EU – US adequacy decision: State of play

By Rachel De Souza on December 15, 2022

1 New development and timing

On 13^th December, the European Commission published a draft adequacy decision to enhance and replace its 2016 adequacy decision for the EU-U.S. Privacy Shield framework (“Privacy Shield”), which was invalidated by the Schrems II decision of the Court of Justice of the European Union (“CJEU”). The Commission has submitted…
Continue Reading EU – US adequacy decision: State of play

End of Meta’s targeted ads model?

By Magda Zmorka on December 9, 2022

Posted in Direct marketing, General Data Protection Regulation

Authors: Ewa Kurowska-Tober, Andrew Serwin, John Magee and Madison Swoy

A trio of forthcoming decisions against tech giant Meta may signal the end for Meta’s targeted ads model, though the issue is likely to rumble on for some time.

For many years, Meta has relied on contractual necessity (Article 6(1)(b) of the GDPR)…
Continue Reading End of Meta’s targeted ads model?

UK NIS – Get ready for expansion of the UK’s critical national infrastructure cyber security laws

By Rachel De Souza on December 5, 2022

Posted in Uncategorized

Authors: James Clark and David Cook

The UK government has published its plans to amend the Network and Information Systems Regulations 2018. The reforms will lead to many more IT companies falling within the scope of the Regulations as ‘Digital Service Providers’ and will expand incident reporting obligations. A two-tiered regime for Digital Service Providers…
Continue Reading UK NIS – Get ready for expansion of the UK’s critical national infrastructure cyber security laws

CJEU rules that Privacy Rights Outweigh AML Requirements

By Rachel De Souza on December 1, 2022

Posted in Uncategorized

Authors: Ewa Kurowska-Tober, Andrew Serwin, John N Gevertz and Piotr Czulak

The CJEU recently ruled that a Luxembourg law adopted in 2019 in accordance with the amended anti-money-laundering directive[1] (“AML Directive”), which required the disclosure and publication of certain information on the beneficial owners of entities registered in the Register of Beneficial…
Continue Reading CJEU rules that Privacy Rights Outweigh AML Requirements

Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

By Rachel De Souza on November 28, 2022

Posted in Uncategorized

Authors: David Cook, Benjamin Fellows and Heba Khalid

On 6 October 2022, Advocate General Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C‑300/21) on the interpretation of Article 82 of the General Data Protection Regulation, holding that:

A “mere breach” of the GDPR is not sufficient to warrant

…
Continue Reading Europe: Compensation for non-material damage does not automatically accompany every breach of the GDPR (AG’s opinion)

HONG KONG: Increased Enforcement Action?

By olaideogungbesan on November 17, 2022

Posted in Cyber security, Data security and breaches, Data transfers

Author: Carolyn Bigg

Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years?

On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports for non-compliance of the Personal Data (Privacy) Ordinance (“PDPO”):

EC Healthcare’s failure to obtain

…
Continue Reading HONG KONG: Increased Enforcement Action?

The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

By Rachel De Souza on November 15, 2022

Posted in Uncategorized

The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA…
Continue Reading The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

Belgium: First Settlement Decisions by Belgian Data Protection Authority

By Rachel De Souza on November 10, 2022

Posted in Uncategorized

Authors: Heidi Waem, Nicolas Becker

On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022 ) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first…
Continue Reading Belgium: First Settlement Decisions by Belgian Data Protection Authority

Keeping an ‘AI’ on your data: UK data regulator recommends lawful methods of using personal information and artificial intelligence

By Magda Zmorka on November 8, 2022

Posted in Artificial Intelligence, General Data Protection Regulation

Authors: Jules Toynton, Coran Darling

Data is often the fuel that powers AI used by organisations. It tailors search parameters, spots behavioural trends, and predicts future possible outcomes (to highlight a just a few uses). In response, many of these organisations seek to accumulate and use as much data as possible, in order to…
Continue Reading Keeping an ‘AI’ on your data: UK data regulator recommends lawful methods of using personal information and artificial intelligence

AUSTRALIA: Likely increase in maximum penalties for privacy breaches

By Magda Zmorka on November 3, 2022

Posted in Data security and breaches

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million…
Continue Reading AUSTRALIA: Likely increase in maximum penalties for privacy breaches