The Personal Information Protection Law (“PIPL”) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits”). Apart from such Self-supervision Audits, in case the data regulator finds significant risks involved in a data controller’s processing or where data incidents occur, the

Continue Reading CHINA: Mandatory data protection compliance (self) audits on their way

On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by

Continue Reading THAILAND: First PDPA Enforcement in Thailand: A Landmark Case

While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer

Continue Reading China: Important new guidance on defining sensitive personal information

On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (ACMA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.

The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising businesses with over AUD 15 million

Continue Reading Australia’s e-marketing expectations: When customers don’t give a spam

The Federal Trade Commission (FTC) reiterated its long-held view that hashing or pseudonymizing identifiers does not render data anonymous, in a post to its Technology Blog on July 24, 2024.

In the rather strongly worded post, while acknowledging that hashing and pseudonymizing data has the benefit of obscuring the underlying personal data, the FTC

Continue Reading FTC Reiterates that Hashed and Pseudonymized Data is Still Identifiable Data

This is Part 2 in a series of articles on the European Health Data Space (“EHDS”). Part 1, which provides a general overview of the EHDS, is available here.

Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements

Continue Reading Requirements of EHR systems under the European Health Data Space

The next steps in Australia’s long-bubbling reform of the privacy regime have been announced, with draft legislation expected to be tabled by August 2024. The reform is being presented as part of the Federal Government’s efforts to improve online safety, particularly for women, but it’s not clear how broad its remit will be at

Continue Reading Australia: Privacy Act Updates Expected in August 2024

The European Data Protection Board (“EDPB”) has adopted an Opinion (“EDPB Opinion”) on the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms. The EDPB concludes that “in most cases”, the requirements of

Continue Reading Europe: EDPB issues Opinion on ‘consent or pay’ models deployed by large online platforms

Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading

Continue Reading CHINA: New national data classification and grading standard is released

On March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy

Continue Reading US: New Hampshire Enacts 15th Comprehensive State Privacy Law