Sweeping Amendments to NYDFS Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) announced extensive amendments to its cybersecurity requirements for financial institutions issued under 23 NYCRR Part 500. The amendments are intended to address the evolution in the cybersecurity landscape since the regulation was first enacted in 2017, including

Continue Reading US: Regulators Enhance Information Security Requirements for Financial Services Companies

The European Data Protection Board has published new guidelines (14 November 2023) on the scope of Article 5(3) of the e-Privacy Directive – i.e., the so-called ‘cookie rule’.

These guidelines apply a maximalist interpretation to the cookie rule, meaning that a wide variety of technologies other than traditional cookies are, in the opinion of the

Continue Reading EU: New EDPB guidelines on the scope of the ‘cookie rule’

Authors: Heidi Waem, Muhammed Demircan, Nicolas Becker

On 29 September 2023, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand on a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement between the public authority – who

Continue Reading Belgian DPA decides on the (in)validity of retroactive data processing agreements

Implicit within Delaware law, and now explicit in the SEC Cyber Rules, is the concept of adequate governance. It is not what the FTC just said on a particular topic, the latest guidance from a Data Protection Authority, what the NIST framework provides, or a set of controls in any particular subject area regarding privacy

Continue Reading US: Understanding Governance–A Path for Privacy and Security Governance

We (finally) have more clarity as to the next steps in the long-awaited reform of the Australian Privacy Act.

As we noted back in February this year (see here), the Attorney-General’s Department recommended a number of changes to Australia’s core privacy regime, which saw its last major overhaul in 2014.

The Australian Government

Continue Reading Australia – next stages in the Privacy Act review confirmed

Summary

A UK court has reversed a fine imposed on the provider of a facial image database service, Clearview AI, on the basis that the (UK) GDPR did not apply to the processing of personal data by the company. In so doing, the court has provided helpful judicial interpretation of both the territorial and material scope

Continue Reading Clearview AI -v- Information Commissioner

Author: Nicholas De Lacy-Brown

The arrival of NIS2 is only one year away. With significantly enhanced requirements around cybersecurity management extending across the supply chain, increased reporting obligations in the case of cyber breach, and personal liability for senior management, working out whether or not an organisation will be in scope for NIS2 will be

Continue Reading EU: The NIS2 Enigma: who will be caught by the EU’s updated cyber requirements?

UK Extension

Following the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) (for further information see here), the UK Government has announced that from 12 October 2023, organisations in the UK can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework

Continue Reading UK: EU-UK Data Privacy Framework Extension

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023, the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft

Continue Reading Indonesia: prepare now for the new Personal Data Protection Law