China: New definition and guidelines on Sensitive Personal Information now finalised
We previously wrote about proposed changes to the definition of sensitive personal information under a June 2024 draft of the Guide for Sensitive Personal Information Identification (“Guide”). The Guide has now (September 2024) been finalized and issued by the National Information Security Standardization Technical Committee (TC260). Helpfully, it gives organisations greater scope to
UK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data
On 16 September 2024, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued a reprimand against Sky Betting and Gaming (SkyBet) for unlawfully processing people’s data through advertising cookies without their consent.
Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies to visitors’ browsers before…
Data Act Frequently Asked Questions answered by the EU Commission
The EU Data Act is one of the cornerstones of the EU’s Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU’s data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the…
Australia: Long awaited Australian privacy reform comes to fruition
The Australian Government has today published a draft Bill outlining the next steps in Australia’s Privacy Act Review process.
The changes to be implemented by the Privacy and Other Legislation Amendment Bill 2024 include the introduction of:
- A statutory tort for serious invasions of privacy, which has previously been referred to as filling an “
Australia: Anti-scam measures and ransomware reporting on the agenda
Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to…
CHINA: Mandatory data protection compliance (self) audits on their way
The Personal Information Protection Law (“PIPL”) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits”). Apart from such Self-supervision Audits, in case the data regulator finds significant risks involved in a data controller’s processing or where data incidents occur, the…
Europe/Germany: Right to bring collective action for violations of information obligations under GDPR
Summary
In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR can be subject to a representative action under Article 80(2) GDPR.
Facts of the case
Meta Platforms Ireland Limited (“…
THAILAND: First PDPA Enforcement in Thailand: A Landmark Case
On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by…
Ireland: Increased regulatory convergence of AI and data protection: X suspends training of AI chatbot with EU user data after Irish regulator issues High Court proceedings
The Irish Data Protection Commission (DPC) has welcomed X’s agreement to suspend its processing of certain personal data for the purpose of training its AI chatbot tool, Grok. This comes after the DPC issued suspension proceedings against X in the Irish High Court. The DPC described this as the first time that any…
Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation
Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on IT systems of those operating critical infrastructure (“CI”). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the “proposed legislation”), is still at an early stage…