CHINA: Draft Regulation on Certification for Cross-Border Data Transfers Published
On 3 January 2025, the Cyberspace Administration of China (“CAC”) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures”). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data
Germany: Works agreements cannot legitimate inadmissible data processing.
If employers and works councils agree on ‘more specific rules’ in a works agreement regarding the processing of employees’ personal data in the employment context (Art. 88 (1) GDPR), these must take into account the general data protection principles, including the lawfulness of processing (Art. 5, Art. 6 and Art. 9 GDPR), according to the…
Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data
In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog…
Australia: Privacy Act amendments and Cyber Security Act become law
On 29 November 2024, the Australian Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Privacy Act Bill). This follows the passage of the Cyber Security Act 2024 (Cth), and other cyber-security related amendments, on 25 November 2024.
The majority of the amendments to the Privacy Act 1988 (Cth) will…
Australia: In-Store Facial Recognition Tech Breached Privacy Act
“Ethically challenging” and “the most intrusive option” – these are some of the words Australia’s Privacy Commissioner used to describe facial recognition technology (FRT), and its use by national hardware retailer Bunnings.
The Office of the Australian Information Commissioner (OAIC) has released the findings of its much-awaited investigation into the use of FRT…
EU: Cyber Resilience Act published in EU Official Journal
On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.
What is the CRA?
The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats. …
Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data
On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.
The judgment is based on a personal…
EU: EHDS – Access to health data for secondary use under the European Health Data Space
This is Part 3 in a series of articles on the European Health Data Space (“EHDS”). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR-Systems under the EHDS, is available here.
This article provides an…
EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management
The European Data Protection Board (“EDPB”) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:
- supply chain mapping;
- verifying compliance with flow-down obligations.
For many financial institutions, the emphasis on these obligations should not come as a…
Hong Kong: Updates to the Personal Data (Privacy) Ordinance put on hold
At the Legislative Council Panel on Constitutional Affairs held on 19 February 2024, the Privacy Commissioner (“Commissioner”) reported that the Office of the Privacy Commissioner for Personal Data was working with the Government to review the Personal Data (Privacy) Ordinance (“PDPO”) to strengthen personal data protection in Hong Kong. At the…