Australia: Anti-scam measures and ransomware reporting on the agenda
Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to
CHINA: Mandatory data protection compliance (self) audits on their way
The Personal Information Protection Law (“PIPL”) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits”). Apart from such Self-supervision Audits, in case the data regulator finds significant risks involved in a data controller’s processing or where data incidents occur, the…
Europe/Germany: Right to bring collective action for violations of information obligations under GDPR
Summary
In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR can be subject to a representative action under Article 80(2) GDPR.
Facts of the case
Meta Platforms Ireland Limited (“…
THAILAND: First PDPA Enforcement in Thailand: A Landmark Case
On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by…
Ireland: Increased regulatory convergence of AI and data protection: X suspends training of AI chatbot with EU user data after Irish regulator issues High Court proceedings
The Irish Data Protection Commission (DPC) has welcomed X’s agreement to suspend its processing of certain personal data for the purpose of training its AI chatbot tool, Grok. This comes after the DPC issued suspension proceedings against X in the Irish High Court. The DPC described this as the first time that any…
Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation
Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on IT systems of those operating critical infrastructure (“CI”). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the “proposed legislation”), is still at an early stage…
China: Important new guidance on defining sensitive personal information
While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer…
Australia’s e-marketing expectations: When customers don’t give a spam
On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (ACMA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.
The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising businesses with over AUD 15 million…
FTC Reiterates that Hashed and Pseudonymized Data is Still Identifiable Data
The Federal Trade Commission (FTC) reiterated its long-held view that hashing or pseudonymizing identifiers does not render data anonymous, in a post to its Technology Blog on July 24, 2024.
In the rather strongly worded post, while acknowledging that hashing and pseudonymizing data has the benefit of obscuring the underlying personal data, the FTC…
EU: European Supervisory Authorities issue second batch of technical standards under DORA
On 18th July, the European Supervisory Authorities (“ESAs”) published the final versions of the second batch of their draft regulatory technical standards (RTS) and implementing technical standards (ITS), developed under the Digital Operational Resilience Act (DORA), as well as two sets of Guidelines.
Summary of draft …