This month, the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) released its long-awaited proposed draft regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”).
The Act was enacted on March 15, 2022, following several significant and disruptive cyberattacks on critical infrastructure in the
Continue Reading US CIRCIA Update: CISA Proposed Regulations ReleasedOn March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy
Continue Reading US: New Hampshire Enacts 15th Comprehensive State Privacy LawOn 7 March 2024, the Court of Justice of the European Union (CJEU) issued its judgment in the Endemol Shine case (C-740/22), holding that the concept of ‘processing’ under the GDPR includes the oral disclosure of personal data.
In its judgment, the CJEU not only provided clarity on the definition of “processing”
Continue Reading EU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPR
In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or
Continue Reading EU and UK: The importance of data processing agreements
In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions to some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well the exemptions, there are updated filing templates for those still falling outside the exemptions; and
Continue Reading CHINA: Cross Border Data Transfer Requirements – exemptions now available
On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had
Continue Reading Europe: EDPS finds that the European Commission has infringed data protection rules
Following the threat of significantly larger penalties since 2018 (the enhanced fines under the General Data Protection Regulation as compared to the legislation that went before), companies have asked us time and time again, “what is my financial risk for data protection non-compliance in the UK?”
The publication of the Information Commissioner Office’s new fining
Continue Reading UK: How much will I get fined if I don’t comply?Introduction
Identifiability; what can amount to personal data; and joint controllership are some of the issues addressed by the Court of Justice of the European Union (CJEU) in its recent judgment in the IAB Europe case (C-604/22). This case concerned the use of personal data for online advertising purposes and the use
Continue Reading CJEU ruling clarifies data protection and e-privacy issues in the ad-tech spaceThe ICO has issued an enforcement notice which provides valuable insights into its approach to the use of biometrics in the workplace, and the lawfulness of employee monitoring activities more broadly.
On 23 February 2024, the Information Commissioner’s Office (“ICO”) ordered Serco Leisure Operating Limited (“Serco”), an operator of leisure facilities, to stop using facial
Continue Reading UK: Enforcement Against the Use of Biometrics in the WorkplaceOverview
On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay
Continue Reading California Attorney General Settles with DoorDash over Alleged Sale of Personal Information
