Authors: Jim Sullivan, Rachel De Souza, Heidi Waem, John Magee and David Brazil

On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF replaces the Privacy Shield Framework (Privacy Shield) which was invalidated by the Schrems II decision of

Continue Reading European Commission adopts new adequacy decision for EU-US data flows

Global flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union’s “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while patiently awaiting the developments around the

Continue Reading EU: International data transfer rules for non-personal data

With the Cyberspace Administration of China’s (“CAC”) release last week of the Guidelines for Filing of Standard Contracts for Cross-border transfers of Personal Information (“Guidelines”), organisations processing Mainland China personal data must now turn their attention to the China Standard Contractual Clauses (“China SCCs”) route for legitimizing their cross-border

Continue Reading CHINA: China SCCs filing procedure now published – more preparation work must be done, and filings will be scrutinized

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To.

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data

Continue Reading VIETNAM: First Personal Data Protection Decree passed – What you need to know

Decision could imperil other companies’ transatlantic transfers as well

By: John Magee, Andrew Dyson, James Sullivan, Andrew Serwin, Claire O’Brien & Rachel De Souza

The Irish Data Protection Commission (DPC) has published a decision that could impact the ability of thousands of companies to move personal data from the European Economic Area (
Continue Reading Ireland/EU: Irish DPC bans Meta’s EU-US data flows and issues record €1.2bn fine

On 26th April, the General Court of the European Union (EGC) published its judgment in Case T-557/20, Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS), in relation to the threshold between pseudonymous and anonymous data.

The EGC held that pseudonymised data transmitted to a data
Continue Reading Europe: EU General Court Clarifies When Pseudonymized Data is Considered Personal Data

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

China’s amended Anti-Espionage Law will take effect from 1 July 2023. However, its effects have already been felt by some international businesses. So what should international businesses do to respond to these new risks?

The new law broadens the scope of espionage activities,
Continue Reading CHINA: new Anti-Espionage Law and its impact on your China data and operations – how your organisation should respond

On 4 May 2023, the European Court of Justice (“CJEU”) delivered its judgment regarding the interpretation of Article 82 of the General Data Protection Regulation (“GDPR”). The CJEU held that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material
Continue Reading Europe: CJEU holds that mere infringement of the GDPR does not give rise to a right to compensation

Authors: Verena Grentzenberg, Andreas Rüdiger, Ludwig Lauer

In his Opinion of 27.04.2023 (C 340/21), the Advocate General of the European Court of Justice (“ECJ”) commented on the interpretation of the civil non-material right to damages pursuant to Article 82 (1) GDPR as well as on the requirements and the duty of
Continue Reading Europe: Opinion of the Advocate General on presumed fault of the controller in case of unlawful third-party access to personal data