The European Data Protection Board (“EDPB”) has adopted an Opinion (“EDPB Opinion”) on the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms. The EDPB concludes that “in most cases”, the requirements of

Continue Reading Europe: EDPB issues Opinion on ‘consent or pay’ models deployed by large online platforms

Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading

Continue Reading CHINA: New national data classification and grading standard is released

This month, the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) released its long-awaited proposed draft regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”).

The Act was enacted on March 15, 2022, following several significant and disruptive cyberattacks on critical infrastructure in the

Continue Reading US CIRCIA Update: CISA Proposed Regulations Released  

On March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy

Continue Reading US: New Hampshire Enacts 15th Comprehensive State Privacy Law

On 7 March 2024, the Court of Justice of the European Union (CJEU) issued its judgment in the Endemol Shine case (C-740/22), holding that the concept of ‘processing’ under the GDPR includes the oral disclosure of personal data.

In its judgment, the CJEU not only provided clarity on the definition of “processing”

Continue Reading EU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPR

In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or

Continue Reading EU and UK: The importance of data processing agreements

In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions to some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well the exemptions, there are updated filing templates for those still falling outside the exemptions; and

Continue Reading CHINA: Cross Border Data Transfer Requirements – exemptions now available

On 11 March 2024, following an investigation, the European Data Protection Supervisor (EDPS) announced that the European Commission’s (Commission) use of a major software company infringes the data protection law for EU institutions, bodies, offices and agencies (Regulation (EU) 2018/1725). In particular, the EDPS found that the Commission had

Continue Reading Europe: EDPS finds that the European Commission has infringed data protection rules

Following the threat of significantly larger penalties since 2018 (the enhanced fines under the General Data Protection Regulation as compared to the legislation that went before), companies have asked us time and time again, “what is my financial risk for data protection non-compliance in the UK?”

The publication of the Information Commissioner Office’s new fining

Continue Reading UK: How much will I get fined if I don’t comply?

Introduction

Identifiability; what can amount to personal data; and joint controllership are some of the issues addressed by the Court of Justice of the European Union (CJEU) in its recent judgment in the IAB Europe case (C-604/22). This case concerned the use of personal data for online advertising purposes and the use

Continue Reading CJEU ruling clarifies data protection and e-privacy issues in the ad-tech space