UK: Consultation on Ransomware payments

By Jules Toynton & Rachel de Souza on January 23, 2025

Posted in Cyber security, Cyber-crime, Ransomware

On 14 January 2025, the UK Home Office published a consultation paper focusing on legislative proposals to reduce payments to cyber criminals and increasing incident reporting.

The proposals set out in the consultation paper aim to protect UK businesses, citizens, and critical infrastructure from the growing threat of ransomware, by reducing the financial incentives for…

EU: DLA Piper GDPR Fines and Data Breach Survey: January 2025

By Rachel de Souza on January 21, 2025

Posted in Data security and breaches, Enforcement, EU privacy, General Data Protection Regulation, Privacy Law

The seventh annual edition of DLA Piper’s GDPR Fines and Data Breach Survey has revealed another significant year in data privacy enforcement, with an aggregate total of EUR1.2 billion (USD1.26 billion/GBP996 million) in fines issued across Europe in 2024.

Ireland once again remains the preeminent enforcer issuing EUR3.5 billion (USD3.7 billion/GBP2.91 billion) in fines since…

EU: EDPB Opinion on AI Provides Important Guidance though Many Questions Remain

By James Clark, Heidi Waem, John Magee & Rachel de Souza on January 14, 2025

Posted in Artificial Intelligence, EDBP (European Data Protection Board), Privacy Law

A much-anticipated Opinion from the European Data Protection Board (EDPB) on AI models and data protection has not resulted in the clear or definitive guidance that businesses operating in the EU had hoped for. The Opinion emphasises the need for case-by-case assessments to determine GDPR applicability, highlighting the importance of accountability and record-keeping…

CHINA: Draft Regulation on Certification for Cross-Border Data Transfers Published

By Carolyn Bigg, Amanda Ge & Qiuyang Zhao on January 14, 2025

Posted in China, Data transfers, New laws, Privacy Law

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data…

Germany: Works agreements cannot legitimate inadmissible data processing.

By Maximilian Plote on January 10, 2025

Posted in EU privacy, General Data Protection Regulation

If employers and works councils agree on ‘more specific rules’ in a works agreement regarding the processing of employees’ personal data in the employment context (Art. 88 (1) GDPR), these must take into account the general data protection principles, including the lawfulness of processing (Art. 5, Art. 6 and Art. 9 GDPR), according to the…

Germany: Update: Judgment on Non-Material Damages for Loss of Control over Personal Data

By Philipp Adelberg, Verena Grentzenberg & Jan Pohle on December 12, 2024

Posted in EU privacy, General Data Protection Regulation

In its judgement of November 18, 2024 (case number VI ZR 10/24) the German Federal Court of Justice (Bundesgerichtshof – “BGH”) clarified key legal issues regarding claims for damages under Article 82 GDPR in the event of a mere loss of control of personal data in the Facebook scraping complex. This blog…

Australia: Privacy Act amendments and Cyber Security Act become law

By Sarah Birkett & Claire Kermond on December 5, 2024

Posted in Cyber security, New laws, Privacy Law

On 29 November 2024, the Australian Senate passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (the Privacy Act Bill). This follows the passage of the Cyber Security Act 2024 (Cth), and other cyber-security related amendments, on 25 November 2024.

The majority of the amendments to the Privacy Act 1988 (Cth) will…

Australia: In-Store Facial Recognition Tech Breached Privacy Act

By Sarah Birkett & Alexandra Moore on November 22, 2024

Posted in Privacy Law

“Ethically challenging” and “the most intrusive option” – these are some of the words Australia’s Privacy Commissioner used to describe facial recognition technology (FRT), and its use by national hardware retailer Bunnings.

The Office of the Australian Information Commissioner (OAIC) has released the findings of its much-awaited investigation into the use of FRT…

EU: Cyber Resilience Act published in EU Official Journal

By Rachel de Souza & Philipp Adelberg on November 21, 2024

Posted in Cyber security, Digital Decade, Digital transformation, EU data governance, EU privacy, New laws

On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.

What is the CRA?

The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats. …

Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data

By Verena Grentzenberg, Jan Pohle, Philipp Adelberg & Lucas Blum on November 19, 2024

Posted in EU privacy, General Data Protection Regulation

On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.

The judgment is based on a personal…