The Schrems II judgment has created significant legal uncertainty and challenges for data exporters across the European Economic Area (the EEA), requiring highly complex assessments of the laws and practices of third countries and risk assessments. Compounding this challenge, the legal standard to be applied to personal data transfers abroad from the EEA
Continue Reading The GDPR International Data Transfer Regime: the case for Proportionality and a Risk-Based Approach

Authors: Heidi Waem, Nicolas Becker

On 21 October 2022, the Belgian Data Protection Authority issued its first settlement decisions (Cases 150/2022 and 151/2022 of 21 October 2022 ) whereby the cases against a controller for alleged cookie infringements were settled by means of payment of 10.000 EUR per case. It is also the first
Continue Reading Belgium: First Settlement Decisions by Belgian Data Protection Authority

Authors: Jules Toynton, Coran Darling

Data is often the fuel that powers AI used by organisations. It tailors search parameters, spots behavioural trends, and predicts future possible outcomes (to highlight a just a few uses). In response, many of these organisations seek to accumulate and use as much data as possible, in order to
Continue Reading Keeping an ‘AI’ on your data: UK data regulator recommends lawful methods of using personal information and artificial intelligence

Author: Sarah Birkett

Anyone with a passing interest in Australian privacy laws will no doubt have heard about the Optus data breach. The incident, which was made public in late September 2022, is thought to have affected around 9 million individuals (almost 40% of the Australian population), with identity documents relating to approximately 2.22 million
Continue Reading AUSTRALIA: Likely increase in maximum penalties for privacy breaches

Authors: Ross McKean, Henry Pelling

On 24 October 2022, the ICO issued a penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit).
The ICO found that Interserve had failed to put appropriate technical and organisational measures in place to secure personal
Continue Reading UK: ICO issue fine of £4.4m to Interserve for security failings

Author: Carolyn Bigg, Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia.

Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make
Continue Reading INDONESIA: Personal Data Protection Law PDPL Now in Force

A recent decision by the Irish Data Protection Commission (“DPC“) imposing a record €405 million fine provides clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’.

On 2 September 2022, the DPC imposed a record €405 million GDPR fine on
Continue Reading Ireland / Europe: DPC’s Record Fine Raises Expectations on Standards Applicable for Processing Children’s Data

Long-awaited executive order strives to enhance and revive the invalidated Privacy Shield Framework

Author: Jim Sullivan

On 7 October 2022, President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the EO), aimed at addressing the widespread legal uncertainty that has prevailed with respect to transatlantic data transfers since the 

Continue Reading President Biden orders surveillance reforms two years after Schrems II

Authors: Coran Darling, James Clark

In its proposed AI Regulation (“AI Act”), the EU recognises AI as one of the most important technologies of the 21st century. It is often forgotten, however, that AI is not one specific type of technology. Instead, it is an umbrella term for a range of

Continue Reading EUROPE: Data protection regulators publish myth-busting guidance on machine learning

Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.

There is now an increased risk for organisations contravening the PDPA in Singapore.

This means that in relation to any intentional or negligent contravention of:

  1. the data


Continue Reading SINGAPORE: Increased financial penalties under the PDPA now in effect