The Federal Trade Commission (“FTC”) is taking bold actions to challenge business’s collection and monetization of consumers’ personal data—particularly sensitive personal data. This month, the FTC reached settlements with a data broker, X-Mode Social and its successor Outlogic LLC (“X-Mode”), and an alcohol addiction treatment firm, Monument Inc. (“Monument”), for, among other things, allegedly selling
Continue Reading US: The FTC Cracks Down on Sensitive Personal Information DisclosuresEurope: The EU AI Act’s relationship with data protection law: key takeaways
Disclaimer: The blogpost below is based on a previously published Thomson Reuters Practical Law practice note (EU AI Act: data protection aspects (EU)) and only presents a short overview of and key takeaways from this practice note. This blogpost has been produced with the permission of Thomson Reuters, who has the copyright over the…
Continue Reading Europe: The EU AI Act’s relationship with data protection law: key takeawaysUS: CCPA and California Privacy Protection Agency Updates: 2024 to Date
The California Privacy Protection Agency (“CPPA”) has been active since the start of the year. In this blog post we summarize some key activities of the CPPA to date in 2024, including:
- On April 2, 2024, the CPPA Enforcement Division issued its inaugural advisory, emphasizing the importance of data minimization. (Read more about
Europe: EDPB issues Opinion on ‘consent or pay’ models deployed by large online platforms
The European Data Protection Board (“EDPB”) has adopted an Opinion (“EDPB Opinion”) on the validity of consent to process personal data for the purposes of behavioural advertising in the context of ‘consent or pay’ models deployed by large online platforms. The EDPB concludes that “in most cases”, the requirements of…
Continue Reading Europe: EDPB issues Opinion on ‘consent or pay’ models deployed by large online platformsCHINA: New national data classification and grading standard is released
Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading…
Continue Reading CHINA: New national data classification and grading standard is releasedUS CIRCIA Update: CISA Proposed Regulations Released
This month, the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) released its long-awaited proposed draft regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”).
The Act was enacted on March 15, 2022, following several significant and disruptive cyberattacks on critical infrastructure in the…
Continue Reading US CIRCIA Update: CISA Proposed Regulations ReleasedUS: New Hampshire Enacts 15th Comprehensive State Privacy Law
On March 6, 2024, the New Hampshire Governor signed into law Senate Bill 255 (the “NH Act”), making New Hampshire the 15th state to adopt a comprehensive state privacy law. The NH Act will take effect January 1, 2025. This post explores how the NH Act stacks up against the other comprehensive state privacy…
Continue Reading US: New Hampshire Enacts 15th Comprehensive State Privacy LawEU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPR
On 7 March 2024, the Court of Justice of the European Union (CJEU) issued its judgment in the Endemol Shine case (C-740/22), holding that the concept of ‘processing’ under the GDPR includes the oral disclosure of personal data.
In its judgment, the CJEU not only provided clarity on the definition of “processing”…
Continue Reading EU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPREU and UK: The importance of data processing agreements
In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or…
Continue Reading EU and UK: The importance of data processing agreementsCHINA: Cross Border Data Transfer Requirements – exemptions now available
In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions to some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well the exemptions, there are updated filing templates for those still falling outside the exemptions; and…
Continue Reading CHINA: Cross Border Data Transfer Requirements – exemptions now available