Introduction

In its judgement of 04 October 2024 (C-21/23), the European Court of Justice (“ECJ”, “Court”) ruled, that the provisions of Chapter VIII of the GDPR, do not preclude national rules which grant undertakings the right to rely, on the basis of the prohibition of acts of unfair competition

Continue Reading EU: ECJ rules that competitors are entitled to bring an injunction claim based on an infringement of the GDPR.

Introduction

The subject of “legitimate interests” and in particular whether they can be “purely commercial” has been a topic of front and center stage debate in the Netherlands for some time. The Dutch data protection authority (AP) has historically interpreted the concept of legitimate interest narrowly, taking the position that organisations

Continue Reading EU: CJEU Confirms that Legitimate Interests can cover purely commercial interests

The EU Data Act is one of the cornerstones of the EU’s Data Strategy and introduces a new and horizontal set of rules on data access and use to boost the EU’s data economy. Most of the provisions of the Data Act will become applicable as of 12 September 2025. To assist stakeholders in the

Continue Reading Data Act Frequently Asked Questions answered by the EU Commission

The Australian Government has today published a draft Bill outlining the next steps in Australia’s Privacy Act Review process. 

The changes to be implemented by the Privacy and Other Legislation Amendment Bill 2024 include the introduction of:

  • A statutory tort for serious invasions of privacy, which has previously been referred to as filling an “
Continue Reading Australia: Long awaited Australian privacy reform comes to fruition

The Personal Information Protection Law (“PIPL“) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits“). Apart from such Self-supervision Audits, in case the data regulator finds significant risks involved in a data controller’s processing or where data incidents occur, the

Continue Reading CHINA: Mandatory data protection compliance (self) audits on their way

Summary

In its judgement of 11 July 2024 (C-757/22), the European Court of Justice (‘ECJ’) ruled that the violation of a controller’s information obligations under Art. 12 and 13 GDPR, can be subject to a representative action under Article 80(2) GDPR.

Facts of the case

Meta Platforms Ireland Limited (“

Continue Reading Europe/Germany:  Right to bring collective action for violations of information obligations under GDPR

On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019, issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by

Continue Reading THAILAND: First PDPA Enforcement in Thailand: A Landmark Case

The Irish Data Protection Commission (DPC) has welcomed X’s agreement to suspend its processing of certain personal data for the purpose of training its AI chatbot tool, Grok. This comes after the DPC issued suspension proceedings against X in the Irish High Court.  The DPC described this as the first time that any

Continue Reading Ireland: Increased regulatory convergence of AI and data protection: X suspends training of AI chatbot with EU user data after Irish regulator issues High Court proceedings

While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer

Continue Reading China: Important new guidance on defining sensitive personal information

On 1 July 2024, Australia’s spam regulator, the Australian Communications and Media Authority (AMCA), released a Statement of Expectations setting out its requirements for customer consent in the context of direct marketing.

The ACMA has consistently demonstrated a clear intolerance for breaches of the spam requirements, penalising business with over AUD 15 million

Continue Reading Australia’s e-marketing expectations: When customers don’t give a spam