McHenry Introduces Data Privacy Act of 2023
On February 24, Congressman Patrick McHenry (NC-10) formally introduced his bill to modernize the Gramm-Leach-Bliley Act (“GLBA”) in the House as H.R. 1165. The bill was first released as a discussion draft in June 2022, although the latest version reflects a number of updates as compared to the initial
February 2023
Senate Judiciary Committee Holds Hearing on Children’s Online Safety
On Tuesday, February 14, 2023, the Senate Judiciary Committee held a hearing titled “Protecting Our Children Online.” The witnesses included only consumer advocates, and no industry representatives. As Committee Chair, however, Senator Durbin (D-IL) indicated that he plans to hold another hearing featuring representatives from technology companies.
EDPB Releases its 2023-2024 Work Program
On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years. The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.
National Transposition of the EU Representative Actions Directive: What is the Current Status?
The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.
As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blog post provides an overview of the RAD and its implementation status by EU member states.
China Finalizes Standard Contract for Cross-Border Transfers of Personal Information
On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures. The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.
The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework. With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance.
UK Information Commissioner’s Office Publishes Guidance for Video Game Developers and Designers to Improve Data Protection in their Services
On February 16, 2023, the UK Information Commissioner’s Office (“ICO”) released guidance for the video game industry on how to conform with the UK’s Age Appropriate Design Code when developing video games. This blog post summarizes the ICO’s recommendations for video game developers and designers when creating video games that are likely to be accessed by children under the age of 18. For more information about the UK’s Age Appropriate Design Code, see our previous blog posts here and here.
Italian Garante Fines Three Hospitals Over Their Use of AI for Risk Stratification Purposes, Establishes That Predictive Medicine Processing Requires the Patient’s Explicit Consent
On 24 January 2023, the Italian Supervisory Authority (“Garante”) announced it fined three hospitals in the amount of 55,000 EUR each for their unlawful use of an artificial intelligence (“AI”) system for risk stratification purposes, i.e., to systematically categorize patients based on their health status. The Garante also ordered the hospitals to erase all the data they obtained as a consequence of that unlawful processing.
European Commission Plans to Improve Cooperation Between Supervisory Authorities in Cross-Border GDPR Cases
On February 20, 2023, the European Commission launched an initiative to further specify procedural aspects relating to the enforcement of the GDPR (“procedural initiative”). The aim of the procedural initiative is to clarify the administrative procedure that applies in cross-border investigations and enforcement under the GDPR. These rules are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.
This procedural initiative was announced in the Commission’s work program for 2023, and the text of the proposal is not yet available. The European Commission is expecting to publish a draft regulation on procedural rules relating to the enforcement of the GDPR in Q2 2023.
German DSK Publishes Decision on the Data Protection Assessment of Access Possibilities of Third Country Public Authorities to Personal Data
On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28…
Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest
On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21). The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR. In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.