International

China Imposes $1.2 Billion Fine for Data Violations

By Yan Luo & Nicholas Shepherd on July 25, 2022

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law…

China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

By Yan Luo on July 7, 2022

Posted in China, International, Privacy and Data Security

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-waited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) were released by the Cyberspace Administration of China (“CAC”). With a very tight implementation schedule, the Measures will take effect on September 1, 2022. The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law

By Mark Young & Paul Maynard on July 5, 2022

Posted in United Kingdom

The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).

As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).

While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.

European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

By Kristof Van Quathem, Dan Cooper & Anna Sophia Oberschelp de Meneses on July 4, 2022

Posted in Cross-Border Transfers, EU Data Protection, European Union

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers. These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework. The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

German Federal Office for Information Security Publishes Security Requirements for Healthcare Apps

By Kristof Van Quathem & Anna Sophia Oberschelp de Meneses on July 4, 2022

Posted in Data Security, EU Data Protection, European Union

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems. Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app…

Cross-Border Data Transfer Developments in China

By Yan Luo on July 2, 2022

Posted in China, Cross-Border Transfers, Privacy and Data Security

After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data. The most recent developments in relation to these mechanisms concern the standard contract and certification.

Court of Justice of the EU Decides that the Passenger Name Record Directive is Compatible with EU Law

By Dan Cooper & Anna Sophia Oberschelp de Meneses on June 27, 2022

Posted in Data Privacy, EU Data Protection, European Union

On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that that the Passenger Name Record (“PNR”) Directive’s provisions providing for the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”). However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights. Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data. It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.

The CJEU decision also considers, as well, Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.

The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humainsbefore the Belgian courts in relation to the Belgian law transposing the PNR and API Directives. The Belgian Constitutional Court referred certain questions to the CJEU.

UK Government calls for views in three areas to assess whether action is needed to enhance security of data centres and cloud services

By Mark Young & Paul Maynard on June 8, 2022

Posted in Privacy and Data Security, United Kingdom

The UK Government has issued a “call for views” on the current level of physical, technical and organizational security provided by data center operators (i.e. colocation service providers, not businesses that operate their own data centers) and cloud service providers (including providers of infrastructure-as-a-service, platform-as-a-service, and managed services).

Court of Justice of the EU Greenlights GDPR Collective Claims Without a Mandate

By Dan Cooper, Kristof Van Quathem & Anna Sophia Oberschelp de Meneses on May 24, 2022

Posted in EU Data Protection, European Union, European Union

On April 28, 2022, the Court of Justice of the EU (“CJEU”) decided that consumer protection associations may bring collective claims without a mandate from the affected consumers, including for violations of the GDPR, relying on national consumer law provisions. The words “without a mandate” refers to the fact that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR, without naming particular data subjects.

Online Safety Bill to Proceed Through Parliament

By Lisa Peets, Marty Hansen, Shona O'Donovan & Tomos Griffiths on May 17, 2022

Posted in Data Privacy, EMEA Tech Regulation, United Kingdom

On May 10, 2022, Prince Charles announced in the Queen’s Speech that the UK Government’s proposed Online Safety Bill (the “OSB”) will proceed through Parliament. The OSB is currently at committee stage in the House of Commons. Since it was first announced in December 2020, the OSB has been the subject of intense debate and scrutiny on the balance it seeks to strike between online safety and protecting children on the one hand, and freedom of expression and privacy on the other.

Inside Privacy