Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices
On 1 July 2024, Germany enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system, which covers around 90% of the German population. In this blog
Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 1: Data Protection in the E-Commerce Sector
When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China. Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here). Both the PIPL and DSL will be finalized this year. Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.
While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in key sectors. Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors. The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above. We expect this divergence to remain, even after the finalization of the PIPL and DSL. Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.
In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns. We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.
In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.
Google Loses Administrative Appeal Against Hamburg Decision Concerning Its Practice of Cross-Service Data Combination
Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More in particular, the…
Russian Data Localization Bill Now Confirmed To Come Into Effect On 1 September 2015
UPDATED: This post was first published on December 19, 2014; it is now being updated to reflect President Putin’s signature of the bill discussed below on 31 December, 2014.
In July 2014, Russia enacted Law 242-FZ (the “Localization Law”). The Localization Law amends the Russian Federal Law on Information, Information…
Duma Votes to Accelerate Implementation Date of Russian Data Localization Bill By A Year
In July this year, Russia enacted Law 242-FZ (the “Localization Law”). The Localization Law amends the Russian Federal Law on Information, Information Technology and Information Protection, and would introduce a new requirement for certain businesses (including in particular those processing data concerning Russian citizens and also maintaining offices in Russia)…
ISO’s New Cloud Privacy Standard
This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018. Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that addresses key processor (and some controller) obligations under EU data protection laws.
ISO 27018 builds on existing information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles (e.g., securing offices and facilities, media handling, human resources security, etc.). By contrast, ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud. ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here).