The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.
Laws/Regulations directly regulating AI (the “AI Regulations”)
The OECD's Recommendation of the Council on Artificial...more
6/18/2024
/ Artificial Intelligence ,
Enforcement ,
EU ,
Machine Learning ,
New Legislation ,
OECD ,
Personal Data ,
Regulatory Agenda ,
Research and Development ,
Risk Assessment ,
Risk Management ,
Technology Sector ,
Transparency
On November 27, 2023, the European Union ("EU") adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use...more
11/30/2023
/ B2B Organizations ,
Corporate Counsel ,
DATA Act ,
Data Protection ,
Digital Data ,
Enforcement Actions ,
EU ,
EU Data Protection Laws ,
European Commission ,
General Data Protection Regulation (GDPR) ,
New Legislation ,
Personal Data ,
Small and Medium-Sized Enterprises (SMEs) ,
Technology Sector
The UK-US Data Bridge (the "Data Bridge") has now come into effect, potentially simplifying transfers of personal data from the UK to the US.
On 12 October 2023, the Data Bridge took effect. The Data Bridge allows UK...more
The United States ("U.S.") and the European Union ("EU") have settled on a framework for transfers of personal data for the first time since the European Court of Justice ("CJEU") effectively invalidate the EU-U.S. Privacy...more
8/2/2023
/ Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
Data Security ,
EU ,
EU-US Privacy Shield ,
European Economic Area (EEA) ,
International Data Transfers ,
National Security ,
Personal Data ,
U.S. Commerce Department
The Court of Justice of the EU (CJEU)1 has held that the General Data Protection Regulation (GDPR) requires controllers to provide data subjects a "faithful reproduction" of their personal data, which takes into account the...more
The GDPR allows individuals to request information about the “recipients or categories of recipients” to whom their personal data has been disclosed. In a recent ruling, the EU’s Court of Justice said data subjects get to...more
On January 18, 2022, the European Data Protection Board (the "EDPB") issued the Guidelines 01/2022 on data subject rights - Right of access (the "Draft Guidelines"), laying out its interpretation of Article 15 GDPR on the...more
The Supreme Court of the United Kingdom has delivered its long-awaited decision in the case of Lloyd [2021] UKSC 50, rejecting an attempt to bring a representative claim for compensation for "loss of control" over personal...more
11/11/2021
/ Appeals ,
Class Action ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Personal Data ,
Rules of Civil Procedure ,
UK ,
UK Data Protection Act ,
UK GDPR ,
UK Supreme Court
The pandemic seems to have prompted people to rethink their attitudes toward sharing personal data, particularly when it is used to manage public health and provide essential services. Can this shift serve as a catalyst for...more
In recent weeks, there has been a series of important developments affecting cross-border data transfers. First, on 21 June 2021, the European Data Protection Board ("EDPB") published its final, much-anticipated...more
The European Commission recently published an updated version of the standard contractual clauses for the transfer of personal data to third countries ('SCCs'). Companies can use such SCCs to provide the appropriate...more
6/21/2021
/ Cybersecurity ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The Court of Justice of the EU has declared that the European Commission's adequacy decision in respect of the EU-U.S. Privacy Shield is invalid. The Court's ruling effectively removes a key mechanism that had been widely...more
7/19/2020
/ Binding Corporate Rules ,
Court of Justice of the European Union (CJEU) ,
Data Protection Authority ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Popular ,
Standard Contractual Clauses
Q1/ Applicable legislation -
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed.
———
(b) Relevant legislation...more
11/27/2019
/ Compliance ,
Consumer Privacy Rights ,
Cyprus ,
Data Controller ,
Data Protection Authority ,
Data Protection Impact Assessments (DPIAs) ,
Data Protection Officers (DPOs) ,
Data Subjects Rights ,
Decedent Protection ,
Employee Privacy Rights ,
Enforcement Actions ,
EU ,
European Economic Area (EEA) ,
Exemptions ,
Fines ,
Freedom of Expression ,
General Data Protection Regulation (GDPR) ,
Guidance Update ,
International Data Transfers ,
Joint Control ,
Member State ,
Minor Children ,
National Identification Numbers ,
Nonprofits ,
Penalties ,
Personal Data ,
Prior Authorization ,
Prior Express Consent ,
Public Interest ,
Sanctions
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
Old legislation has been updated.
———...more
11/20/2019
/ Bulgaria ,
Civil Monetary Penalty ,
Data Processors ,
Data Protection ,
Data Protection Authority ,
Data Protection Impact Assessments (DPIAs) ,
Data Protection Officers (DPOs) ,
Data Subjects Rights ,
Decedent Protection ,
Employee Privacy Rights ,
Enforcement Actions ,
EU ,
European Economic Area (EEA) ,
Exemptions ,
Fines ,
Freedom of Expression ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Joint Control ,
Minor Children ,
National Identification Numbers ,
Personal Data ,
Prior Authorization ,
Prior Express Consent ,
Public Interest ,
Sanctions ,
Sensitive Personal Information
Q1/ Applicable legislation -
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
Old legislation has been updated.
———
(b) Relevant legislation...more
11/15/2019
/ Austria ,
Compliance ,
Consumer Privacy Rights ,
Data Controller ,
Data Protection Authority ,
Data Protection Impact Assessments (DPIAs) ,
Data Protection Officers (DPOs) ,
Data Subjects Rights ,
Decedent Protection ,
Employee Privacy Rights ,
Enforcement Actions ,
EU ,
European Economic Area (EEA) ,
Exemptions ,
Fines ,
Freedom of Expression ,
General Data Protection Regulation (GDPR) ,
Guidance Update ,
International Data Transfers ,
Joint Control ,
Member State ,
Minor Children ,
National Identification Numbers ,
Nonprofits ,
Penalties ,
Personal Data ,
Prior Authorization ,
Prior Express Consent ,
Public Interest ,
Sanctions
The Dutch Data Protection Authority has written to the Dutch Banking Association to state that processing customers' transaction data for direct marketing purposes may not be in compliance with the General Data Protection...more
7/22/2019
/ Banks ,
Confidential Information ,
Customer Information ,
Data Collection ,
Data Controller ,
Data Processing Rules ,
Data Protection Authority ,
Direct Marketing ,
Dutch Banking Association ,
Electronic Payment Transactions ,
Enforcement Actions ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Netherlands ,
New Guidance ,
Personal Data ,
Principle Purpose Doctrine ,
Prior Express Consent ,
Prohibited Transactions
The UK Information Commissioner's Office announced more than £280 million of fines last week, in connection with data protection breaches. It singled out the perceived failure of buyers to conduct proper data protection due...more
7/17/2019
/ Acquisitions ,
Buyers ,
Data Protection ,
Data Protection Authority ,
Due Diligence ,
Enforcement Actions ,
Fines ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Sellers ,
Successor Liability ,
UK ,
UK ICO
The European Data Protection Board ("EDPB") has published guidelines on the use of the certification mechanism under the GDPR. Certifications are intended to help businesses provide evidence of compliance with the GDPR. The...more
7/5/2019
/ Certifications ,
Compliance ,
Data Protection ,
Data Protection Authority ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Member State ,
New Guidance ,
Personal Data
On 31 May 2019, the Data Protection Authorities of Singapore and Hong Kong signed a Memorandum of Understanding ("MoU") intended to strengthen cooperation in data protection in the two jurisdictions....more
7/1/2019
/ Asia Pacific ,
Cross-Border Transactions ,
Data Protection ,
Data Protection Authority ,
GPEN ,
Hong Kong ,
International Data Transfers ,
Memorandum of Understanding ,
New Guidance ,
Personal Data ,
Personal Data Privacy Comission (PDPC) ,
Privacy Comissioners ,
Risk Mitigation ,
Singapore ,
Transparency
EU data protection law contains a powerful tool called a Subject Access Request ("SAR") which allows an individual to obtain copies of data about themselves, on demand, within a tight timeframe, and at low cost. Satisfying...more
6/13/2019
/ Burden of Proof ,
Data Controller ,
Data Processors ,
Discovery Disputes ,
EU ,
Exemptions ,
General Data Protection Regulation (GDPR) ,
Journalism ,
Legal Professional Privilege ,
Personal Data ,
Subject Access Request (SAR) ,
UK ,
UK ICO
ad hoc clauses means a set of clauses for Cross-Border Data Transfers, which require prior approval by a DPA (see Chapter 13).
Adequacy Decision means a decision by the Commission to designate a third country as an...more
Why does this topic matter to organisations?
The GDPR is now the main instrument governing EU data protection law across all Member States. The Directive, which was almost 20 years old, has been repealed. However, the...more
4/27/2019
/ Breach Notification Rule ,
Compliance ,
Conflicts of Laws ,
e-Privacy Directive ,
EU ,
EU Directive ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
International Treaties ,
Member State ,
Mutual Legal Assistance Treaties (MLAT) ,
Personal Data ,
Personally Identifiable Information ,
Repeal
Why does this topic matter to organisations?
Although a key aim of the GDPR is to harmonise data protection law across the EU, there are a number of areas in which the GDPR leaves it to Member States to adopt their own...more
4/25/2019
/ Data Privacy ,
Data Protection ,
EU ,
EU Data Protection Laws ,
Freedom of Expression ,
General Data Protection Regulation (GDPR) ,
Harmonization Rules ,
International Data Transfers ,
Member State ,
Personal Data ,
Religious Institutions ,
Scientific Research
Why does this topic matter to organisations?
Whereas the remedies and sanctions available to DPAs under the Directive were comparatively low (generally subject to a maximum of less than €1 million per infringement, with...more
4/24/2019
/ Administrative Fines ,
Civil Liability ,
Criminal Sanctions ,
Damages ,
Data Breach ,
Data Processors ,
Data Protection ,
Data Protection Authority ,
Data Subjects Rights ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Policies and Procedures ,
Privacy Laws ,
Remedies ,
Risk Management ,
Sanctions ,
Statutory Violations
Why does this topic matter to organisations?
Under the Directive, organisations were obliged to deal with a separate DPA for each Member State whose laws apply to them. This meant that businesses faced a range of...more
4/24/2019
/ Consistency Mechanism ,
Cooperation ,
Court of Justice of the European Union (CJEU) ,
Data Protection ,
Data Protection Authority ,
Dispute Resolution ,
DPA ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Sharing ,
International Data Transfers ,
Member State ,
Multidistrict Litigation ,
Multinationals ,
One-Stop Shop ,
Personal Data