Join SPB’s Julia Jacobson and Sasha Kiosse for a Strafford webinar on Data Privacy and Security Programs: Policies, Practices, Requirements, Latest Developments, Compliance Updates, taking place next week on Tuesday, December 17, from 1:00 pm to 2:30 pm EST.

Continue Reading Join Us for a Strafford Webinar on Data Privacy and Security Programs

Discover cutting-edge insights and actionable strategies on cybersecurity, data privacy and legal compliance from SPB partners Scott Warren and Charmian Aw during these upcoming events in Southeast Asia and the Middle East.

Indonesia & SE Asia: 10th International Arbitration & Corporate Crime Summit
12 December 2024 | Jakarta, Indonesia
Hear from Scott Warren as he chairs the morning sessions of this highly anticipated summit. In the afternoon, Scott will delve into the intricacies of cross-border data breach, including Indonesia’s reporting requirements, offering crucial guidance for navigating today’s global data challenges, in a session on Cross-Border Data Breach: What You Need To Know!
Registration is available here.

12th EMEA Anti-Corruption Compliance Summit 2025
16 January 2025 | Dubai, U.A.E.
Understanding data sovereignty is essential to adhering to today’s regulatory landscape and addressing potential corruption and compliance issues. Join Scott Warren as he discusses this and more in his presentation on Data Sovereignty: How It Impacts The Cross-Border Flow of Data?
Registration is available here.

Global Legal ConfEx
18 February 2025 | Singapore
Join Charmian Aw and Scott Warren in two sessions at the upcoming Global Legal ConfEx in Singapore. Charmian will lead a panel discussion on Staying Ahead of the Curve: Navigating Singapore’s PDPA and Global Data Privacy Compliance Challenges, comparing frameworks such as the GDPR, managing cross-border data transfers, and addressing the role of AI in privacy obligations. Scott will present a session on Protecting the Fortress: Cybersecurity Strategies for Legal Professionals in a Digital Era, focusing on critical risks, breach response and robust protocols for remote work environments.
Registration for both sessions here.

For questions about these events or the topics covered, please reach out to Scott and Charmian directly.

The first tranche of Australian privacy law reform has been passed by the Australian government and will come into effect within days. This reform further increases the range and type of penalties that Australia can enforce for non-compliance with local privacy law and introduces changes which businesses will need to action.

Continue Reading First Tranche of Reforms to Australian Privacy Law Passed with Amendments

The Data (Use and Access) Bill (“DUA Bill”)[1] had its second reading on 19th November 2024 after being introduced in the House of Lords on 23 October and the Bill is anticipated to enter the Lords’ Committee stage in December. According to the Department for Science, Innovation and Technology, the DUA Bill will harness the power of data to boost the UK economy by an estimated £10 billion, free up thousands of police and NHS staff time and secure the effective use of data for the public interest.[2] The DUA Bill proposes to amend both the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), despite little weight being placed on this in the Government’s initial press release.

Continue Reading Unpacking the Proposed Data (Use and Access) Bill

Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026. Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While these laws share many features, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, enterprises need to consider other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data that are not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] and laws, including provisions within the comprehensive consumer privacy laws, regulating data brokers.[4]

A recent article published by the authors in Competition Policy International’s TechReg Chronicle details the similarities and differences between the 20 state consumer privacy laws, and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).

Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

Court Ruling in China on Personal Data Transfer by International Hotel Chain

Data Breaches and Spreadsheets: How to Avoid Fines When Excelling

Join SPB’s Privacy Team for Two Strafford Webinars in December

Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

SPB’s Alan Friel Speaks on Privacy Risk Assessments: Aligning Business With Compliance

Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You

When Data Breaches Cost Twice – AEPD’s Landmark Fine Shows That Being the Victim of a Cyberattack Doesn’t Excuse GDPR Failures

Artificial Intelligence and the Rise of Product Liability Tort Litigation: Novel Action Alleges AI Chatbot Caused Minor’s Suicide

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6(1)(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers and will therefore be most welcome.

For years, legitimate interest has been one of the go-to options for organizations, on the view that it offers more flexibility (as long as the inherent requirements of its use are met). High-profile cases, such as the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystallized the tension between organizations relying on it and supervisory authorities and privacy advocates scrutinizing its use.

Continue Reading Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

In September 2024, the Guangzhou Internet Court published its judgment, originally handed down in September 2023, in a civil dispute involving the transfer of personal data outside mainland China. This is reportedly the first judicial judgment in China on cross-border data transfers.

In this case, an international hotel group based in France, as the defendant, was found liable for illegally transferring the personal data of the plaintiff, an individual Chinese customer, to third parties outside of China for the purpose of marketing, without obtaining the customer’s separate consent prior to providing the data.

Continue Reading Court Ruling in China on Personal Data Transfer by International Hotel Chain

The ICO has fined the Police Service of Northern Ireland (“PSNI”) £750,000 in what it has described as the “most significant data breach that has ever occurred in the history of UK policing”.[1] The fine, the largest the ICO has ever imposed on a public body, follows the unauthorised disclosure of an Excel spreadsheet containing the personal data of 9,483 police officers and staff. Given the ICO’s stated policy for public authorities, under which enforcement is meant to act as a deterrent and to remedy data breaches through reprimands and enforcement notices, with fines reserved for the most egregious cases, the level of the fine is, at first glance at least, surprising. The fine also comes with a warning to private sector data controllers: they would not have benefited from the reduction afforded to public sector bodies and could have faced a fine of up to £17.5 million.

Background

On 3 August 2023, the PSNI received two Freedom of Information (“FOI”) requests from the website WhatDoTheyKnow (“WDTK”) asking for the number of officers and staff at each rank or grade. The response was compiled by the PSNI’s Workforce Planning Team by downloading and editing existing HR Excel spreadsheets. Once prepared, the responsive spreadsheet was sent to the Head of the Workforce Planning Team for quality assurance checks. After that review it was forwarded to the FOI Decision Maker, who, due to technical issues, chose to disclose the Excel file in its original format rather than convert it to a Word document.
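The release chain described above, turned into a pre-release check, as an added example that is not part of the original post or of the ICO’s notice. The post does not say what the released workbook carried beyond the headcount figures, so the example assumes the most common failure mode for a spreadsheet built by trimming an HR export: a worksheet that was hidden rather than deleted. It is a stand-alone Python script using only the standard library. It constructs a small .xlsx in memory (the names and stations are placeholders, not real data), lists every sheet in the workbook with its visibility state and size, treats anything that is not visible as a release blocker, and writes the visible sheets out as plain CSV, which is the kind of flattened artefact the decision maker could have released instead of the original file.

```python
import csv
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces used by .xlsx parts (a .xlsx is a zip of XML parts).
MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def _sheet_xml(rows):
    """Serialise rows (lists of strings) as a minimal worksheet part using inline strings."""
    parts = [f'<worksheet xmlns="{MAIN}"><sheetData>']
    for r, row in enumerate(rows, start=1):
        cells = "".join(
            f'<c r="{chr(65 + c)}{r}" t="inlineStr"><is><t>{escape(v)}</t></is></c>'
            for c, v in enumerate(row))
        parts.append(f'<row r="{r}">{cells}</row>')
    parts.append("</sheetData></worksheet>")
    return "".join(parts)


def build_sample_workbook():
    """Constructed sample, not the PSNI file: a visible headcount table plus a hidden
    sheet that still carries the per-person rows the table was derived from."""
    summary = [["Rank", "Headcount"], ["Constable", "2"], ["Sergeant", "1"]]
    source = [["Surname", "Initials", "Rank", "Station"],
              ["Example", "A", "Constable", "Station 1"],
              ["Sample", "B", "Constable", "Station 2"],
              ["Placeholder", "C", "Sergeant", "Station 1"]]
    workbook = (f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                '<sheet name="HR_Export" sheetId="2" state="hidden" r:id="rId2"/>'
                '</sheets></workbook>')
    rels = (f'<Relationships xmlns="{PKG}">'
            f'<Relationship Id="rId1" Type="{REL}/worksheet" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{REL}/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", _sheet_xml(summary))
        z.writestr("xl/worksheets/sheet2.xml", _sheet_xml(source))
    return buf.getvalue()


def _open_sheets(z):
    """Yield (name, visibility state, parsed worksheet) for every sheet the workbook lists,
    resolving each sheet's part through the package relationships rather than guessing names."""
    wb = ET.fromstring(z.read("xl/workbook.xml"))
    rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    targets = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{PKG}}}Relationship")}
    for sheet in wb.iter(f"{{{MAIN}}}sheet"):
        target = targets[sheet.get(f"{{{REL}}}id")]
        part = target.lstrip("/") if target.startswith("/") else "xl/" + target
        yield sheet.get("name"), sheet.get("state", "visible"), ET.fromstring(z.read(part))


def _shared_strings(z):
    """Excel-saved files keep most text in a shared string table; load it if present."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{MAIN}}}t")) for si in root.iter(f"{{{MAIN}}}si")]


def _cell_text(c, shared):
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(f"{{{MAIN}}}t"))
    v = c.find(f"{{{MAIN}}}v")
    if v is None:
        return ""
    return shared[int(v.text)] if c.get("t") == "s" else v.text


def audit_workbook(data):
    """One record per sheet: name, state, row count and widest row. Any state other than
    'visible' (Excel also has 'veryHidden') is a release blocker; the sizes show up a sheet
    far larger than the handful of summary rows the FOI answer should contain."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name, state, ws in _open_sheets(z):
            rows = list(ws.iter(f"{{{MAIN}}}row"))
            widest = max((len(list(r.iter(f"{{{MAIN}}}c"))) for r in rows), default=0)
            report.append({"name": name, "state": state, "rows": len(rows),
                           "cols": widest, "blocker": state != "visible"})
    return report


def export_visible_csv(data):
    """The safer release artefact: plain CSV of the visible sheets' cell text only. The .xlsx
    container, and every other part it may carry, stays inside the organisation."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        shared = _shared_strings(z)
        for name, state, ws in _open_sheets(z):
            if state != "visible":
                continue
            writer.writerow([f"# sheet: {name}"])
            for row in ws.iter(f"{{{MAIN}}}row"):
                writer.writerow([_cell_text(c, shared) for c in row.iter(f"{{{MAIN}}}c")])
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook()
    for entry in audit_workbook(sample):
        print(entry)
    print(export_visible_csv(sample))
```

Run against the constructed sample, the audit reports the three-row Summary sheet as visible and the four-row, four-column HR_Export sheet as hidden and therefore a blocker, and the CSV contains only the headcount table. Hidden sheets are only one place a trimmed export can keep data: hidden rows and columns, defined names, pivot caches, comments and document properties all survive in the container as well, so a real pre-release scan should cover those parts too, and the simplest defence remains the one the decision maker was unable to apply here, releasing a flat copy of the reviewed figures rather than the working file.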

Continue Reading Data Breaches and Spreadsheets: How to Avoid Fines When Excelling