Hannah-Mei Grisley

The Data (Use and Access) Bill (“DUA Bill”)[1] had its second reading on 19th November 2024 after being introduced in the House of Lords on 23 October and the Bill is anticipated to enter the Lords’ Committee stage in December. According to the Department for Science, Innovation and Technology, the DUA Bill will harness the power of data to boost the UK economy by an estimated £10 billion, free up thousands of police and NHS staff time and secure the effective use of data for the public interest.[2] The DUA Bill proposes to amend both the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), despite little weight being placed on this in the Government’s initial press release.
Continue Reading Unpacking the Proposed Data (Use and Access) Bill

In this blog post, we break down the new Vietnamese cybersecurity regulations which apply to both Vietnamese and foreign organisations. Alongside the ongoing consultation for the Ministry of Public Security’s proposed data law, Vietnam is taking steps to move towards a data protection compliance regime in line with other countries and regions, such as the EU – something of particular relevance in a country with one of the highest internet user growth rates (nearly 80 million internet users).

What Is the CAS Decree?

The Cybersecurity Administrative Sanctions Decree (CAS Decree) is a decree unveiled by the Vietnamese Ministry of Security to the Ministry of Justice in mid-May 2024.

The first draft was published for consultation in September 2021 and has undergone multiple revisions following public consultations.
Continue Reading Summarising the New Vietnamese Cybersecurity Regulations

The UK Parliament was dissolved on 30th May 2024 ahead of the upcoming July general election and before the Government’s Data Protection and Digital Information (DPDI) Bill could be passed in the “wash up period”[1]. Like other proposed laws which were not enacted prior to the dissolution of Parliament, the Bill is considered failed and will not be carried over to the new Parliament (even if the Conservatives are re-elected, it will need to be re-presented).

What was the DPDI Bill?

This Bill was the second version of the DPDI Bill – the first version was presented to Parliament in July 2022. Its stated goal was to revise the UK’s data protection laws post-Brexit and reduce red tape and paperwork for UK businesses[2]. However, as we observed in a previous post, the creation of a UK data protection regime that diverged further from the regime in the EU would have had the opposite effect for any international UK (and other) businesses already subject to EU GDPR and other data protection laws.

In addition, the DPDI Bill aimed to:

  • Reduce barriers to responsible innovation by, for example, amending the definition of “scientific research” to include commercial activities;
  • Boost trade and reduce barriers to data flows by, for example, keeping the existing EU Standard Contractual Clauses;
  • Deliver better public services by, for example, the facilitation of data sharing between public and private institutions including banks to prevent fraud; and
  • Reform the Information Commissioner’s Office by, for example, replacing the current Commissioner role with a statutory board of members appointed by the Secretary of State.

Continue Reading What Happened to the UK’s Data Protection and Digital Information Bill?

Ransomware and DDoS attacks are costly to organisations that fall victim in terms of reputational damage, picking up the pieces as well as potential enforcement from the ICO and compensation claims by data subjects.
Continue Reading Double Trouble: Why Organisations Need to Consider the Legal Consequences of Ransomware and DDoS Attacks

The Dutch Data Protection Authority (Dutch DPA) has issued fixed and periodic fines to a government ministry over its lack of security measures and transparency about who it shares personal data with, while the Danish Data Protection Agency (Danish DPA) has issued fines to a national bank for its lack of documentation on the deletion of personal data.
Continue Reading European DPAs in Action: Periodic Penalties and Deletion of Personal Data

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contractual Clauses (“New EU SCCs”) are now in force (as of 21 March 2022), providing much-needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and

The UK’s Competition and Markets Authority (“CMA”), Information Commissioner’s Office (“ICO”) and Google have agreed legally binding commitments from Google on the development of its Privacy Sandbox proposals.

These proposals relate to the removal of third-party cookies – to be phased out by 2023 – in the Chrome browser and Chromium browser engine, which will

The UK data protection regulator, the Information Commissioner’s Office (the “ICO”), has finalised its new UK data transfer agreement and addendum to the new EU Standard Contractual Clauses (EU SCCs) following its consultation last year. From 21 March 2022 (subject to Parliamentary approval), organisations in the UK will be able to choose whether to use