Data Privacy

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The Philippines Consults on Draft Consent and Private Identification Cards Guidelines | Privacy World

Southeast Asia and the EU Publish

With several consumer privacy laws and regulations going into effect this year, businesses need to be conducting and documenting formal assessments of their data practices, known as “Data Protection Impact Assessments” or “DPIAs.” We previously discussed DPIA requirements under the Virginia Consumer Data Protection Act (“VCDPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), California Privacy Rights Act (“CPRA”), and Colorado Privacy Rights Act (“CPA”) here, and DPIA requirements under the California Age-Appropriate Design Code Act (“CAADCA”) and New York City’s Local Law 144 (“Local Law 144”) here.
Continue Reading Navigating Data Privacy Assessments Amid New State Laws

On May 18, 2023, South Korea’s privacy regulator, the Personal Information Protection Commission (PIPC), released for public consultation a draft decree[1] under the Personal Information Protection Act (PIPA). The key changes proposed in the draft decree are as follows.


The draft decree seeks to enhance the right under the PIPA of citizens who are data subjects, to determine how their personal data may be processed. This is done by specifying that, where consent is the appropriate basis for processing personal data, such consent must be freely given by each data subject after it has been made explicitly clear to them that they can choose whether or not to consent. This includes ensuring that any personal data processing policy is implemented and disclosed in an easy-to-understand manner.

Where personal data is collected from a third party other than the data subject, the draft decree streamlines the requirement for notification that must be given, to the third-party source, of the details of use of the data subject’s personal data.
Continue Reading South Korea Consults on Draft Decree to Personal Information Protection Act

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?

On May 18th, Scott Warren, Partner, Tokyo/Shanghai, will be speaking at the Legal Plus 3rd Annual Asia International Arbitration and Competition Law Summit held in Hong Kong on the topic “China’s New Personal Data Export Restrictions: Are You Ready?” Scott is speaking from 2:40-3:00 p.m. Hong Kong time on the challenges

Stephanie Faber will be speaking at the 3rd Annual France-Singapore Symposium on Law and Business which will take place in Paris on May 11-12, 2023.

The symposium is organized by the Singapore Academy of Law, Embassy of France in Singapore in collaboration with Paris Bar, the Université Paris 1 Panthéon-Sorbonne, the Asian Business Law

Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.

While the Florida Digital Bill of Rights found in S.B. 262 provides similar rights as the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million dollar requirement in other states), and at least one of the following: i) 50% of global gross revenue coming from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below.
Continue Reading Florida Joins the Privacy Pack with an Opt-In to Sale of Sensitive Data

On May 8, 2023, the Online Criminal Harms Bill[1] (Bill) was introduced for its first reading in Singapore’s Parliament.

The Bill empowers a competent public authority[2] to issue any of five distinct types of directions:

  1. A Stop Communication Direction, which requires a person or entity to remove, stop posting or transmitting, and/or disable access to online criminal content so it is not accessible by any persons in Singapore.
  2. A Disabling Direction, which requires an online service provider (such as a social media platform or instant messaging provider) to disable access to specified content, such as material that had been posted or transmitted on or through an online service. This extends to disabling access to any identical copies of the relevant material, as well as to any location on the online service from where the content could be retrieved.
  3. An Access Blocking Direction, which requires an internet service provider to block access by persons in Singapore to any material or location such as a website.
  4. An Account Restriction Direction, which requires an online service provider to stop or restrict interaction between an account on its online service from communicating and interacting with any persons in Singapore.
  5. An App Removal Direction, which requires an app store to stop distributing an app to, and to stop enabling the download of this app by, any persons in Singapore.

Continue Reading Singapore Introduces New Law to Order Removal, Blocking of Harmful Online Content

A growing area of privacy litigation concerns claims brought under federal and state wiretapping laws against website operators.  In many of those cases, plaintiffs allege that their personal information was improperly intercepted and disclosed to third parties, including in relation to information purportedly provided through a website’s chat feature.  Last month, a federal court in