Authors: Eilis McDonald; Marcus Walsh; John Magee; Gavin Woods; David Cook; Andreas Rüdiger The Irish Circuit Court has recently delivered an important judgment on non-material damages for infringement of the GDPR.  The judgment also establishes a list of factors for the courts to consider when assessing non-material damages. This judgment comes in the context of other recent decisions on this topic in the UK and EU and which continue to shape the data protection environment that multi-national organisations operate in. The scrutiny by national courts over the lawfulness of certain proces ..read more

Authors: Carolyn Bigg, Gwyneth To and Rachel De Souza Start preparing now to comply with India’s new data protection law. While there are similarities with EU/UK GDPR – and sufficient harmonisation with data protection laws across APAC to continue a regional data compliance in Asia – the practicalities of implementation and compliance should not be underestimated. On 11 August 2023, India’s long-awaited law governing data protection – the Digital Personal Data Protection Act, 2023 (DPDP Act) – received the President’s assent and was published in the official gazette the following day. The DPDP ..read more

Helpful guidance on some previously uncertain areas of China data protection compliance programmes have been provided by the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”), which were published for public consultation on 3 August 2023 by the Cyberspace Administration of China (“CAC”). The Draft Measures propose to introduce or flesh out other compliance requirements contained in the PIPL. For example: Automated Decision-Making: where a data controller uses personal data to conduct any automated decision making, it must proac ..read more

To add to the compliance burden, new mandatory, periodic and detailed data protection compliance audits have now been proposed in China, with measures beyond the usual governance/compliance audit compliance steps expected under other data protection frameworks, and a duty to report the audit results to the China data authorities. On 3 August 2023, the Cyberspace Administration of China (“CAC”) published the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”) for public consultation, which closes on 2 September 2023. The Draft Meas ..read more

Authors: Carolyn Bigg and Amanda Ge Businesses who must follow the China SCCs route to legitimize their cross-border transfers of personal data must file their signed China SCCs together with the supporting personal information impact assessment (“PIIA”) report with their local CAC branch by no later than 30 November 2023. This requires significant effort, and so businesses must act now to meet the filing deadline. To recap, the China SCCs route is the relevant route for China entities that are data controllers of China personal information but who do not meet the thresholds whereby the full C ..read more

Authors: Carolyn Bigg, Amanda Ge and Venus Cheung On July 24, 2023, the People’s Bank of China (“PBOC”) released the Measures for the Management of Data Security in the Business Areas Falling into PBOC’s Jurisdiction (Draft for Comment) (“Draft Measures”) for public consultation, which closes on August 24, 2023. The Draft Measures regulate the processing of electronic data collected and generated during the course of business activities that are under the supervision and management of PBOC (“Regulated Data”). Regulated Data includes personal and non-personal data categories, but state secrets ..read more

Authors: Carolyn Bigg, Lauren Hurcombe and Yue Lin Lee. On 18 July 2023, Singapore’s Personal Data Protection Commission (“PDPC”) issued for public consultation a set of proposed guidelines for the use of personal data in AI recommendation and decision systems (“Proposed Guidelines”). The public consultation is open until 31 August 2023. The Proposed Guidelines aim to clarify the application of the Singapore Personal Data Protection Act (“PDPA”) in the context of developing and deploying AI systems involving the use of personal data for making recommendations or predictions for human decision ..read more

CJEU’s landmark decision in Meta vs Bundeskartellamt allows GDPR scrutiny through antitrust regulators and imposes strict limitations on the personalised use of consumers’ personal data by social media platforms By Verena Grentzenberg, Philipp Schmechel, Dr. Jonas Kranz On 4 July 2023, the European Court of Justice (“CJEU”) delivered its judgment in Meta vs Bundeskartellamt Case C-252/21. The decision imposes important requirements in relation to the interpretation of the GDPR and the interplay between competition authorities and data protection supervisory authorities, in particular, with reg ..read more

Authors: Jim Sullivan, Rachel De Souza, Heidi Waem, John Magee and David Brazil On 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF replaces the Privacy Shield Framework (Privacy Shield) which was invalidated by the Schrems II decision of the Court of Justice of the European Union (CJEU) in July 2020.  Effective immediately, the new adequacy decision allows personal data to flow from the European Economic Area (EEA) to DPF-certified US companies without the need for additional data protectio ..read more

Global flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union’s “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while patiently awaiting the developments around the upcoming EU-US Data Privacy Framework. To date, these compliance challenges were essentially limited to personal data processing, so some organisations and sectors had to do more than others. However, several legislative initiatives deriving from the ..read more