Global Privacy Control Opt-Out of “Sale” – A Technical and Legal Viewpoint

Global Privacy Control Opt-Out of “Sale” – A Technical and Legal Viewpoint

According to the California Attorney General, consumers may now utilize a new technology called the Global Privacy Control (“GPC”) in order to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).

The GPC, according to its website, was developed by “various stakeholders including technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.”

Unlike the IAB Tech Lab U.S. Privacy String, which is controlled and operated by the adopting Business via JavaScript, the GPC is controlled by the browser software either natively (as in the case of Firefox) … Continue Reading

Hong Kong: Bill to amend the Personal Data (Privacy) Ordinance to combat doxxing acts was gazetted today

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) was gazetted today, 16 July 2021.

The Bill aims to combat doxxing acts through (i) criminalisation of doxxing acts; (ii) empowering the Privacy Commissioner for Personal Data to conduct criminal investigation and institute prosecution for doxxing cases; and (iii) conferring on the Commissioner statutory powers to demand the rectification of doxxing content. The details of the Bill are summarized in our earlier post.

The government has submitted the brief on the Bill to the Legislative Counsel on 14 July 2021. It is expected that the Bill would be introduced into … Continue Reading

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication.  The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy.  The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market.… Continue Reading

EU – UK data transfers can continue: UK receives much welcome adequacy decision

Norton Rose Fulbright - Data Protection Report blog

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision).  This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures.

For the time-being, however, the Decision does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the Immigration Exemption).  The Immigration Exemption has been widely criticised by … Continue Reading

The EDPB publishes its finalised version of the Recommendations on supplementary measures

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement.

This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information).  Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.

The new SCCs and the Recommendations show that compromise between the Commission and the EDPB has been … Continue Reading

Google to nix “GAID” for opted-out users on Android

Google to nix “GAID” for opted-out users on Android

Steve Roosa and Daniel Rosenzweig report on Google’s recent announcement regarding Android GAID settings.

Beginning later in 2021, for Android 12, Android devices will “zero-out” the Google Advertising ID (“GAID”) for users who have opted out of tracking and personalized advertising. (In other words, using the “Opt out of Ads Personalization” settings).

Read the full post on the NT Analyzer blog.… Continue Reading

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints


Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply.  noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/”reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make … Continue Reading

A deeper dive into the new Standard Contractual Clauses

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs).  Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.

The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data.  This approach was … Continue Reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

Norton Rose Fulbright - Data Protection Report blog

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs).  The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA.  They will also be a lawful mechanism for UK companies to use too.

The new SCCs were updated to:

  • allow for various types of transfers (in particular those between a processor and a sub-processor);
  • give the clauses a GDPR ‘face lift’; and
  • address the requirements of the Schrems II judgement.

Organisations may continue to use the current SCCs until 27 September … Continue Reading