Topic: General

Subscribe to General RSS feed

ICO publishes guidance on bulk emails

The Information Commissioner’s Office has published new guidance on email security, with emphasis on safety when sending to multiple recipients which is relevant for pension schemes when emailing their membership. The principal points include: As regards pension schemes, administrators should remember that whether information is sensitive can depend on the context and consideration should be given to … Continue reading

China finalises its Generative AI Regulation

The Provisional Administrative Measures of Generative Artificial Intelligence Services (Generative AI Measures), were published by the Cyberspace Administration of China (CAC), together with six other authorities, on 13 July 2023 and will take effect from 15 August 2023. The Generative AI Measures, along with the likely enactment of the Artificial Intelligence Law in the 2023 legislative … Continue reading

The ICO urges organisations to start using privacy enhancing technologies to share personal data safely, securely and anonymously

On 19 June 2023, the UK Information Commissioner’s Office (the ICO) published guidance on privacy enhancing technologies (or PETs) (the Guidance). The Guidance sits alongside the ICO’s recommendation that organisations should, if they haven’t already, start using PETs to share personal data safely, securely and anonymously. Structure of the Guidance The Guidance is split into … Continue reading

Singapore contributes to the development of accessible AI testing and accountability methodology with the launch of the AI Verify Foundation and AI Verify Testing Tool

On 7 June 2023, at the ATxAISummit, Singapore launched the AI Verify Foundation, which aims to “harness the collective power and contributions of the global open source community” in order to develop the AI Verify testing tool for the responsible use of AI. In this short post, we discuss this development as well as the … Continue reading

Privacy notices – the ICO follows the lead of the EU data protection authorities in their interpretation of Article 13 UK GDPR

Introduction On 15 May, the ICO published the monetary penalty notice (MPN) in relation to the £12.7 million fine it imposed on TikTok in April. This MPN and its accompanying annexes set out details of TikTok’s non-compliance with data protection law and the reasons why the ICO considered that a fine was appropriate. Whilst a … Continue reading

Schrems II – Irish DPC finally issues its decision – suspension order, deletion/ repatriation of data and fine

Introduction: On 22 May, the Irish Data Protection Commissioner (the DPC) published its decision against Meta Platform Ireland Ltd (Meta Ireland) in relation to Facebook’s transfer of user’s personal data to the US (the Decision). In it, the DPC ordered Meta Ireland to suspend Facebook’s future transfers of personal data to the U.S. within five … Continue reading

NIST Proposes Revised Security Guidelines For Federal Contractors

In response to the constantly evolving landscape of cybersecurity threats, the National Institute of Standards and Technology (NIST) has recently updated their guidelines for Special Publication NIST 800-171, making its guidance more prescriptive, and potentially making it harder for contractors to comply. NIST 800-171 is a set of guidelines created to help federal agencies and … Continue reading

The AI Act – A step closer to the first law on Artificial Intelligence

On 11 May 2023, members of the European Parliament passed their compromise text of the AI Act (the AI Act) at the committee stage, taking this law a step closer to being finalised. The compromise text (the Parliament Draft), which amends the Commission’s original proposal, includes quite a large number of amendments, some of which … Continue reading

Biden restricts U.S. government use of commercial spyware

Governments state that they use commercial spyware exclusively for criminal investigations, but critics claim such spyware has purportedly been used for human rights abuses targeting journalists, human rights defenders, lawyers, and political dissidents.  Moreover, the U.S. Government and its employees have been allegedly targeted by such spyware.  To set an example for governments globally—both authoritarian … Continue reading

Italian Garante bans Chat GPT from processing personal data of Italian data subjects

IntroductionBy way of an interim measure adopted on 30 March 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali) (the Garante) ordered  the US company Open AI LLC to temporarily stop ChatGPT’s processing of personal data relating to individuals located in Italy, pending the outcome of the Garante’s investigation into the … Continue reading

UK AI White Paper

At last, UK Government publishes its White Paper on AI – “A pro-innovation approach to AI regulation” – an opportune start, but as expected, a framework with detail to follow… The Department for Science, Innovation and Technology, has finally published its AI regulation white paper (the ‘White Paper’). Here are the key elements: What AI … Continue reading

Relying on the Legitimate Interests Exception under the Personal Data Protection Act 2012

In a recent decision (the Decision),[1] the Personal Data Protection Commission (PDPC) considered for the first time a company’s reliance on the Legitimate Interests Exception (as defined below) under the Personal Data Protection Act 2012 (PDPA) when the consent procured is invalid. The General Legitimate Interests Exception The general Legitimate Interests Exception was introduced to … Continue reading

Cyber-insurance – 72 hours for the insured party to file a criminal complaint: GDPR’s false friend

Cyberattacks have become more frequent, problematic and complex over the years – so much so that they now represent a real threat to economic activities. The French Information and Digital Security Experts Club (CESIN) has estimated that 54% of French companies were subject to cyberattacks in 2021,[1] while France Assureurs has put cyberattack risks on … Continue reading

FTC proposed consent order prohibits perpetual retention of personal information

We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information.  On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category.   Also unlike the previous matter, … Continue reading

EDPB Guidelines on international transfers: 6 key takeways

EDPB Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation on international data transfers On 14 February 2023, the European Data Protection Board (EDPB) published its Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation … Continue reading

Hong Kong’s data privacy law reform may come in 2023

The reform of Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) is back on the agenda. In our earlier post in 2020, we reported that the Constitutional and Mainland Affairs Bureau published a discussion paper (the Discussion Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the … Continue reading

“Forever and forever, farewell”:  FTC prohibits indefinite retention of PHI in consent order

innovation circuit boardOn February 1, 2023, the Federal Trade Commission announced a complaint and stipulated order with GoodRx, with the FTC using for the first time its interpretation of the Health Breach Notification Rule.  Under the Rule, the FTC interpreted a “breach” to include disclosures of personal health information without notice to the individual and consent by … Continue reading

BIPA Year in Review: Where Are We Now and What’s Coming Next?

2022 has been a record year for Illinois Biometric Information Privacy Act (“BIPA”) litigation. Since its enactment in 2008, BIPA has been one of the most litigated privacy-related laws with some of the highest penalties. However, it wasn’t until last month that the first BIPA jury verdict was ever rendered.  The award, a whopping $228 … Continue reading

Canada’s artificial intelligence legislation is here

On 16 June 2022 the Canadian federal government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. If passed, this package of laws will: Implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA). Reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with … Continue reading

Points to note on the European Commission’s questions and answers on the Revised Standard Contractual Clauses (SCCs)

On May 25th 2022, the European Commission published a series of questions and answers on the SCCs to be used between controllers and processors within the European Economic Area (EEA), and the SCCs to be used for transfers to countries not considered adequate by the European Commission (Third Countries) (the Q&As). The text of the … Continue reading

EDPB publishes guidance on calculating GDPR fines

On 12 May 2022 EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines).  The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommends that the two are read together.  Whereas the previous guidance set out general principles for when … Continue reading

The EU’s Data Act: Capstone of the EU Data Strategy

On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading
LexBlog