Privacy law

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services

By Farah Mukaddam (UK), Marcus Evans (UK) & Rosie Nance on January 28, 2025

Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by…

New Horizons in Data Protection: Malaysia’s Personal Data Protection (Amendment) Act 2024

By Wilson Ang, Jeremy Lua & Terence De Silva on January 17, 2025

On 24 December 2024, Malaysia’s Minister of Digital stipulated the dates on which the provisions of the Malaysian Personal Data Protection (Amendment) Act 2024 (Amendment Act) will come into force. The Amendment Act will take effect in three…

Facial recognition and privacy: Updated OAIC guidance

By Lisa Fitzgerald on December 11, 2024

The Office of the Australian Information Commissioner (OAIC) has issued guidance to private sector organisations who are considering using facial recognition technology (FRT) for identification purposes in commercial or retail settings. The guidance follows a determination of the Privacy Commissioner…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Bill C-26: Advancing towards cybersecurity governance in Canada

By John Cassell (CA), Imran Ahmad (CA) & Marisa Kwan on October 30, 2024

Content On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since…

Lessons on international transfers to the US to organisations caught by the GDPR

By Jurriaan Jansen, Naomi Schuitema, Marcus Evans (UK) & Rosie Nance on September 11, 2024

The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP) announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V.,(UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

Recent regulatory developments in training AI models under the GDPR

By Marcus Evans (UK), Rosie Nance & Olivia Wint on August 22, 2024

In 2024, many organisations have been eager to look at how they can use the data they hold to debut or build on their artificial intelligence (AI) programme. Many are looking to use that data to train AI models, or…

EDPB opines on the use of facial recognition in airports

By Marcus Evans (UK) & Shiv Daddar (UK) on July 18, 2024

Co-written by Swaathi Balajawahar, Trainee Solicitor

Introduction

On 23 May 2024, the European Data Protection Board (EDPB) issued Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (the Opinion). The Opinion considered the use of facial…

Minnesota enacts comprehensive privacy law

By Susan Ross (US), David Kessler (US), Amelia Klitenic (US), Kelly Atherton (US) & Rachel Cooper (US) on June 24, 2024

On May 24, 2024, the Minnesota Governor signed the Minnesota Consumer Data Privacy Act (“MCDPA”), making Minnesota the eighteenth state to enact a comprehensive privacy law. The new law takes effect on July 31, 2025, for most regulated entities, with…

Data Protection Report