Clifford Chance

Data

Advocate General's opinion on administrative fines under the GDPR

On 12 September 2024, Advocate-General Leila Medina (AG) delivered her opinion to the ECJ in Case C-383/23 Anklagemyndighenden v ILVA A/S (ILVA) which clarifies the relationship between the basis on which the level of an administrative fine is to be set under articles 83(1) to (3) of the EU General Data Protection Regulation (GDPR), and the maximum level of such a fine under articles 83(4) and (5).

Read

Data

Court of Justice of the European Union on GDPR & Cybercrime

On 14 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary ruling in Case C-340/21 involving the Bulgarian National Revenue Agency (NAP), which suffered a cyberattack leading to the unauthorized disclosure of personal data.

Read

Data

Amendments to the Act on the Protection of Personal Information of Japan Proposed for 2025

The PPC announced that there will be amendments to the Act on the Protection of Personal Information (APPI) in 2025, which are set to introduce significant changes to the current data protection framework. The Personal Information Protection Committee of Japan has published an interim report following their meeting on 26 June 2024 to summarise the ongoing discussions to revisit the APPI. Revisions are being proposed as part of the requirement to have the APPI reviewed every three years and in response to industry feedback calling for regulations that better align with practical business conditions.

Read

Keeping Pace: The First Tranche of Australian Privacy Reforms versus the GDPR Regimes

For investors and corporates with interests across Australia, the EU, and the UK, this post addresses the reforms proposed in the Privacy Bill, and how and to what extent the changes will align the Privacy Act more closely with the EU General Data Protection Regulation (EU GDPR) and its essentially similar UK equivalent (UK GDPR, and together with the EU GDPR, GDPR).

Read

President Biden Issues Executive Order to Protect American's Sensitive Personal Data

This article examines EO 14117 and the subsequent Advance Notice of Proposed Rulemaking (ANPRM) detailing the framework of the forthcoming regulations it will issue to implement the order's directives and filling in the details on what transactions will be impacted. Together, EO 14117 and the accompanying ANPRM from DOJ will likely have important implications for companies that do business in or otherwise operate in countries of concern, including notably China and Russia.

Read

APAC Data Regulatory Themes and Strategies

Data regulation is rapidly developing across the Asia Pacific (APAC) region. Businesses need to understand how these regulations will affect their strategies and how to balance mitigating risk with building consumer trust and fostering innovation. In this extract from a recent Clifford Chance webinar, we explore data transfers and localisation, cybersecurity and the latest regulatory developments and enforcement trends in APAC.

Read

ECJ rules on vehicle data sharing obligations and GDPR (Gesamtverband v Scania)

The recent decision of the European Court of Justice (ECJ) in Gesamtverband Autoteile-Handel eV v Scania CV AB clarifies requirements under EU Regulation 2018/858 for vehicle manufacturers to provide vehicle data to aftermarket participants, including manufacturers and distributors of spare parts.

Read

Data

CJEU decisions on administrative fines under the GDPR

On 5 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary rulings in Cases C-683/21 (Nacionalis visuomenés sveikatos centros prie Sveikatos apsaugos ministerijos) (NVSC) and C-807-21 (Deutsche Wohnen SE) (DW). In these cases, factually unrelated but raising overlapping issues of principle, the CJEU reached several key decisions clarifying the position under the EU General Data Protection Regulation (GDPR) regarding the imposition of administrative fines by data protection supervisory authorities.

Read

Data

German Data Protection Authority comments on required legal bases under the GDPR for processing of personal data using AI

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has published a consultation paper concerning the relevant legal bases under the EU General Data Protection Regulation (GDPR) for processing personal data as part of the development and use of artificial intelligence (AI) systems.

Read

Data

EU/UK-U.S data privacy framework approved

On 10 July 2023, the European Commission reached an "adequacy decision" under the European Union General Data Protection Regulation (GDPR), approving transfers of personal data to organisations located in the United States that will be certified under the newly-established Trans-Atlantic Data Privacy Framework (DPF) agreed between the U.S. and the EU.This long-awaited decision replaces the EU-U.S. "Privacy Shield", which was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems 2 case in 2020

Read

Data

When does pseudonymized data stop being personal data?

Building on existing case law from the Court of Justice of the European Union (CJEU), a recent judgment from the General Court provides useful guidance as regards the concept of 'personal data' and provides comfort to organizations disclosing pseudonymized data to third-party recipients.

Read

Data

AEPD tries to clarify previous decision on inclusion of worker in company's WhatsApp groups

This decision caused quite a stir in the Spanish data protection community, primarily because the AEPD offered only brief and generic reasoning in its decision, creating doubt as to the legal basis for this type of processing. This resulted in the AEPD receiving an enquiry from the privacy sector , asking it, , to identify the legitimate grounds for creating WhatsApp groups in the work environment.

Read

Data

China Finalises Standard Contract on Cross-Border Transfer of Personal Information

The PRC Data Laws set out the supervisory approach of PRC regulators to different data- and PI- related matters. One of the key focuses for multinational companies that are subject to the PRC Data Laws is compliance with PRC regulatory requirements on international transfer of PI (i.e., exporting and/or receiving China-sourced PI, including by way of remote access), given the potential widespread implications on their global business and data management systems.

Read

Data

The UK's Data Protection and Digital Information Bill – Further Reform on the Horizon

The UK’s Data Protection and Digital Information Bill (Bill) was laid before the UK Parliament on 18 July 2022, marking a significant step in the post-Brexit reform of the UK’s data protection regime. This long take analyses key aspects of the Bill and highlights areas that are likely to be the focus of engagement on potential further reform. To assist stakeholders in understanding the changes to legislation proposed by the draft Data Protection and Digital Information Bill, Clifford Chance has produced PDF redlines (called 'Keeling Schedules') of the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Read

Data

The case for a risk-based approach to data transfers: Clifford Chance and DLA Piper publish joint paper arguing for proportionality

The leading European data protection teams at Clifford Chance and DLA Piper have collaborated on a joint paper setting out the case for a proportionate approach to conducting risk assessments of international transfers of personal data.

Read

Data

Data Privacy: Preparing for 2023 (and beyond) in California

As 2023 approaches, a flurry of activity in California means big changes in the year ahead for data privacy. New obligations, an expanded scope of covered data, increasing enforcement, and scant regulations all mean it’s a good time for companies processing the personal information of California residents to make sure they’re prepared for the new year. Read ahead for insights into what’s coming and strategies for compliance, including Frequently Asked Questions.

READ

Data Centre Trends 2023

The data centre industry is poised for growth in 2023 due to increased demand from businesses. However, factors such as higher costs, a slowing economy, new capacity challenges and increased regulation due to sustainability concerns about energy and water consumption, will impact growth. The pandemic has fueled the growth of the global data centre market, projected to reach 235 billion euros by 2026 with a projected Compound Annual Growth Rate of 4.5%. Companies must consider the latest tech trends when selecting a data centre partner or colocation provider.

READ

Data

Monitoring in the workplace: direction of travel

Monitoring employees in the workplace is not new but the methods by which this is achieved, the workplace itself and relevant regulatory regimes are continually evolving. The UK's Information Commissioner's Office (ICO) has published for consultation draft Guidance on Monitoring at Work. Coincidentally, in the same week the international press reported a Dutch case in which the courts awarded an employee in the region of €75,000 after being dismissed for refusing an instruction to keep his webcam on for the entire duration he was logged on to his work PC.

READ

Data

Data Flows in a Modern World

Data flows are the lifeblood of trade in digital services. Despite this, a growing number of jurisdictions are restricting cross-border data flows and implementing localisation requirements, often in the name of data sovereignty. There are two facets to this issue: data localisation and data transfer regimes, which we consider in this article

READ

Tech

Digital trade: an evolving concept and legal landscape

The concept of "digital trade" does not have a universally recognised definition. It is commonly used to refer to both the online trade in goods and services and the physical trade in goods that is enabled though digital means (such as electronic customs clearance technology, enterprise freight management software or blockchain). For example, the OECD defines digital trade as "digitally enabled transactions of trade in goods and services that can either be digitally or physically delivered".

READ

Data

Beyond adequacy: working together to ease multi-jurisdictional privacy compliance

International trade in digital goods and services relies on the sharing of data across borders. As an increasing number of countries introduce and update data protection laws, complying with requirements across jurisdictions is becoming increasingly complex. Cross-border data governance is a significant, and seemingly ever-growing, cost of doing business.

READ

Data

The Data Act: A proposed new framework for data access and porting within the EU

The proposed Regulation seeks to redefine rules and practices on data access and use in order to foster data (re)use.

READ

Data

Next steps after U.S. President Biden issues Executive Order on U.S. data transfers from 'qualified states'

On 7 October 2022, U.S. President Joe Biden issued an Executive Order "On Enhancing Safeguards for United States Signals Intelligence Activities" (the Order) to effectuate the preliminary agreement between U.S. President Biden and European Commission President Ursula von der Leyen for promoting trans-Atlantic data flows. The Order does not establish a mechanism for transfers of personal data from the EEA to the U.S., but is expected to pave the way for an adequacy decision from the European Commission in due course, which would permit such trans-Atlantic personal data flows.

READ

Data

E-Privacy check-in: where we are, and where we're headed

Are we any closer to EU institutions reaching an agreement on the final regulation text

READ

Data

Colorado joins California and Virginia with a comprehensive data privacy law

The Colorado Privacy Act (CPA) will give Colorado consumers certain rights with respect to their personal data. The new law will go into effect on 1 July 2023

READ

Data

Connecticut Data Privacy Act Becomes Nation's Fifth State Privacy Law, Setting Stricter Standards

The Act is the latest stitch in the patchwork of state and federal privacy laws that is growing ever more complex. And as has become a trend, while the law shares many similarities with its counterparts in other states, the Act also has certain unique provisions that companies that do business in Connecticut will need to carefully consider before the law goes into effect on July 1, 2023

READ

Data

Utah Becomes Fourth State To Pass Consumer Privacy Act, First With Republican-Controlled House And Senate

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act into law, making Utah the fourth state to pass a comprehensive consumer privacy law

READ

US Lawmakers Release Draft of Comprehensive Federal Data Privacy Bill

On June 3, 2022, a coalition of lawmakers from the United States House and Senate released a discussion draft of the American Data Privacy and Protection Act ("ADDPA). The 64-page bill represents a crucial bipartisan and bicameral compromise1 to give Americans unprecedented rights over their data.

READ

One "Fine" Day? Insights from the first fine issued by the California Attorney General under the CCPA

On August 24, 2022, the California Attorney General (CAG) announced a $1.2 million settlement with Sephora to resolve allegations that the consumer goods retailer violated the California Consumer Privacy Act (CCPA) by failing to disclose to consumers that it was selling their personal information. The settlement is notable not only because it is the first civil penalty issued under the statute, but also because it confirms a broad interpretation of what constitutes a "sale" of personal information under the law and the requirement for websites to respond to global privacy controls.

READ

Virginia passes the Consumer Data Protection Act

2021 is projected to be a pivotal year in privacy legislation and the year is off to a fast start. On2nd March, the Commonwealth of Virginia became the first state to enact a comprehensive consumer privacy law in 2021. The Virginia Consumer Data Protection Act draws heavily from the California Consumer Privacy Act and the EU General Data Protection Regulation and will impose significant new obligations on certain companies that process personal information of Virginia residents. The new law will go into effect in 2023.

READ