On 18 March 2024, the Information Commissioner’s Office (the “ICO“), issued its Data Protection Fining Guidance (the “Guidance“) on issuing fines under the UK General Data Protection Regulation (the “UK GDPR“) and the Data Protection Act 2018 (the “DPA 2018“). The guidance replaces the sections about penalty notices in the ICO’s Regulatory Action Policy which

The Thai National Cyber Security Committee of Thailand (“NCSC“) has released two notifications requiring critical information infrastructure operators (“CIIOs“)1 to implement baseline cybersecurity protection measures in their data and information systems to enhance their cybersecurity resilience.
These notifications are:

  • Notification on standards in determining the security category for data or information systems (“Notification on

Happy (belated) International Data Privacy Day for Sunday!
And what better reason than that to explore what 2024 is likely to have in store for data and privacy?
We are just over one year on from the European Commission kick starting the process to adopt an adequacy decision for the EU-US Data Privacy Framework. Two

On 25 December 2023, the long-awaited notifications of the Personal Data Protection Committee (the “PDPC”) on cross-border transfer of personal data were finally published on Thailand’s royal gazette.
These notifications are:

  • The PDPC Notification Re: Criteria on Protection of Personal Data transferred to third countries pursuant to Section 28 of the Personal Data Protection Act
  • In a last-minute addition to this Data Wrap, after nearly three years of discussions and negotiation, political agreement has finally been reached in relation to the EU’s AI Act – the first major comprehensive regulation specifically in relation to artificial intelligence.  While the text is not yet available, the key elements of the agreement are

    The Cybersecurity Administration of China (CAC) recently released a consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents (Measures), together with the Guidelines on Grading of Cybersecurity Incidents (Guidelines) and the Reporting Form of Cybersecurity Incident Information (Reporting Form). The drafts are open for public comment until 7 January 2024. Once effective, they will

    On 13 December 2023, the Cyberspace Administration of China and Hong Kong Innovation Technology and Industry Bureau jointly issued the Guidelines for the Implementation of Standard Contract for Cross-boundary Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland and Hong Kong) (“GBA Standard Contract”).
    Personal data transfers within the Greater Bay Area

    The Privacy and Data Protection Journal has published an article by Duc Tran and Erin Bibb, which addresses the Joint Statement issued by the UK’s Information Commissioner’s Office (“the ICO“) in conjunction with eleven other national data protection authorities on data scraping practices and protecting privacy.
    The Joint Statement served to remind organisations that publicly

    We are pleased to share our latest article that provides a detailed overview of the Saudi Personal Data Protection Law (PDPL) which came into effect on 14 September 2023 and has a one-year grace period.
    The PDPL has taken great strides to align the Kingdom’s data protection framework with international best practice, namely the General