On 18 March 2024, the Information Commissioner’s Office (the “ICO“), issued its Data Protection Fining Guidance (the “Guidance“) on issuing fines under the UK General Data Protection Regulation (the “UK GDPR“) and the Data Protection Act 2018 (the “DPA 2018“). The guidance replaces the sections about penalty notices in the ICO’s Regulatory Action Policy which
Data Notes
Blog Authors
Latest from Data Notes
Cybersecurity law update – New Thai rules mandating baseline cybersecurity requirements for critical systems
The Thai National Cyber Security Committee of Thailand (“NCSC“) has released two notifications requiring critical information infrastructure operators (“CIIOs“)1 to implement baseline cybersecurity protection measures in their data and information systems to enhance their cybersecurity resilience.
These notifications are:
- Notification on standards in determining the security category for data or information systems (“Notification on
…
February Data Wrap: A snapshot of key regulatory developments
As envisaged in our predictions for 2024, close regulatory scrutiny of adtech looks unlikely to wane in 2024. 2023 saw multiple CJEU rulings resulting in Meta relying on three different lawful bases in quick succession when processing its users’ personal data for targeted advertising purposes. The year ended with Meta relying on consent and…
INTERNATIONAL DATA PRIVACY DAY: OUR PREDICTIONS FOR 2024
Happy (belated) International Data Privacy Day for Sunday!
And what better reason than that to explore what 2024 is likely to have in store for data and privacy?
We are just over one year on from the European Commission kick starting the process to adopt an adequacy decision for the EU-US Data Privacy Framework. Two…
Thailand’s New Legislation on Cross-border Transfer of Personal Data
On 25 December 2023, the long-awaited notifications of the Personal Data Protection Committee (the “PDPC”) on cross-border transfer of personal data were finally published on Thailand’s royal gazette.
These notifications are:
…
Oct / Nov / Dec Data Wrap: A snapshot of key regulatory developments
In a last-minute addition to this Data Wrap, after nearly three years of discussions and negotiation, political agreement has finally been reached in relation to the EU’s AI Act – the first major comprehensive regulation specifically in relation to artificial intelligence. While the text is not yet available, the key elements of the agreement are…
China Releases Draft Measures for Cybersecurity Incident Reporting
The Cybersecurity Administration of China (CAC) recently released a consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents (Measures), together with the Guidelines on Grading of Cybersecurity Incidents (Guidelines) and the Reporting Form of Cybersecurity Incident Information (Reporting Form). The drafts are open for public comment until 7 January 2024. Once effective, they will…
Greater Bay Standard Contract facilitates personal data transfers between nine Guangdong cities and Hong Kong
On 13 December 2023, the Cyberspace Administration of China and Hong Kong Innovation Technology and Industry Bureau jointly issued the Guidelines for the Implementation of Standard Contract for Cross-boundary Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland and Hong Kong) (“GBA Standard Contract”).
Personal data transfers within the Greater Bay Area…
Joint Statement from Data Protection Authorities on Data Scraping — a deeper dive: article published in Privacy and Data Protection Journal
The Privacy and Data Protection Journal has published an article by Duc Tran and Erin Bibb, which addresses the Joint Statement issued by the UK’s Information Commissioner’s Office (“the ICO“) in conjunction with eleven other national data protection authorities on data scraping practices and protecting privacy.
The Joint Statement served to remind organisations that publicly…
Saudi Arabia’s Personal Data Protection Law – What you need to know
We are pleased to share our latest article that provides a detailed overview of the Saudi Personal Data Protection Law (PDPL) which came into effect on 14 September 2023 and has a one-year grace period.
The PDPL has taken great strides to align the Kingdom’s data protection framework with international best practice, namely the General…