Category

Data Privacy

The UK’s Information Commissioner’s Office (ICO) has launched a public consultation on its draft guidance on data privacy transparency in the health and social care sector. The proposed guidance emphasises the importance of going beyond the legal requirements of the GDPR in order to build trust with patients, and builds on themes of openness, honesty and patient engagement. The consultation is open until 7 January 2024, and is essential reading for tech companies providing services…

The Information Commissioner’s Office (ICO) has released its ICO Audit a Year in Focus. This report outlines the ICO’s regulatory activities and rulings over the last year and provides crucial insights for data protection officials. The takeaways below make clear the current Commissioner’s approach of prioritising the areas where the impact on individuals will be felt most. As we will see, for the outgoing year that is the protection of children’s data. Here are the key points…

The World Health Organization (WHO) has released a publication outlining key considerations for regulation of artificial intelligence for health. This follows the EMA’s Consultation on the use of Artificial Intelligence (AI) in the medicinal product lifecycle, which is open for public consultation until 31 December 2023 (see our post here for more information). This aims to promote dialogue among stakeholders, including developers, regulators, manufacturers, health workers and patients. The WHO focuses on six key regulatory considerations on…

Employee monitoring has become common practice for many employers in the UK. Monitoring is often part of an organization’s security procedures to secure personal information or prevent loss of property, and is often deployed for health and safety reasons; companies may even have to monitor employees to comply with legal requirements (for example, in the financial services sector). Increasingly, employers are monitoring employee office attendance as many organisations are requiring their staff back into the office…

In Brief: On September 29, 2023, China’s primary data protection regulator, the Cyberspace Administration of China (“CAC”), proposed new rules for cross-border data transfers from China (the “Draft Rules”). If implemented as written, the Draft Rules, which are currently subject to public comment through mid-October, will significantly roll back requirements for many US and multinational organizations. There is no specific deadline for adoption, but it is expected prior to November 30, 2023, which is the…

*Article originally posted on Law.com authored by Cassandre Coyer at LegalTech News.* This summer marked a key development in the history of data transfers between the U.S. and European Union when the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework after two prior invalidated agreements. But whether that milestone is translating to a wave of companies registering to get certified under the new framework is less apparent. Given the looming possibility of a Schrems…

As we previously covered in a post earlier this month, the California Privacy Protection Agency (“CPPA”) has published draft regulations on risk assessments and cybersecurity audits required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). On September 8, the CPPA held a public board meeting that included discussion of select portions of the regulations. Prior to the meeting, the board circulated copies of the draft regulations for…

With the passage of the Data Protection (Adequacy) (United States of America) Regulations 2023 (Adequacy Regulation), the UK government has made good on its intention to establish a data bridge with the US. This follows the commitment-in-principle reached by President Joe Biden and UK Prime Minister Rishi Sunak on June 8 2023, when the EU-US Data Privacy Framework (“DPF”) was still being evaluated by the European Commission under the EU GDPR. With the DPF’s completion and…

According to Article 40.1 of the GDPR, the national supervisory authorities in the European Economic Area shall “encourage the drawing up of codes of conduct intended to contribute to the proper application” of the GDPR. A prerequisite for codes of conduct to be prepared by Swedish associations and bodies, which represent categories of personal data controllers or processors, is that the Swedish Data Protection Authority (IMY), pursuant to Art. 41 GDPR, establishes the requirements that…

In Brief: On September 11, 2023, Delaware Governor John Carney signed the Delaware Personal Data Privacy Act (HB 154) into law, making Delaware the twelfth US state to pass a consumer privacy law (and the seventh in 2023 alone). Like Connecticut, Colorado and Indiana, Delaware’s new law occupies a middle ground between detailed privacy regimes like the California Consumer Privacy Act (CCPA, as modified by the California Privacy Rights Act) and more business-friendly mandates like…