Our London employment team is delighted to share the first edition of our quarterly HR Privacy newsletter keeping you updated with key cases, developments and trends in UK and EU-wide HR data privacy matters. This edition includes an interesting employment tribunal decision considering whether an employee had a reasonable expectation of privacy over her private Facebook posts, the latest guidance on data subject access requests and an update in relation to the EU-US Data Privacy…
On August 9, India’s Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) passed both houses of the Indian Parliament and now awaits Presidential assent. In 2017, India’s Supreme Court mandated that privacy is a fundamental human right. Since that time, India has been working to pass data protection legislation. The DPDP Bill is India’s fifth draft of the bill. The DPDP Bill only applies to the processing of digital personal data in India, where the personal…
On 6 July 2023, the United Kingdom (“UK”) became the first country to be granted Associate status in the Global Cross Border Privacy Rules (“CBPR”) Forum. In addition to the benefits of sharing best practices and pursuing interoperability with other privacy frameworks, the Global CBPR Forum seeks to establish and promote adoption of the Global Cross-Border Privacy Rules (CBPR) System and Global Privacy Recognition for Processors (PRP) System to facilitate data protection and free flow…
Brief refresher on the Children’s Code: In 2020, the ICO published its Age appropriate design: a code of practice for online services (the “Code”). The Code set out 15 standards applicable to information society services (“ISS”) aimed at or likely to be accessed by children, requiring the “best interests” of the child to be the primary driver of product and service design. We have published an article setting out the aims of the Code and…
The European Commission’s adequacy decision for the EU-US Data Privacy Framework (the ‘Framework’) still has a significant beneficial impact for companies even if they continue to rely on the EU Standard Contractual Clauses (‘SCCs’) for transatlantic data transfers instead of participating in the Framework due to the findings in the decision regarding updated US laws and practices. The decision confirms that the EU Commission considers the designation of the EEA as a qualifying organisation under…
Just a few weeks after California Attorney General Bonta announced an investigative sweep through inquiry letters sent to California employers, today the California Privacy Protection Agency (CPPA) announced a California Consumer Privacy Act (CCPA) review of data privacy practices by connected vehicle manufacturers and related technologies, focusing on embedded features including “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” In…
So far this year, three US states have passed laws with specific obligations related to consumer health privacy law: Washington, Connecticut, and Nevada. When it comes to California, the omnibus California Consumer Privacy Act (CCPA) applies also to the processing of health information. But, if the sectoral Confidentiality of Medical Information Act (CMIA) applies and is complied with, CMIA, and not the CCPA, applies. Most companies that do business in California are subject to CMIA,…
On 19 July 2023, the European Data Protection Board (EDPB) announced that it had adopted a statement on the European Commission’s first review of the functioning of the adequacy decision for Japan during its 82nd plenary meeting. The context In January 2019 the European Commission adopted an adequacy decision in relation to transfers of personal data from the EU to businesses in Japan. The adequacy decision means that EU standard contractual clauses are not required…
Background On 18 July 2023, the Information Commissioner’s Office (“ICO”) and Financial Conduct Authority (“FCA”) issued a joint statement in response to queries from some firms regarding whether UK data protection laws prevented sending communications to customers about better savings rates. In the joint letter, the ICO and FCA confirmed that data protection and direct marketing laws do not prevent organisations from sending such “regulatory communications”. Summary The joint letter reiterates the ICO’s existing direct…
On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024. In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and…