Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.Continue Reading Key Takeaways from the Irish Data Protection Commission’s decision on Meta Data Transfers

On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organizations to freely transfer personal data that is subject to the GDPR to participating organizations in the U.S.Continue Reading EU-U.S. Data Privacy Framework

Following the lead of California, Virginia, Colorado, Connecticut and Utah (as previously discussed here, here, here, here and here respectively), on March 29, 2023, Iowa passed the Iowa Consumer Privacy Act (the “ICPA”), creating compliance obligations for businesses that collect and process personal data of Iowa residents and providing such residents more control over their data. The ICPA will go into effect on January 1st, 2025.Continue Reading Iowa Becomes the Sixth State to Enact a Comprehensive Privacy Law

On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry.  The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. Continue Reading Irish Data Protection Commission’s decisions regarding Facebook and Instagram

On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).Continue Reading The Draft Adequacy Decision on the EU-US Data Privacy Framework

On 24 November 2022, the UK government announced its adequacy decision for the Republic of Korea, which will allow UK organizations to share personal data with Korean organizations more freely under the UK General Data Protection Regulation (“UK GDPR”).Continue Reading The United Kingdom and the Republic of Korea Finalize Data Sharing Agreement

The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”).  The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.
Continue Reading UK ICO Issues Draft Guidance on Monitoring at Work