On 20 November 2024, the EU Cyber Resilience Act (CRA) was published in the Official Journal of the EU, kicking off the phased implementation of the CRA obligations.
What is the CRA?
The CRA is a harmonising EU regulation, the first of its kind focusing on safeguarding consumers and businesses from cybersecurity threats.
Continue Reading EU: Cyber Resilience Act published in EU Official Journal
On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) made a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.
The judgment is based on a personal
Continue Reading Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data
This is Part 3 in a series of articles on the European Health Data Space (“EHDS“). Part 1, which provides a general overview of the EHDS, is available here. Part 2, which deals with the requirements on the manufacturers of EHR-Systems under the EHDS, is available here.
This article provides an
Continue Reading EU: EHDS – Access to health data for secondary use under the European Health Data SpaceThe European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:
For many financial institutions, the emphasis on these obligations should not come as a
Continue Reading EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management
At the Legislative Council Panel on Constitutional Affairs held on 19 February 2024, the Privacy Commissioner (“Commissioner“) reported that the Office of the Privacy Commissioner for Personal Data was working with the Government to review the Personal Data (Privacy) Ordinance (“PDPO“) to strengthen personal data protection in Hong Kong. At the
Continue Reading Hong Kong: Updates to the Personal Data (Privacy) Ordinance put on hold
Déjà vu in the world of UK data law: the Labour government has proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill (“DUAB“). The DUAB follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection
Continue Reading UK: Data (Use and Access) Bill: newcomer or a familiar face?CFPB finalized the “Open Banking Rule” granting customers greater control over their personal financial data
Continue Reading US: CFPB Finalizes Open Banking Rule Under Section 1033: Key Takeaways for Accessing Consumer Financial Data
It’s the turn of South-East Asian countries to update their data protection laws. Here is our summary of the proposed new data protection laws in Vietnam, Malaysia and Indonesia. Organisations are advised to update their data protection compliance programmes as soon as possible to reflect these developments.
Vietnam
Vietnam issued its first draft of a
Continue Reading VIETNAM, MALAYSIA AND INDONESIA: what you need to know about the new SE Asia data protection laws
Planning and developing an effective communications strategy is a critical step in preparing for a cyber security incident. Last week, the UK’s National Cyber Security Centre published guidance on communicating with stakeholders before, during and after a cyber security incident. The guidance is published with organisations of all sizes in mind, and sets out three
Continue Reading UK: NCSC issue guidance on how to communicate effectively in a cyber incident
Today marks the deadline for EU Member State implementation of the Network and Information Systems Directive II (“NIS2“) into national law.
NIS2 is part of the EU’s Cybersecurity Strategy and repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like
Continue Reading EU: NIS2 Member State implementation deadline has arrived
