Thai privacy regulator announces enforcement of PDPA breaches

On 24 November 2023, the Thai privacy regulator, Personal Data Protection Committee (the “PDPC”) issued a press release for the first time that they are taking enforcement action under the Thai Personal Data Protection Act B.E. 2562 (2019) (the “PDPA“) for non-compliance with the PDPA by a Thai insurance company in relation to its handling … Read more

Insights on outsourcing and other lessons from a data breach – the UK FCA perspective

On 13 October 2023, the UK FCA published its Final Notice to Equifax Ltd, the UK subsidiary of US company Equifax Inc, in relation to a major 2017 data breach which affected over 13.7 million UK consumers. The FCA determined that Equifax Ltd had breached Principles 3, 6 and 7 of its Principles  and imposed a fine of over £11m. The firm agreed to resolve the matter and so qualified for a 30% discount for early settlement. The FCA's Final Notice helps to explain the rationale behind the UK regulatory authorities developing and enhancing the operational resilience regime in 2019. It also highlights some particular pitfalls in managing intra-group outsourcings effectively. Read more

New sector-specific data privacy requirements for telecom operators in Thailand

On 4 September 2023, the National Broadcasting and Telecommunications Commission (“NBTC“) Notification regarding Measures to Protect Rights of Telecom Service Users relating to Personal Data, Privacy Rights and Communication Freedom in Telecom B.E. 2566 (2023) (the “Notification“) was gazetted and came into force on the same day. What is the Notification about? The Notification imposes … Read more

India’s new data protection law: How does it differ from GDPR and what does that mean for international businesses?

On August 11, 2023, India’s long-awaited general personal data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally enacted. Governing the world’s fifth largest economy and one of its fastest growing digital markets, the DPDPA will be of importance to a large number of international businesses that operate in India, rely on … Read more

China relaxes measures on cross-border data transfers from China

The Cyberspace Administration of China (CAC) has released draft provisions which will relax the current requirements on cross border data transfers. The draft provisions set out exemptions from the need to comply with one of the three transfer mechanisms that would otherwise be required, namely (i) CAC assessment (ii) China’s standard contract or China standard … Read more

Common Concepts In The Data Protection Laws Of India And Singapore

India’s omnibus data protection legislation, the Digital Personal Data Protection Act, 2023 (“India’s DPDPA”), was passed and gazetted in August 2023. Notably, it shares several common concepts with Singapore’s Personal Data Protection Act 2012 (“Singapore’s PDPA”), some of which are not readily found in other laws including the European Union’s General Data Protection Regulation (“GDPR“). … Read more

July Data Wrap: A snapshot of key regulatory developments

As mentioned in a last-minute entry to our June Data Wrap, on 10 July 2023, the European Commission adopted its long-awaited adequacy decision for the EU-US Data Privacy Framework (“DPF“), determining that data transfers pursuant to the DPF benefited from an adequate level of data protection. This means that personal data can now freely flow … Read more