UK: ICO announces first ‘mega fines’ for data breach under GDPR

In the last couple of days, the Information Commissioner’s Office has issued two notices of intent to impose the first ‘mega fines’ under the GDPR regime for data breaches by British Airways (for £183.39 milion) and Marriott International (for £99.2 million).  Both companies now have the chance to respond to the notices of intent, after … Read more

Hong Kong: Data Access Request or Pre-Action Discovery in Disguise?

Employers control the extent of information that they provide employees – from how well they are meeting KPIs, to internal discussions about grievances, remuneration and disciplinary actions. In the majority of cases, employers have no obligation to provide to employees information setting out the basis for remuneration or disciplinary outcomes including information which is part … Read more

Compliance Check: China – changes to how employers handle personal data

The Chinese Cybersecurity Law (CSL) introduced in 2017 is the nation’s first comprehensive privacy and security regulation for cyberspace, setting out strict controls on companies operating in China over their online activities, data storage and handling of personal information. The National Standard (GB/T 35273–2017) provided detailed guidance on the collection, use and storage of personal … Read more

UK: DSAR ruling confirms that descriptions of the purposes of processing and recipients of personal data can be general, but actual identity of sources must be provided

The recent High Court judgment in Rudd v Bridle & J&S Bridle Ltd provides some useful guidance on subject access requests under the Data Protection Act 1998 (equally relevant to the new GDPR regime). Dr Rudd, a medical expert on exposure to asbestos, was the subject of a campaign by a lobbyist for the asbestos … Read more

France: Recent and Upcoming Labour Reforms

Several important employment law reforms have come into force recently or will come into force shortly, both at the EU and French level. Below are some of the changes to expect for 2019: Read more

EU: draft guidelines on GDPR extra-territoriality published

On 23 November 2018, the European Data Protection Board published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation. The GDPR seeks (via Article 3) to extend its reach beyond European borders, making non-EU organisations directly subject to its obligations when processing … Read more