Data Dive
Written and curated by a multidisciplinary group of attorneys, Data Dive delivers key insights on cybersecurity, privacy and other data-related topics impacting organizations across the globe.
Search Results
The Implementing Regulations of the Personal Data Protection Law and the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom (together, the Regulations) were recently issued by the Saudi Authority for Data and Artificial Intelligence. We set out in this post the key features of the Regulations.
On August 7, 2023, the Commissioner of Data Protection of the Dubai International Financial Centre (the DIFC), a financial free-zone in the United Arab Emirates, issued the first adequacy decision regarding the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the CCPA), recognizing the essential equivalence of the CCPA with the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended, the DIFC DPL). Importantly, the issuance of the decision helps to facilitate the transfer of data between the DIFC and entities based in California in accordance with the DIFC DPL without requiring such entities to apply additional contractual measures. Furthermore, the Commissioner’s press release expressly notes that the issuance of the adequacy decision may serve as a precedent for the DIFC establishing a similar relationship with other U.S. states. California is now one of 49 countries, jurisdictions or organizations subject to an adequacy decision by the DIFC (the full list can be found here).
Amendments to the Kingdom of Saudi Arabia (KSA) Personal Data Protection Law (PDPL) were recently approved by the KSA Council of Ministers. Constituting the country’s first comprehensive national data protection legislation, the PDPL becomes effective in September 2023. As the effective date approaches, businesses required to comply with the new PDPL should start examining their data processing activities, including any cross-border data transfers, to ensure timely compliance with the PDPL.
On Tuesday, December 13, the European Commission initiated its long-awaited process towards the adoption of an adequacy decision for the European Union (EU)-U.S. Data Privacy Framework (EU-U.S. DPF), which aims to address the concerns raised by the Court of Justice of the EU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework in 2020.
On November 20, 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation (which is open until December 20, 2022) on its proposed amendments to the Personal Data Protection Law (PDPL). Previously, on September 24, 2021, the Kingdom of Saudi Arabia published the long-anticipated PDPL pursuant to Royal Decree M/19 of 9/2/1443H, constituting the country’s first comprehensive national data protection legislation; although the PDPL was due to become effective on March 23, 2022, on March 22, 2022, SDAIA announced that it had decided to postpone the full enforcement of the PDPL to March 17, 2023, and, in collaboration with the National Data Management Office, further issued the Draft Executive Regulations supplementing the PDPL. The issuance of these draft regulations on March 10, 2022, was followed by a period of inactivity (and it is likely such regulations will be updated once the amendments to the PDPL are finalized) such that the launch of the public consultation now revives focus on the PDPL. The proposed amendments (the “Amendments”) contain significant changes to the prior version of the PDPL, including:
The European Parliament has reached agreement on the text of the Digital Services Act (DSA). The DSA is new legislation that will require certain providers of online services to comply with new obligations in order to ensure online safety and to prevent the spread of illegal content. The practical effects of the legislation will likely include increased compliance costs for businesses, possible organisational/personnel changes at a compliance level and increased accountability to relevant authorities.
The U.S. Department of Commerce implemented new U.S. export controls applicable to “cybersecurity items” based on an interim final rule published by BIS. The change introduces new, narrowly tailored restrictions designed to minimize disruptions to legitimate cybersecurity activities. This post summarizes the key takeaways for affected companies.
The ground-breaking draft European Union Act on Artificial Intelligence (AI), which has far-reaching implications beyond Europe (see here), is currently going through the legislative procedure of the European Parliament and Council. The draft AI Act is extraterritorial, sector-agnostic, carries steep noncompliance penalties and applies to multiple stakeholders across the AI value chain, including users and providers. It is the world’s first attempt at comprehensive regulation of AI and it may well become the global standard. Adopting the AI Act is one of the priorities of the European Commission.