Data Protection

Chinese Government recently enhanced the regulations on mobile apps’ data processing through new regulations and active law enforcement actions . On March 22, 2021, Cybersecurity Administration of China (CAC) jointly with other government authorities issued Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which defined the scope of necessary personal information for 39 common types of apps and prohibited the operators of the apps from collecting “unnecessary” personal information from the users. Since the Regulations come into effective as of May 1, 2021, CAC has released four announcements on a total number of 351 apps with irregularities in personal information processing activities. In this articles, we summarized the trends reflected in those recent law enforcement actions of CAC and provided several key points on the compliance works for personal information protection in the development and operation of Apps.
On June 10, 2021, China's National People’s Congress Standing Committee passed the Data Security Law (DSL). The DSL will become effective as of September 1, 2021, leaving less than three months for companies to adapt to the new data security regime. Garrigues has been closely following the legislative process of such law and we hope this article will help you to better understand the key contents of the DSL and its major implications on your business.
China’s data protection authorities have strengthened the regulations on personal information processing activities of mobile internet applications (App). Since May 1, 2021, in the law enforcement campaigns against over collection and coercive collection of personal information by Apps, a total number of 222 Apps have been ordered to be removed from App stores. On April 26, 2021, Communications Administration of Ministry of Industry and Information Technology of China released the Interim Provisions on Administration of Personal Information Protection of Mobile Internet Applications (Draft for Public Comment) (Provisions) seeking for public opinions. The Provisions detailed the compliance requirements on the personal data protection for Apps and provided policies and standards reflected in the recent law enforcement proceedings comprehensively for the first time.
China recently published the second version of the draft Data Security Law (DSL) with the purpose of seeking public opinions. According to the legislative plan of its legislative authority, China will formally enact the DSL within 2021. Hence the legislative authority is expected to perform a final review on the DSL and then pass the bill into law in the next few months. Considering the immediate and significant implications of the DSL on the PRC data protection and data security legal regime, in this article we provide you with some highlights of this new version of DSL (New Version of DSL).
China published the second version of its draft Personal Information Protection Law (PIPL) recently to seek public comments until May 28, 2021. Most of the articles of the previous draft PIPL have been maintained in this second draft (Second Draft) but there are important modifications made to address the new challenges to the personal information protection. Here we summarize the highlights in the Second Draft. 
The Council of the European Union announced yesterday in a press release that Member States have agreed at negotiating a mandate for the revision of the rules on the protection of privacy and confidentiality in the use of electronic communications services, which include rules on the processing of metadata, the use of cookies and the sending of marketing communications.
On International Data Protection Day, the Spanish Data Protection Agency (AEPD) honored Foundation 29 as one of the two recipients tying for the Award for Proactivity and Best Practices in comply with the General Data Protection Regulation and the Spanish Law on Personal Data Protection and the Safeguard of Digital Rights (Category A) for its project HealthData 29 Playbook, a guide to creating a public data repository of health systems, in which Garrigues advised.
On November 13, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados or CNPD) issued guidelines on the processing of health data regulated under Decree no. 8/2020, dated November 8, in particular, on the processing of health data carried out  within the scope of (i) body temperature measurements in controlling access to workplaces, services or public institutions, education and commercial establishments, cultural or sports spaces, means of transport, residential buildings, healthcare establishments, prison establishments or centers of education and (ii) the performance of SARS-CoV-2 diagnostic tests to the data subjects listed in the aforementioned decree.
Last week, the British journalist Martin Bryant revealed through his blog that he has brought a class action before the High Court of England and Wales representing seven million guests residing in England and Wales. The purpose was to obtain compensation due to the loss of control of personal data suffered as a result of a data breach which took place between 2014 and 2018, through which there was unauthorized access to the reservation database of the Starwood Group (since acquired by the Marriott Group), including, inter alia, passport numbers, dates of birth and possibly credit card details.