Antitrust and competition law aims to ensure fair competition and to protect against trade and commercial practices that may lead to unlawful restraints, monopolies, or unfair business practices. There is a growing focus on anti-competitive acts in digital markets and on the protection of users' privacy.
The recent proliferation of Artificial Intelligence has seen many jurisdictions introduce specific AI laws and frameworks. These typically focus on governance, classification, development, training, assessment, transparency, and risk management.
Biometric data generally refers to the physical, physiological, and/or biological characteristics of an individual. Due to the sensitive nature of biometric data, many jurisdictions classify such data as sensitive or special category data and have adopted specific rules on its processing and use.
Laws in various fields, such as privacy and cybersecurity, impose breach notification obligations on organizations meeting the relevant thresholds. While requirements vary globally, legislation may stipulate when notification is required, in what format, to whom, and within what timeframe, and may also detail the content to be included in the notification.
Generally, data protection and privacy legislation afford children special protection regarding the processing of their personal data as they are deemed unable to fully understand the risks associated with data processing activities.
Consent generally signifies an individual's agreement to the processing of their personal data and in many jurisdictions is recognized as a legal basis for data processing. Key elements of valid express consent are that it is clear, freely given, specific, informed, unambiguous, and given by an affirmative action.
Cookies are used for a variety of purposes, including platform functionality, performance, and increasingly, behavioral tracking and advertising. Cookie consent management covers the requirements and conditions for valid consent, cookie information requirements, cookie walls, and the duration of consent itself.
Critical infrastructure refers to systems, services, and assets deemed crucial for society's functioning. While definitions may differ, these primarily include energy, national security, transportation, public health, and financial services. Many jurisdictions have issued specific measures and enhanced security requirements for providers of such services to protect critical infrastructure from a range of threats.
Cybersecurity laws impose obligations on various actors, including network and information systems operators, critical information infrastructure operators, and cloud computing service providers. Requirements in this field focus on technical and organizational security measures, incident notification, registration, and the appointment of a security officer.
Data residency refers to requirements that information be stored within the geographic boundaries of a jurisdiction. Data residency is a subset of data transfer obligations and often resides within sectoral legislation such as cybersecurity, finance, and public law, in addition to data protection and privacy legislation.
Data retention relates to the minimum and maximum storage periods for different types of data records. Requirements in this area may derive from statutory requirements as well as recommendations set out by regulatory authorities. Several jurisdictions also outline procedures for secure data retention and storage.
Increasingly, laws are imposing restrictions on the cross-border transfer of personal information to ensure data protections are maintained across jurisdictions. Data transfer restrictions provide specific mechanisms through which personal data can be transferred outside of a jurisdiction including adequate protection (whitelists), Standard Contractual Clauses (SCCs), intra-group agreements, and/or consent.
Direct marketing laws and guidance commonly outline requirements for valid consent, exceptions to obtaining consent, and national mechanisms for opting out of marketing, including Do-Not-Call registries. In some cases, data protection and privacy laws apply in addition to industry-specific advertising laws.
Employee monitoring refers to the surveillance of employees in the workplace. Many regulators have imposed rules around notification, consent, and limits on the location and types of monitoring that can take place, and several jurisdictions impose further restrictions on the use of consent in the employment context due to the imbalance of power between employees and employers.
Employment data legislation applies to data processing during recruitment and selection, the use and maintenance of employee records, and the retention of employee data after employment. Legislation may impose specific restrictions and/or prohibitions on the processing of certain types of data, such as sensitive or criminal data, and accounts for the special nature of the employee-employer relationship.
Enforcement focuses on regulatory actions taken by authorities and courts with jurisdictional power to enforce data protection laws and regulations. Such authorities include data protection authorities as well as sectoral regulators that govern data protection under sector-specific laws. Enforcement can take various forms, including investigations, the issuance of fines, corrective measures, case law, and/or court decisions.
Environmental, social, and governance (ESG) refers to three central factors in measuring the impact of an organization's policies and processes. ESG covers a broad range of topics, from board and workforce diversity to carbon emissions, to bribery and corruption. ESG may also encompass the environmental and governance programs related to privacy and cybersecurity risks.
Privacy by Design refers to the concept and practice of integrating privacy into the design and operation of systems, products, and services from the very beginning; whereas Privacy by Default signifies the practice of ensuring that default settings provide the highest privacy protection.
Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) are often used interchangeably to refer to the process of identifying privacy and security risks within processing activities and evaluating their impact on individuals. Many jurisdictions have developed specific requirements for when and how such impact assessments must be carried out.
A privacy notice is an external statement provided by an organization informing individuals about the types of data collected, how the data is processed, with whom it is shared, and the privacy rights of individuals. The provision of privacy notices usually forms part of the transparency obligations placed on controllers by applicable privacy laws, with several jurisdictions specifying which information must be provided to individuals.
Privacy laws generally contain baseline obligations and rights such as legal bases for processing, data protection principles, controller and processor obligations, data subject rights, and penalties. The privacy landscape within a given jurisdiction generally derives from enacted or draft data protection and privacy laws as well as data protections provided within sector specific legislation.
In many jurisdictions, privacy and data protection laws grant individuals privacy rights (or data subject rights). Detailed guidelines and requirements on the processes for exercising and fulfilling privacy rights have also developed, such as the imposition of fees, relevant forms, and exceptions, as well as applicable deadlines.
Processing activities refer to any operation or set of operations performed on personal data, such as collection, storage, use, or deletion. This includes both automated and manual processes involving personal data. Many jurisdictions have enacted laws and guidance to clarify the scope of processing activities, as well as the compliance requirements for general and specific processing activities.
Standards and frameworks can be issued by supervisory authorities as well as by international standards bodies such as the International Organization for Standardization (ISO). They help develop global regulatory systems and provide practical methods for implementing governance or management systems within different sectors.
Vendor management involves overseeing third-party or service providers to ensure they process personal data in compliance with the applicable privacy laws and security standards. Several jurisdictions have issued requirements on due diligence in vendor selection as well as vendor risk assessments, and ongoing monitoring of vendor activities.
Whistleblowing refers to an act, usually by an employee, that exposes some form of wrongdoing, such as unethical, illegal, or improper conduct within an organization. Reporting is usually carried out in the public interest and often concerns the wrongdoing of public authorities or senior management. Due to the risks that whistleblowers can face, many jurisdictions have enacted laws to protect them.