Support Centre



Organisations are increasingly focused on Environmental, Social, and Governance ('ESG') and sustainability in an effort to highlight non-financial considerations that have long-term impacts on shareholder and stakeholder value. By engaging in ESG initiatives, organisations can demonstrate to investors, regulators, and stakeholders their commitment to being good corporate citizens while also increasing the bottom line on their balance sheet. Given the number of new regulations around ESG disclosures and ESG reporting frameworks, Sarah Hutchins, Robert Botkin, and Noah Ganz, from Parker Poe Adams & Bernstein LLP, provide three key areas to focus on to potentially improve your organisation's ESG score as it relates to data privacy.

The International Organization for Standardization ('ISO') announced, on 25 October 2022, that it had updated its standard ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection - Information security management systems -Requirements ('ISO/IEC 27001:2022'). Gustavo Bethular and Sofia Grassi, from RCTZZ, discuss specifics around the implementation of ISO/IEC 27001:2022, its scope, and benefits for organisations.

The European Commission published, on 13 December 2022, its draft adequacy decision for the EU-US Data Privacy Framework1 ('EU-US DPF'), aimed at fostering safe data flows and addressing concerns raised by the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). OneTrust DataGuidance provides an overview of the draft decision including its impact on companies moving forward, with expert comments from Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, David Dumont, Partner at Hunton Andrews Kurth, and Mark Francis, Partner at Holland & Knight LLP.

Consent is, in any context, a challenging concept. At the intersection of marketing and data privacy, what the law attempts to do is distil the expectations into clear requirements. In this Insight article, Joanna Kennedy, Director, Marketing & Communications at the Performance Review Institute and Group Data Protection Officer at SAE Group, outlines some of the key considerations to bear in mind when looking at consent for marketing.

On 7 October 2022, the U.S. Department of Justice's ('DOJ') Office of the Attorney General ('AG') published regulations ('the Regulations') establishing a Data Protection Review Court ('DPRC') within the DOJ1. Hannah Schaller, Jacob Sommer, and Mason Weisz, from ZwillGen PLLC, give an overview of the Regulations, touching on the function and structure of the DPRC and its review process, as well as key considerations for businesses.

On 7 October 2022, Joseph Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), which directs the steps that the US will take to implement its commitments under the European Union - U.S. Data Privacy Framework ('EU-US DPF'). Mark Francis, Partner at Holland & Knight LLP, traces the history of EU-US data transfer frameworks, and discusses the EU-US DPF and how it will impact businesses.

As the metaverse is being accessed by means of an avatar and, in some cases, by means of technologically advanced devices, the avatar and these devices can be regarded as the 'keys' to the metaverse environment. However, this poses specific data integrity risks for the end-user's personal data, as well as privacy-related ethical challenges related to specific categories of end-users, such as children1.

Therefore, in part one of this two-part Insight series, Danique Knibbeler, Max Mohrmann, and Sarah Zadeh, from NautaDutilh N.V., focus on the data integrity risks and ethical challenges related to the end-user and its avatar and discuss potential remedies in this regard.

The US is close to adopting a national privacy and data protection law that could impact how your business operates as it considers approving the American Data Privacy and Protection Act ('ADDPA'). This article looks at the differences (and similarities) between the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the ADDPA, and calls out those items that Australian business should be aware of if it interacts with US citizens and residents. The ADPPA and the GDPR are different, so it will be prudent for businesses and organisations to understand how their obligations may differ from GDPR. Katherine Sainty and Aisling Hamilton, from Sainty Law, discuss how the ADPPA may affect businesses, and how its provisions compare to those of the GDPR.

Since the invalidation of the EU-US Privacy Shield following the Schrems II Case, organisations have been required to find alternative mechanisms for personal data being transferred from the EU to the US in order to ensure an essentially equivalent level of protection is provided. However, following several months of negotiation, on 7 October 2022, the President Joe Biden, signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities1 ('EO')  which outlines how the US plans to implement its commitments under the European Union-US Data Privacy Framework ('EU-US DPF'). This constitutes a significant next step towards reinstating an adequacy decision from the European Commission, which would facilitate the transatlantic flow of personal data between the two regions.

Whilst reactions and questions surrounding the protections provided by the EO arise, OneTrust DataGuidance provides an outline of the main provisions of the EO, with comments provided by David Dumont, Partner at Hunton Andrews Kurth, and Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP.

Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Samara Schuch and Debora Batista Araújo, from Schuch & Araújo Specialized Law Firm, provide a comparison between the frameworks in both Brazil and Chile, and discuss the challenges and successes of both.

The Southern African Development Community ('SADC') is one of the thriving regional economic blocks on the African continent which has taken steps to support and enable the flow of personal data in the region. In this article, Melody Musoni, an independent privacy professional, discusses data protection laws and provisions on cross-border data flows in countries in Southern Africa, with a particular focus on Botswana.

The American Data Privacy and Protection Act1 ('ADPPA'), whilst still under review, has many similarities with existing privacy legislation, including Australia's Privacy Act 1988 (Cth) ('the Privacy Act'). Katherine Sainty and Aisling Hamilton, from Sainty Law, provide an introduction to some of the main features of the ADPPA, as well as a glance into how the ADPPA compares with the Privacy Act.