On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing personal data.
UK Government Sets Out Sector-Specific Vision for Regulating AI
The UK Government recently published its AI Governance and Regulation: Policy Statement (the “AI Statement”) setting out its proposed approach to regulating Artificial Intelligence (“AI”) in the UK. The AI Statement was published alongside the draft Data Protection and Digital Information Bill (see our blog post here for further details on the Bill) and is…
Inside Privacy Audiocast: Episode 19 – New China Draft SCCs: How to Manage Your Cross-Border Data Transfers
On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.
This audiocast episode is repurposed from a…
Ireland Expands Leadership Structure of Data Protection Commission

The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair. The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes…
A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.
The Bill is 192 pages, and contains…
California Privacy Protection Agency to Hold Special Meeting to Discuss Proposed Federal Privacy Legislation
The California Privacy Protection Agency (“CPPA”) announced it will hold a special meeting on July 28, 2022 at 9 a.m. PST to discuss and potentially act on proposed federal privacy legislation, including the bipartisan American Data Protection and Privacy Act (“ADPPA”) (H.R. 8152). The ADPPA is a comprehensive data privacy bill that advanced through…
UK and U.S. Governments set a date for the entry into force of the UK-U.S. CLOUD Act Agreement

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022,…
China Imposes $1.2 Billion Fine for Data Violations
On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law. In addition,…
CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard
On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard. “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes, ‘cryptographic algorithms or methods that are assessed not…
China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-waited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) were released by the Cyberspace Administration of China (“CAC”). With a very tight implementation schedule, the Measures will…