Autumn 2023 Global Privacy Highlights

UK-US data bridge

The UK-US data bridge, an extension of the EU-US DPF (Data Privacy Framework), entered into force on 12 October, allowing easier transfer of personal data from the UK to US organisations certified under the DPF.


Switzerland’s nFADP (New Federal Act on Data Protection) came into force on 1 September, which better aligns Swiss privacy law with the UK and EU GDPR. Only data of natural persons is now covered by the nFADP.

Quebec, Canada

An amendment to the Act respecting the protection of personal information in the private sector (Quebec Privacy Act) introduced new obligations from 22 September. These include the requirement for well-documented policies and procedures around privacy, privacy impact assessments, data processing agreements, additional consent requirements, anonymisation and retention.

UK: first GDPR appeal to reach Upper Tribunal dismissed – civil standard of proof applies to ICO penalties

In 2018, Doorstep Dispensaree, a pharmaceutical company, left 47 crates of documents, including prescriptions and medical admin records, unsecured in a courtyard. The organisation was subsequently fined by the ICO. At an Upper Tribunal appeal, Doorstep Dispensaree argued that the ICO should have the burden of proof (criminal burden of proof, which is a higher level of proof).

However, the Upper Tribunal did not agree, and its judgement was in line with the current position that UK GDPR monetary penalties are administrative in nature.

China intends to make cross-border transfers of personal information simpler

The Chinese security regulator (CAC) has released new draft regulations intended to make privacy compliance easier and less costly. They will also make data transfers less burdensome and are especially beneficial to multinationals as they contain exemptions from certain statutory requirements such as certification for personal information transfers to other countries.

These exemptions include non-People’s Republic of China original information, information necessary for contracting with a party, employee data transfers to HR departments, processor transfers involving less than 10,000 records, and outbound transfers necessary for the protection of life, health and property.

Jordan issues first data protection law

Jordan’s first comprehensive national legislation (PDPL) relating to the collection and processing of personal information was published in its Official Gazette on 17 September.

Argentina updates standard contractual clauses

Argentina has updated its standard contractual clauses for international transfers of personal data to improve compliance with the principles of personal data protection and improve its economic viability. This is also a positive step closer to more standardised standard contractual clauses globally.

Irish Data Protection Commission fines TikTok

The Data Protection Commission has fined TikTok €345 million for violating the GDPR. This mainly related to its handling of minors’ accounts and for its failures to adequately protect child users’ personal data from public visibility.

Our approach to data privacy

You can find the support you need to get started with GRCI Law’s Privacy as a Service solution.

We will provide guidance on everything from GDPR compliance monitoring and data breach notification to data privacy management and DSARs (data subject access requests).

With the help of our team of experts, you will be equipped to prevent costly data breaches and GDPR fines.

Contact us to find out more