UK Court of Appeal Rules that Exemptions to Access Rights are Construed Narrowly

Data Protection Report - Norton Rose Fulbright

Under the UK Data Protection Act 1998 (“DPA“), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR“). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the £10 maximum fee the data controller may charge dwarfs the cost of complying with the request.

On 16 February 2017, in Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW“), to comply with the Appellants’ DSARs. The Court’s order unanimously overturned the first instance decision, which had held that a data controller could refuse to respond to a DSAR on the basis that it would be costly or time consuming to do so, or because the data subject had made the DSAR in furtherance of litigation.

In this post we cover the key issues considered by the Court of Appeal, namely:

  • the extent of the DPA’s legal professional privilege exemption;
  • what amounts to “disproportionate effort” under the DPA; and
  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation.

Settlement of Target Data Breach Consumer Class Action Is Derailed On Appeal

The Eighth Circuit Court of Appeals last week reversed the district court’s approval of a settlement and settlement class in the consolidated consumer class action arising from Target Corporation’s 2013 security incident. This decision provided a new perspective on a persistent dilemma in the evolving law of data breaches: how to handle data breach victims whose data was compromised but not misused, and who therefore cannot show concrete monetary harm. Here, that issue has at least temporarily derailed a multi-million settlement of the last major lawsuit arising out of Target’s high-profile incident.

NIST Releases Internet of Things (IoT) Security Guidance

Late last year, the National Institute of Standards and Technology (“NIST”) released Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance was released following several highly-publicized distributed denial-of-service (“DDoS”) attacks in 2016 and is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices.

European Commission Publishes Proposal for the New e-Privacy Regulation

On 10 January 2017, the European Commission published the official proposal of the revised e-Privacy Regulation, which amends the current e-Privacy Directive. Many of the alarming changes that were included in the leaked December draft of the Regulation, which we covered, have been revised, resulting in a practical set of rules that align with the wider EU data protection framework. Below, we highlight key points in the official proposal.

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.

FDA issues final guidance on postmarket medical device cybersecurity

On December 28, 2016, the U.S. Food and Drug Administration (FDA) released final guidance on the management of cybersecurity vulnerabilities for marketed and distributed medical devices. The guidance establishes a risk-based approach for the reporting of medical device cybersecurity vulnerabilities to the FDA.

Identifying and Mitigating Data Privacy Risks in Vendor Contracts

Norton Rose Fulbright has teamed up with the global risk advisory company Willis Towers Watson to help provide their clients with the information they need to manage data privacy risks. In Willis Towers Watson’s Winter 2016 Cyber Claims Brief, Norton Rose Fulbright attorneys Dave Navetta and Matt Spohn worked with Willis Towers Watson Executive Vice President and cyber thought leader Adeola Adele to address the risks presented when companies contract with vendors to handle their sensitive data.

The collaborative article highlights the risks of providing vendors with personal data, and addresses common pitfalls in the vendor contracting process. It concludes with a list of considerations for such situations, such as:

  • Performing appropriate due diligence on a vendor’s data security practices, and its financial ability to satisfy its obligations in the event of a breach
  • Limiting the data provided to a vendor
  • Specifying prophylactic security measures to protect the data provided to the vendor
  • Properly addressing legal risks in the vendor contract, with special attention to the warranty, damage limitation, and indemnity provisions
  • Assessing whether to be named as an additional insured on the vendor’s cyber insurance policy, and coordinating any such coverage with existing coverage

Hong Kong Monetary Authority Announces Enhanced Competency Framework on Cybersecurity

On 19 December 2016, the Hong Kong Monetary Authority (“HKMA”) announced the launch of the Enhanced Competency Framework on Cybersecurity (“ECF-C”).

Article 29 Working Party Releases GDPR Implementation Guidance

On 15 December 2016, the Article 29 Working Party (WP29) issued guidelines and FAQs on the provisions in the General Data Protection Regulation (the GDPR) relating to data portability (Guidelines / FAQs), data protection officers (Guidelines / FAQs), and the lead supervisory authority (Guidelines / FAQs). WP29 will accept comments on these guidelines until the end of January 2017.

Leaked Draft of ePrivacy Regulation Published

Earlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the law up to date and to align it with other developments in European data protection law. We understand that the leaked draft is still under discussion (and may have been superseded). Nevertheless, the leaked draft may foreshadow what will be contained in the official draft, which sources at the International Association of Privacy Professionals (IAPP) say is expected to be released in January 2017. Based on the leaked draft, we expect that many technology companies and online advertisers will not be happy with the official draft.
