Canada Passes Legislation Protecting Genetic Information

Data Protection Report - Norton Rose Fulbright

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Specifically, the Act prohibits any person from requiring an individual to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services to, entering into or continuing a contract or agreement with, or offering specific conditions in a contract or agreement with, the individual. Contravention of the Act is punishable by significant fines and even potential imprisonment. There are express exceptions for health care practitioners who are providing health services to patients and researchers who are collecting information from participants in medical, pharmaceutical or scientific research.

New York Event: Cybersecurity Developments in Asia

The past year has seen data breaches in the headlines for Asia-based companies and the continued strengthening of privacy and security laws in this region. Please join us for a panel discussion at our New York office on Friday, April 21, 2017, regarding cybersecurity developments in Asia, including China’s new cybersecurity law that comes into effect in June.

This presentation will focus on:

  • The overall privacy and cybersecurity landscape in Asia
  • Recent developments in laws, focusing on China, Hong Kong, and Singapore
  • Navigating the legal landscape and building trust

Speakers:

  • Stella Cramer, Co-head of Asia Technology & Innovation, Singapore
  • Anna Gamvros, Co-head of Asia Technology & Innovation, Hong Kong
  • Boris Segalis, Partner; Co-Chair, Data Protection, Privacy & Cybersecurity, US Norton Rose Fulbright

Date and time:

Friday, April 21, 2017

  • 8:30 a.m. Registration and breakfast
  • 9:00 a.m. Program begins
  • 10:00 a.m. Program adjourns

Location:

Registration:

  • Click here to RSVP.

Continuing legal education:

We have applied for 1.0 hour of New York CLE credit.

For this event, Norton Rose Fulbright is responsible for obtaining CLE accreditation for New York state. If you have questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator.

Singapore legal update: Firm warned for WhatsApp personal data disclosure

On 21 March 2017, Singapore’s Personal Data Protection Commission issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.

A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.

The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act if the relevant individual has not consented to the disclosure. It is a reminder that all forms of unauthorised disclosure – not merely those to the public at large – will place an organisation at risk. Particularly with chat platforms, both employers and employees can be lulled into the false belief that communications are private and secured, and become more casual about sharing personal or confidential information as a result. This should be approached with caution where work matters are concerned, particularly those involving clients’ or colleagues’ personal or confidential data. Company policy should specify to employees that chat platforms (whether WhatsApp or intranet messengers) should only be used to share non-sensitive information. Another difficulty with large chat groups is that it is easy to forget who their participants are. Employees should be alive to the distinction between data which can be shared freely amongst their colleagues and information which a client or colleague means to share only with a limited group of people (for instance, a specific employee or his team).

Another interesting feature of the case is the nature of the “personal data” disclosed. “Personal data” is often considered to be hard data, such as names, credit card numbers, passwords, and so on. However, the “personal data” shared by the employer in this case comprised details of the employee’s “drug problem” and “issue with infidelity in her amorous relationship”. These may seem like idle gossip, but they also fall under the wide definition of “personal data” in the Singapore Act – “data, whether true or not, about an individual who can be identified from that data and/or other information to which the organisation has or is likely to have access”. Aside from personal issues, the definition captures other non-intuitive forms of data including political opinions, hobbies, and location data. Companies should consider reviewing their systems to determine if there is “personal data” of this nature which they are collecting but have not made arrangements to protect.

IAPP San Francisco KnowledgeNet Event – Privacy Developments in Asia

Please join us for a panel discussion as we host the upcoming IAPP San Francisco Bay Area KnowledgeNet Chapter meeting on April 27, 2017. This presentation will focus on the new China Cybersecurity Law, the latest developments with Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), and privacy laws in Asia.

Panelists:

  • Anna Gamvros, CIPP/A, CIPT, FIP, Partner and Asia Technology and Innovation Practice Co-Head, Hong Kong, Norton Rose Fulbright
  • Barbara Li, Partner, Beijing, Norton Rose Fulbright
  • Hilary Wandall, CIPP/E, CIPP/US, CIPM, General Counsel and Chief Data Governance Officer, TRUSTe

Date and time:

  • Thursday, April 27, 2017
  • 8:30 – 11:00 a.m.
  • Registration will begin at 8:30 a.m. with a panel discussion to start at 9 a.m. Networking will follow from 10:00 – 11:00 a.m.

Location:

Norton Rose Fulbright, 555 California Street, Concourse Floor, San Francisco, CA 94104-1609

Register Now:

  • Online registration can be found here.
  • Registration is REQUIRED by April 26, 2017. Space is limited.
  • Attendees are eligible to receive California MCLE credit.
  • IAPP CIPP/A, CIPM and CIPT certificate holders will automatically receive one Group A continuing privacy education (CPE) credit for attending this KnowledgeNet Chapter meeting. More information on how CPE credits will be applied can be found on the registration page.

Fourth Circuit Weighs In On What Constitutes “Injury-in-Fact” in Data Breach Cases

In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing. There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred.

Singapore cybersecurity – new amendments introduce four key changes

Singapore’s Ministry of Home Affairs has announced amendments to the Republic’s cybersecurity laws, i.e. the Computer Misuse and Cybersecurity Act (CMCA), after a series of high-profile cyberattacks in recent years.

The Computer Misuse and Cybersecurity Amendment Bill (the Bill), which will be discussed when Parliament sits on 3 April 2017, introduces four key changes to the CMCA:

  1. Making it an offence to obtain, retain or supply personal information obtained through cybercrime
  2. Making it an offence to obtain items which can be used to commit cybercrimes
  3. Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore
  4. Allowing amalgamation of cybercrime charges

In this briefing, we outline the key aspects of the amendments to the cybersecurity laws and discuss the implications for businesses in Singapore.

Event: Cybersecurity Updates in the Financial Services Sector – April 6, 2017

Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply.

There are new regulatory initiatives at the international, US national and US state levels. With the consistent threat of security breach, financial institutions need to be aware of the latest developments in order to remain compliant and avoid becoming yet another victim of cyber hackers.

Topics will include:

  • International Standard
  • Cyber initiatives by the Trump Administration
  • CFTC Rules on Cybersecurity Testing and Systems Safeguards Risk Analysis
  • The New York State DFS Cybersecurity Regulations and what the federal banking regulators are doing to address cybersecurity risk management

Speakers:

Date and time:

Thursday, April 6, 2017

  • 8:30 a.m. Registration and breakfast
  • 9:00 a.m. Program begins
  • 9:40 a.m. Program concludes
  • 9:50 a.m. Q&A concludes; adjournment

Location:

  • Norton Rose Fulbright, 1301 Avenue of the Americas, New York, NY 10019
  • This program can also be attended via webinar.

Registration:

  • Click here to RSVP for the live event or webinar.

Continuing legal education:

We have applied for 1.0 hour of California and Texas CLE credit. For all New York participants, this program has been approved for 1.0 hour of professional practice CLE credit.

For this event, Norton Rose Fulbright is responsible for obtaining CLE accreditation for California, Texas and New York states. If you have questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator.

The Long Arm of Canadian Privacy Law

Earlier this year, a Canadian trial court ruled that Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) has extra-territorial application and restricts the dissemination of personal information of Canadians, even where the information is already public, and even though it is made available from outside Canada.

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

On 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its earlier paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well advised to incorporate into their projects, and it firmly rejects suggestions that either the existing data protection framework or the GDPR cannot be applied in this context.

The paper works through the implications of big data against the core data protection principles; it then discusses compliance tools that can be used to meet those implications (including a useful analysis of how its current Privacy Impact Assessment Code of Practice is still fit for purpose under the GDPR and for big data projects). It concludes with six key recommendations.

UK Information Commissioner Publishes Draft GDPR Consent Guidance

On March 2, 2017, the UK Information Commissioner’s Office (ICO) published its draft General Data Protection Regulation (GDPR) consent guidance, and called for comments on the guidance. The consultation is open until March 31, 2017. The ICO will issue final guidance in May 2017.

The guidance is detailed, and references the various GDPR Articles and recitals and previous Article 29 Working Party opinions on which it is based. The guidance is also conservative and keen to emphasize the heightened consent requirements that the GDPR mandates (over and above the current data protection law), particularly in the UK.
