Norton Rose Fulbright Nominated for Cyber Law Firm of the Year

Data Protection Report - Norton Rose Fulbright

The 2017 Advisen Cyber Risk Awards nominees have been announced, and Norton Rose Fulbright is shortlisted for Cyber Law Firm of the Year.  Ballots are now open, and you can show your support for Norton Rose Fulbright by casting your vote before Friday, May 19 at 11:59 pm ET.

Each year, Advisen recognizes the most influential and innovative leaders in the cyber risk profession, including service providers, broking teams, insurers and reinsurers.  This is the first year that Advisen has recognized an awards category for Law Firm of the Year, and we are honored to be included as a nominee.

Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.

Winners will be announced at the fourth annual Advisen Cyber Risk Awards gala in New York City on June 14, 2017.

For more information about Norton Rose Fulbright’s global data protection and incident response capabilities, please visit our website.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

Cross-border data transfers: China issues new measures to strengthen data localisation

Hacker using laptop. Lots of digits on the computer screen.

The Cyberspace Administration of China (CAC) issued draft measures for implementing the data localisation provisions under the Cybersecurity Law of China (Cybersecurity Law) and the National Security Law of China on 11 April 2017. The draft regulations are open for public comment until 11 May 2017.

Continue reading

Germany’s Parliament Approves Local Data Protection Law to Operate Alongside GDPR

EU flags in front of European Commission building in Brussels

On April 27, 2017, the German Federal Parliament voted to approve the new proposed German Federal Data Protection Act (“new FDPA”). The law would adapt the current German data protection law to the EU General Data Protection Regulation (GDPR). The federal chamber of the states, the German Federal Council, is expected to approved the new FDPA in the next month, without major changes.  Once approved by the Federal Council, the new FDPA will become effective on May 25, 2018, the same date as the GDPR.

The new FDPA seeks to enhance privacy protections in areas where the GDPR allows EU Member States to deviate from the Regulation. Continue reading

Canada Passes Legislation Protecting Genetic Information

Data Protection Report - Norton Rose Fulbright

The Canadian Parliament recently passed Bill S-201, the Genetic Non-Discrimination Act, which protects individuals from having to disclose information related to genetic testing and test results. Specifically, the Act prohibits any person from requiring an individual to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services to, entering into or continuing a contract or agreement with, or offering specific conditions in a contract or agreement with, the individual. Contravention of the Act is punishable by significant fines and even potential imprisonment. There are express exceptions for health care practitioners who are providing health services to patients and researchers who are collecting information from participants in medical, pharmaceutical or scientific research.

Continue reading

New York Event: Cybersecurity Developments in Asia

Data Protection Report - Norton Rose Fulbright

The past year has seen data breaches in the headlines for Asia-based companies and the continued strengthening of privacy and security laws in this region. Please join us for a panel discussion at our New York office on Friday, April 21, 2017, regarding cybersecurity developments in Asia, including China’s new cybersecurity law that comes into effect in June.

This presentation will focus on:

  • The overall privacy and cybersecurity landscape in Asia
  • Recent developments in laws, focusing on China, Hong Kong, and Singapore
  • Navigating the legal landscape and building trust


  • Stella Cramer, Co-head of Asia Technology & Innovation, Singapore
  • Anna Gamvros, Co-head of Asia Technology & Innovation, Hong Kong
  • Boris Segalis, Partner; Co-Chair, Data Protection, Privacy & Cybersecurity, US Norton Rose Fulbright

Date and time:

Friday, April 21, 2017

  • 8:30 a.m. Registration and breakfast
  • 9:00 a.m. Program begins
  • 10:00 a.m. Program adjourns



  • Click here to RSVP.

Continuing legal education:

We have applied for 1.0 hour of New York CLE credit.

For this event, Norton Rose Fulbright is responsible for obtaining CLE accreditation for New York state. If you have questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator.

Singapore legal update: Firm warned for WhatsApp personal data disclosure

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.

A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.

The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act if the relevant individual has not consented to the disclosure. It is a reminder that all forms of unauthorised disclosure – not merely those to the public at large – will place an organisation at risk. Particularly with chat platforms, both employers and employees can be lulled into the false belief that communications are private and secured, and are more casual with sharing personal or confidential information as a result. This should be approached with caution where work matters are concerned, particularly those involving clients’ or colleagues’ personal or confidential data. Company policy should specify to employees that chat platforms (whether Whatsapp or intranet messengers) should only be used to share non-sensitive information. Another difficulty with large chat groups is that it is easy to forget who its participants are. Employees should be alive to the distinction between data which can be shared freely amongst their colleagues; and information which a client or colleague means to share only with a limited group of people (for instance, a specific employee or his team).

Another interesting feature of the case is the nature of “personal data” disclosed – “personal data” is often considered to be hard data – such as names, credit card numbers, passwords, and so on. However, the “personal data” shared by the employer in this case comprised details of the employee’s “drug problem” and “issue with infidelity in her amorous relationship”. These may seem like idle gossip, but they also fall under the wide definition of “personal data” in the Singapore Act – “data, whether true or not, about an individual who can be identified from that data and/or other information to which the organisation has or is likely to have access”. Aside from personal issues, the definition captures other non-intuitive forms of data including political opinions, hobbies, and location data. Companies should consider reviewing their systems to determine if there is “personal data” of this nature which they are collecting but have not made arrangements to protect.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

IAPP San Francisco KnowledgeNet Event – Privacy Developments in Asia

Data Protection Report - Norton Rose Fulbright

Please join us for a panel discussion as we host the upcoming IAPP San Francisco Bay Area KnowledgeNet Chapter meeting on April 27, 2017. This presentation will focus on the new China Cybersecurity Law, the latest developments with Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), and privacy laws in Asia.


  • Anna Gamvros, CIPP/A, CIPT, FIP, Partner and Asia Technology and Innovation Practice Co-Head, Hong Kong, Norton Rose Fulbright
  • Barbara Li, Partner, Beijing, Norton Rose Fulbright
  • Hilary Wandall, CIPP/E, CIPP/US, CIPM, General Counsel and Chief Data Governance Officer, TRUSTe

Date and time:

  • Thursday, April 27, 2017
  • 8:30 – 11:00 a.m.
  • Registration will begin at 8:30 a.m. with a panel discussion to start at 9 a.m. Networking will follow from 10:00 – 11:00 a.m.


Norton Rose Fulbright, 555 California Street, Concourse Floor, San Francisco, CA 94104-1609

Register Now:

  • Online registration can be found here.
  • Registration is REQUIRED by April 26, 2017. Space is limited.
  • Attendees are eligible to receive California MCLE credit.
  • IAPP CIPP/A, CIPM and CIPT certificate holders will automatically receive one Group A continuing privacy education (CPE) credits for attending this KnowledgeNet Chapter meeting. More information on how CPE credits will be applied can be found on the registration page.

Fourth Circuit Weighs In On What Constitutes “Injury-in-Fact” in Data Breach Cases

Abstract data bits stream background. Digital cyber pattern.

In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing.  There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred.

Continue reading

Singapore cybersecurity – new amendments introduce four key changes

Singapore’s Ministry of Home Affairs has announced amendments to the Republic’s cybersecurity laws, i.e. the Computer Misuse and Cybersecurity Act (CMCA), after a series of high-profile cyberattacks in recent years.

The Computer Misuse and Cybersecurity Amendment Bill (the Bill), which will be discussed when Parliament sits on 3 April 2017, introduces four key changes to the CMCA:

  1. Making it an offence to obtain, retain or supply personal information obtained through cybercrime
  2. Making it an offence to obtain items which can be used to commit cybercrimes
  3. Targeting cybercrimes committed overseas, against overseas computers, which create a significant risk of serious harm in Singapore
  4. Allowing amalgamation of cybercrime charges

In this briefing, we outline the key aspects of the amendments to the cybersecurity laws and discuss the implications for businesses in Singapore.

Event: Cybersecurity Updates in the Financial Services Sector – April 6, 2017

Data Protection Report - Norton Rose Fulbright

Please join us for a 40-minute briefing on the latest developments in cybersecurity and what the financial services sector needs to know in order to comply.

There are new regulatory initiatives at the international, US national and US state levels. With the consistent threat of security breach, financial institutions need to be aware of the latest developments in order to remain compliant and avoid becoming yet another victim of cyber hackers.

Topics will include:

  • International Standard
  • Cyber initiatives by the Trump Administration
  • CFTC Rules on Cybersecurity Testing and Systems Safeguards Risk Analysis
  • The New York State DFS Cybersecurity Regulations and what the federal banking regulators are doing to address cybersecurity risk management


Date and time:

Thursday, April 6, 2017

  • 8:30 a.m. Registration and breakfast
  • 9:00 a.m. Program begins
  • 9:40 a.m. Program concludes
  • 9:50 a.m. Q&A concludes; adjournment


  • Norton Rose Fulbright, 1301 Avenue of the Americas, New York, NY 10019
  • This program can also be attended via webinar.


  • Click here to RSVP for the live event or webinar.

Continuing legal education:

We have applied for 1.0 hour of California and Texas CLE credit. For all New York participants, this program has been approved for 1.0 hour of professional practice CLE credit.

For this event, Norton Rose Fulbright is responsible for obtaining CLE accreditation for California, Texas and New York states. If you have questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator.