New German fine: EUR 10.4 million for unlawful CCTV

A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV.

The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) imposed the fine on the electronics retailer “notebooksbilliger.de AG” (the Retailer) at the end of 2020.

The Retailer used CCTV in its premises to prevent and investigate criminal offences and to track the flow of goods in the warehouses over a period of at least …

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

Data Protection Report - Norton Rose Fulbright

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.

The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU …

US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that …

EU-UK Trade and Cooperation Agreement: Implications for data protection law

Norton Rose Fulbright - Data Protection Report blog

On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would have been restricted at the end of the Brexit transition period.

The main points of the TCA relating to data protection are set out below.

1.) Data transfers from the EEA to the UK…

  • The

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Three

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part three of a series of three blog posts.  In this blog post, we consider the DGR’s relationship to competition law rules.

The DGR’s relationship to competition law rules

The DGR specifies that:

  • It does not affect the application of EU competition rules – in particular rules on the exchange of competitively sensitive information between actual or potential competitors through data

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Two

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part two of a series of three blog posts.  In this blog post, we outline the new regimes for data sharing service providers and data altruism under the DGR, and consider the potential impact on businesses.

New regime for data sharing service providers

The EC anticipates that providers of data sharing services, or data intermediaries, will play a key role in …

EU data governance regulation – a wave of digital, regulatory and antitrust reform begins – Part 1

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part one of a series of three blog posts.  In this first blog post, we outline key aspects of the DGR, set it in the context of other reforms proposed by the EC, consider public-sector data sharing under the DGR, and look at its potential impact on businesses.

The DGR, proposed in the EC’s February 2020 Digital Strategy, is the …

Bill C-11: Canada proposes new data privacy legislation

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.…

COVID tracing & AI: Physically distant, socially together

As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert, an app using Bluetooth technology to help people report positive diagnoses and control the spread of the virus. The success of the app depends on a high quantity of users, but concerns over privacy and the use of artificial intelligence (AI) in analyzing the data may hinder that objective.

COVID tracing apps

With the launch of COVID Alert, Canada joined 40 other countries that have launched tracing apps. The Bluetooth-based app …
