By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Continue reading
Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR
The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation. Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law. Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May. We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.
In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them. Just in the first week, we are seeing glimpses of what lays ahead. Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites, Europa.eu. Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.”
We take a look at the initial reactions and events that occurred in the first week following the implementation of the GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.
The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.
For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy, which gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements. We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.
The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK. Continue reading
On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate notice and affirmative opt-in consent relating to collection, use, and sharing of certain consumer information. BLU does not admit or deny any of the FTC’s allegations. Continue reading
On Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies. If passed, the proposed legislation would amend Massachusetts’s current breach notification law. The bill aims to help consumers protect their sensitive information before, during, and after a data breach.
A little more than one month from implementation of GDPR, companies may be tempted to relax and exhale (and if GDPR is still causing you headaches, consult our checklist). After all, the U.S. couldn’t be crazy enough to implement something as onerous and difficult, right? RIGHT?!?
Enter California, which appears likely to place an initiative on the November 2018 ballot that could bring some familiar aspects of GDPR to the sixth largest economy in the world. The proposed initiative, the Consumer Right to Privacy Act of 2018 (the “CRPA”), still needs to obtain the necessary signatures to appear on the ballot and then be passed by a majority of California voters. However, given the high profile data misuse and breach stories in the news over the past several months, the possible passage of the initiative must be taken seriously. Continue reading
On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017. Continue reading
As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.
Through an Order in Council, the Federal Government has announced that previous PIPEDA breach notification amendments will come into force this November.