Relying on the Legitimate Interests Exception under the Personal Data Protection Act 2012

In a recent decision (the Decision),[1] the Personal Data Protection Commission (PDPC) considered for the first time a company’s reliance on the Legitimate Interests Exception (as defined below) under the Personal Data Protection Act 2012 (PDPA) when the consent procured is invalid. The General Legitimate Interests Exception The general Legitimate Interests Exception was introduced to … Continue reading

Privacy law is becoming more technically sophisticated. So should you.

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.… Continue reading

Cyber-insurance – 72 hours for the insured party to file a criminal complaint: GDPR’s false friend

Cyberattacks have become more frequent, problematic and complex over the years – so much so that they now represent a real threat to economic activities. The French Information and Digital Security Experts Club (CESIN) has estimated that 54% of French companies were subject to cyberattacks in 2021,[1] while France Assureurs has put cyberattack risks on … Continue reading

FTC proposed consent order prohibits perpetual retention of personal information

We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information.  On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category.   Also unlike the previous matter, … Continue reading

EDPB Guidelines on international transfers: 6 key takeaways

EDPB Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation on international data transfers On 14 February 2023, the European Data Protection Board (EDPB) published its Guidelines on the interplay between Article 3 and the provisions in Chapter V of the General Data Protection Regulation … Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

Hong Kong’s data privacy law reform may come in 2023

The reform of Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) is back on the agenda. In our earlier post in 2020, we reported that the Constitutional and Mainland Affairs Bureau published a discussion paper (the Discussion Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the … Continue reading

BIPA damages accrue per transaction

On February 17, 2023, the Illinois Supreme Court decided, by a 4-3 vote, that each time a private entity scans or transmits an individual’s biometric information without complying with Illinois Biometric Information Privacy Act (BIPA), that constitutes a separate violation under BIPA.  (Cothron v. White Castle System, Inc., 2023 IL 128004 (Ill. Feb. 17 2023).)  … Continue reading

Hong Kong: Data Security Measures Guidance published by the PCPD

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information … Continue reading

Privacy Act Review report

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, which includes the broad suite of reforms you would expect to bring Australia’s privacy laws into line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading