For whom the bell tolls: FTC, regulators and private parties are coming for online tracking technologies  

Photo of Anna Rudawski (US)Photo of Alexis Wilpon (US)By Anna Rudawski (US) and Alexis Wilpon (US) on Posted in Compliance and risk management
Over a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission.  Following suit, a few months ago, OCR announced guidance of its own that expanded the class of … Continue reading

ICYMI – Late December in privacy and cybersecurity

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Cybersecurity, Privacy law
Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time.  We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1.         Colorado issued a revised draft … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

Photo of Travis WalkerPhoto of Imran Ahmad (CA)By Travis Walker and Imran Ahmad (CA) on Posted in Cybersecurity, Data breach, Data Protection, Privacy law
Data Protection Report - Norton Rose FulbrightIn three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

New guidance on direct marketing

Photo of Ali Fazeli-NiaPhoto of Lara White (UK)By Ali Fazeli-Nia, Lara White (UK) and Janine Regan (UK) on Posted in Data Protection, Privacy law
Introduction On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance). The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector. … Continue reading

A Look Back On Five Key Developments in Cybersecurity and Data Protection in Southeast Asia in 2022

Photo of Wilson Ang (SG)Photo of Jeremy Lua (SG)By Wilson Ang (SG), Jeremy Lua (SG) and Ernest Cheong on Posted in Data Protection
With the year 2022 firmly in the rear view, and as we look to start the new year in 2023, Norton Rose Fulbright’s Regulatory Compliance and Investigations team looks back and rounds up the five key cyber and data protection developments that took place in Southeast Asia in 2022.    Enhanced financial penalties under the … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Liability in Motor Vehicle Accidents (Part 3)

Photo of Suzie Suliman (CA)Photo of Imran Ahmad (CA)By Suzie Suliman (CA) and Imran Ahmad (CA) on Posted in Cybersecurity, Data Protection
As autonomous vehicle (AV) technology continues to grow in functionality and sophistication, it is only a matter of time before AVs become commercially available across Canada. The arrival of autonomous vehicles in Canada will raise a number of liability-related questions that touch on the areas of owner liability, product liability, and auto insurance. In this … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on Posted in Data Protection, Privacy law
On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).  The draft decision – available here – addresses the concerns raised by the Court of Justice  of the European Union (CJEU) in its Schrems II decision of July 2020.  These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

Photo of Andrew McCoombBy Andrew McCoomb on Posted in Cybercrime, Cybersecurity, Data breach, Data Protection, Ransomware
Data Protection Report - Norton Rose FulbrightNorton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

New UK guidance on Transfer Risk Assessments

Photo of Lara White (UK)Photo of Fiona Bundy-Clarke (UK)By Lara White (UK) and Fiona Bundy-Clarke (UK) on Posted in Data Protection, Data Transfer
On 17 November 2022, the Information Commissioner’s Office (ICO) published an update to its guidance on international transfers (Transfers Guidance).  This included specific guidance about transfer risk assessments or TRAs and a tool for undertaking TRAs (the TRA Guidance and TRA Tool, respectively).  In its blog post accompanying the updated Transfers Guidance, the ICO makes … Continue reading

BIPA and the record retention requirement

Photo of David Kessler (US)Photo of Anna Rudawski (US)Photo of Susan Ross (US)Photo of Susana Medeiros (US)By David Kessler (US), Anna Rudawski (US), Susan Ross (US) and Susana Medeiros (US) on Posted in BIPA
Norton Rose Fulbright - Data Protection Report blogOn November 30, 2022, an Illinois court of appeals ruled that Illinois’ biometrics privacy law—known as BIPA—requires that anyone subject to that law must develop a retention and destruction schedule when it possesses biometric data.  In this case, the court found that the employer (J&M Plating Inc.) violated BIPA because it did not create its … Continue reading
LexBlog