Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and information” as an issue which should be addressed in arbitration rules. This clearly demonstrates that the users of arbitration are concerned about data security. While there are signs that the market is listening, users seem to think that arbitral institutions, counsel and tribunals could do more to address cybersecurity.

In our article published in the latest International Arbitration Report, we examine three areas of data protection and cyber security in arbitration:

  • The EU’s GDPR and how it bears on international arbitration;
  • Data breaches in arbitral proceedings and cyberattacks on institutions, and how institutions are responding; and
  • How hacked evidence might appear in arbitration, and how tribunals have dealt with this issue.

The full article is available here.

Deadline extended for compulsory registration on Data Controller registry

Norton Rose Fulbright - Data Protection Report blog

Obligations

We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Continue reading

CCPA: “Wait and see” is not the right approach

Data Protection Report - Norton Rose Fulbright

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable.

Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.

Those statements are indeed accurate, as far as they go. However, they neglect the fact that most business cannot turn on a dime and do not have a robust grasp on the IT and business systems that collect and share personal information. Given that January 1, 2020 is almost upon us and July 2020 follows close behind, there simply will not be enough time once the amendments are passed and the guidance provided, to implement CCPA if you do not start now (or ideally, have started already). Continue reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Norton Rose Fulbright - Data Protection Report blog

Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the facts of each specific breach.

Implications for non-Turkish controllers

The obligation to register under TDPL applies to data controllers based outside of Turkey as well as Turkish controllers. Consequently, natural and legal persons who are currently processing personal data but who are based outside of Turkey, are still obliged to comply with the obligation to register. The registration process is different for Turkish and non-Turkish data controllers. Data controllers located outside of Turkey will need to appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The representative must complete the registration form available online, and submit it to the DPA. The representative will then appoint a contact person (irtibat kişisi) who must also be a Turkish citizen resident in Turkey (a natural person representative may appoint herself as the contact person). The contact person will submit the required information and complete registration with VERBİS.

Deadline for registration

The deadline for completing the registration process is fast approaching. Specifically, the following data controllers must complete their registration with VERBİS prior to the deadlines set out below:

  • Real and legal persons who have settled abroad (i.e. non-Turkish controllers) before 30 September 2019;
  • Workplaces that have over 50 employees yearly, or have financial balance sheet over TL 25,000,000 (approx. USD 4,500,000) before 30 September 2019;
  • Legal entities which have less than 50 employees annually and whose annual total financial statement is less than TL 25,000,000 but whose main business is processing sensitive personal data to register before 31 March 2020.

The CNIL publishes new guidelines on cookies and other similar technologies

US Supreme Court expands digital privacy rights in Carpenter v. United States

On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.

Continue reading

One-Month Countdown to Pass CCPA Amendments Begins

Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who are working on implementing a CCPA program.  Click here for our previous coverage of AB 25 (employee exception), AB 846 (customer loyalty program), and AB 1564 (consumer request methods). Continue reading

Website operators joint controllers with third-party plugin providers

Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, must collect relevant consent from the website visitor.

Continue reading

US CLOUD Act and International Privacy

Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act. Continue reading

LexBlog