California privacy initiative likely to increase costs of civil litigation if passed in November

By Spencer Persson on April 23, 2018 Posted in Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

A little more than one month from implementation of GDPR, companies may be tempted to relax and exhale (and if GDPR is still causing you headaches, consult our checklist). After all, the U.S. couldn’t be crazy enough to implement something as onerous and difficult, right? RIGHT?!?

Enter California, which appears likely to place an initiative on the November 2018 ballot that could bring some familiar aspects of GDPR to the sixth largest economy in the world. The proposed initiative, the Consumer Right to Privacy Act of 2018 (the “CRPA”), still needs to obtain the necessary signatures to appear on the ballot and then be passed by a majority of California voters. However, given the high profile data misuse and breach stories in the news over the past several months, the possible passage of the initiative must be taken seriously. Continue reading

NIST releases latest version of its Cybersecurity Framework

By Kim Gold (US) on April 19, 2018 Posted in Compliance and risk management

Data Protection Report - Norton Rose Fulbright

On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017. Continue reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

By Ryan Berger (CA), Julie Himo (CA), Caroline Deschênes (CA) and John Cassell (CA) on April 10, 2018 Posted in Data breach

As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.

Through an Order in Council, the Federal Government has announced that previous PIPEDA breach notification amendments will come into force this November.

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Sarah Moses and Spencer Persson on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. Continue reading

FCC TCPA order partially upheld and partially set aside

By Susan Ross (US) on March 17, 2018 Posted in Dispute resolution and litigation

On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls. On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone dialing system” (ATDS), and how callers can deal with reassigned numbers where the previous owner had consented to receive marketing calls. Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang, Jessica Paulin, David Olds and Jeremy Lua on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below a summary of the key points that you should know about the public feedback and PDPC’s response.

Uber as a HIPAA business associate

By Kim Gold (US) and Alexis Wilpon (US) on March 7, 2018 Posted in General

Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments. Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

By Christoph Ritzer (DE) and Thorben Schläfer (DE) on March 5, 2018 Posted in Compliance and risk management

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms previous understanding.

In detail:

The guidance describes the register as being the core element for GDPR compliance, i.e., core for a comprehensive data privacy and information security management system. It is described as the most important document to demonstrate data privacy compliance with regard to the principle of accountability.
Unsurprisingly, the guidance expects a register to be submitted to a German DPA upon request in German language. Although, the register may be kept in different languages as long as the organisation is able to swiftly present a German translation upon request.
What is a little more unexpected is the DPAs’ recommendation that organisations list not only the recipients of data transfers outside the organisation but also the details of the internal groups or persons having access to the processing’s data. This may require a greater level of detail than some organisations have included in their registers to date.
The guidance also elaborates on the threshold of 250 employees above which the GDPR requires a register to be maintained. In practice, the DPAs say this threshold is more or less irrelevant as even with one employee a company would be processing sensitive data – in which case a register is required.
Finally, the guidance suggests linking further data privacy documents (e.g. general privacy policies, data security information or documents on PIA procedures) from the register as reference documents.

Our take

This guidance has been released less than 100 days before the GDPR enters into force. This is very late, given that the registers are a logical first step of a GDPR preparation project. It would seem unreasonable for DPAs to expect that organisations which have finished their registers to go back and rework them to be in line with this guidance (at least in the short term).

However, in terms of content, the guidance generally confirms current views. It is interesting to see the emphasis put on the importance of data mapping to comply with the accountability requirements of the GDPR.

Working party publishes draft of GDPR guidelines for Article 49 (export derogations)

By David Kessler (US) and Anna Rudawski (US) on March 5, 2018 Posted in Compliance and risk management

On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment. The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR. For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework. However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations. Continue reading

WP29 brings Binding Corporate Rules in line with the GDPR

By Lara White and Anna Rudawski (US) on February 28, 2018 Posted in Regulatory response

On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.