Canada’s artificial intelligence legislation is here

By Maya Medeiros and Jesse Beatson on June 28, 2022 Posted in General

On 16 June 2022 the Canadian federal government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. If passed, this package of laws will: Implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA). Reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with … Continue reading

Bill C-26: a first step at reinforcing Canadian cybersecurity

By Jeremie Wyatt (CA), Imran Ahmad (CA), John Cassell (CA), Tiana Corovic (CA), Roohie Sharma and Katarina Duke on June 22, 2022 Posted in Compliance and risk management, Cybersecurity

On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading

UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill

By Marcus Evans (UK), Fiona Bundy-Clarke (UK) and Shiv Daddar (UK) on June 22, 2022 Posted in Compliance and risk management, Regulatory response

The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime. The government set out very high level principles for a Data Reform Bill in the Queen’s Speech in May. If legislation is to be passed in this … Continue reading

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Sara A. Levine, QC (CA) on June 14, 2022 Posted in Compliance and risk management, Data breach, Regulatory response

As privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog … Continue reading

Points to note on the European Commission’s questions and answers on the Revised Standard Contractual Clauses (SCCs)

By Marcus Evans (UK) and Shiv Daddar (UK) on June 10, 2022 Posted in General

On May 25th 2022, the European Commission published a series of questions and answers on the SCCs to be used between controllers and processors within the European Economic Area (EEA), and the SCCs to be used for transfers to countries not considered adequate by the European Commission (Third Countries) (the Q&As). The text of the … Continue reading

EDPB publishes guidance on calculating GDPR fines

By Polina Maloshchinskaia, Steven Hadwin (UK), Marcus Evans (UK) and Christoph Ritzer (DE) on June 9, 2022 Posted in General

On 12 May 2022 EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines).  The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommends that the two are read together.  Whereas the previous guidance set out general principles for when … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

By Anna Rudawski (US), Chris Cwalina (US) and David Kessler (US) on June 8, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) and Chris Cwalina (US) on May 25, 2022 Posted in Cybersecurity, Data breach, Privacy law, Ransomware, Regulatory response

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

By Ehsan Ghavidel on May 25, 2022 Posted in Cybersecurity

In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

Federal Privacy Commissioner Published Guidance on What Is “Sensitive” Personal Information

By Tiana Corovic (CA), Imran Ahmad (CA), John Cassell (CA), Katarina Duke and Roohie Sharma on May 18, 2022 Posted in PIPEDA, Privacy law

On May 16, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released an Interpretation Bulletin (the “Bulletin”) on what it considers to be “sensitive” personal information under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Bulletin is  meant to act as a consolidated guide based on jurisprudence, regulatory findings, … Continue reading