Google/Android announces privacy requirements

By Daniel Rosenzweig (US) and Wenda Tang (US) on May 12, 2021 Posted in NT Analyzer Blog Series

NT Analyzer | Google Announces App Privacy Requirements

Google announced that it will follow industry standards with respect to privacy obligations. All developers with apps on Google Play will be required to disclose the type of data collected and stored and how such data is used by Q2 of 2022. These are in addition to other elements, such as security practices, data deletion upon uninstallation of app, etc.

Violators, according to Google, will be required to fix identified violations; failure to do so could result in policy enforcement.

NT Analyzer is equipped to provide organizations with a solution to meet this requirement. Read more about these requirements and … Continue Reading

DSAR – No copy of work emails required in Germany

By Christoph Ritzer (DE) and Natalia Filkina (DE) on April 30, 2021 Posted in Compliance and risk management

German Federal Labour Court dismissed employee’s claim

On 27 April 2021, the German Federal Labour Court (Bundesarbeitsgericht, the Federal Court) held that employees cannot request their employer to provide them with copies of all (i) the employee’s entire email correspondence; and (ii) any emails mentioning the employee by name.

The Federal Court said that under applicable civil procedural rules the request was not specific enough – it was not possible precisely identify the emails such that any order could be enforced. The court chose to base its decision on civil proceedings laws, not on data protection law.… Continue Reading

iOS 14.5 and ATT Framework is coming

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 22, 2021 Posted in NT Analyzer Blog Series

ATT Framework is coming. Read more on NT Analyzer

On April 26, 2020, iOS/iPadOS/tvOS 14.5 and the enforcement of the AppTrackingTransparency (‘ATT’) go into effect.

Read more about this on Steve Roosa and Daniel Rosenzweig’s blog post on NT Analyzer.… Continue Reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue Reading

EDPB cautiously welcomes UK adequacy finding

By Lara White (UK) and Janine Regan (UK) on April 16, 2021 Posted in General, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021.

The EDPB recognises that the UK’s adequacy assessment is unique given it was an EU Member State until very recently and therefore acknowledges there are many areas of convergence between the UK and EU regimes. However, much of the Opinion examines a number of “challenges” with … Continue Reading

Don’t let Apple determine your app’s fate

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 13, 2021 Posted in NT Analyzer Blog Series

Apple, in centralizing control over data collected on iOS, is rejecting apps from the App Store, essentially 50,000 apps at a time.

For example, the App Store recently rejected updates to an app that used a third party software development kit (“SDK”) from Adjust. As a result of the SDK and according to Apple (as reported by Forbes):

“[Your app]…collects user and device information to create a unique identifier for the user’s device [via fingerprinting] … Per section 3.3.9 of the Apple Developer Program License Agreement, neither you nor your app can use any permanent, device-based identifier … for … Continue Reading

Navigating Virginia’s new privacy law

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 8, 2021 Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key.

Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The law also requires controllers to conduct a data protection assessment and implement technical data security practices.

NT Analyzer is equipped to provide organizations with a solution to meet this requirement. Read more about this new law and our solution on … Continue Reading

To be or not to be . . . an “autodialer”

By David Kessler (US) and Susan Ross (US) on April 5, 2021 Posted in Compliance and risk management

Data Protection Report - digital privacy, CCPA and cybersecurity

On April 1, 2021, the U.S. Supreme Court decided the question whether the Telephone Consumer Protection Act’s (TCPA) definition of “autodialer”

encompasses equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” It does not. To qualify as an “automatic telephone dialing system,” a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.

Facebook, Inc. v. Duguid, No. 19-511 (April 1, 2021) (2021 WL 1215717).

Background

The … Continue Reading

New York State imposes a US$1.5 million penalty in cybersecurity breach case

By Susan Ross (US) and Kathleen Scott (US) on March 17, 2021 Posted in Cybersecurity

On March 3, 2021, the New York Department of Financial Services (NYDFS) announced a Consent Order with a NYDFS-licensed Maine-based mortgage banker and loan servicer settling alleged violations of the NYDFS cybersecurity regulations. (In the matter of Residential Mortgage Services, Inc., March 3, 2021).

The Consent Order required RMS to pay $1.5 million, and within 90 days, submit to NYDFS all of the following: a comprehensive written Cybersecurity Incident Response Plan; a comprehensive cyber risk assessment; RMS’ risked-based policies, procedures and controls; and documentation on its more recent cyber training.

The full post appears on the firm’s Financial … Continue Reading

Privacy commissioners take position on using facial recognition technology

By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on March 11, 2021 Posted in Cybersecurity, Data breach

Investigative findings

In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police lineup.” They found Clearview collected highly sensitive information without the knowledge or consent of individuals, and did so for an inappropriate purpose.

Several key considerations informed the commissioners’ views.

Online data is protected

Heavy reliance on social media, and on the readily available personal information … Continue Reading