Over-Retention of Personal Data

Photo of David Kessler (US)Photo of Marcus Evans (UK)Photo of Susan Ross (US)By David Kessler (US), Marcus Evans (UK) and Susan Ross (US) on Posted in Compliance and risk management

The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.”  Perhaps the CNIL’s  €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view.

The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an inspection by the French data protection authority (the CNIL), in 2019.  The CNIL’s inspection included the insurer’s compliance with Section 5-1(e) of GDPR, which reads:

Personal data shall be . . . (e) kept in a form which permits identification of data subjects for … Continue Reading

OFAC Announces New Measures to Address Ransomware Attacks

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Stefan H. Reisinger (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Stefan H. Reisinger (US) on Posted in Cybercrime, Cybersecurity, Ransomware

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem.  OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the SDN List; and (3) amending its earlier October 1, 2020 guidance to companies on the potential sanctions risks for facilitating ransomware payments.  OFAC’s summary of the additional sanctions designations is available here and its updated guidance is available here.

While OFAC has previously designated … Continue Reading

Essential guidance for employers implementing COVID-19 measures at the workplace

Photo of Wilson Ang (SG)Photo of Jeremy Lua (SG)Photo of Ian CheongBy Wilson Ang (SG), Jeremy Lua (SG), Ian Cheong and Parry Tan on Posted in PDPA, Privacy law

As Singapore moves towards living with COVID-19 as an endemic disease, the Government has issued guidance for employers on the COVID-19 measures to be implemented at the workplace. We will discuss the guidance issued by (i) the Ministry of Manpower (“MOM”) on the updated safe management measures at the workplace; (ii) the MOM on COVID-19 vaccination in relation to the workplace; and (iii) the Personal Data Protection Commission (“PDPC”) on the collection of personal data at the workplace for COVID-19 contact tracing.

MOM guidance on the updated Safe Management Measures at the workplace[1]

MOM has … Continue Reading

US SEC announces three actions charging firms for cybersecurity deficiencies

Photo of Kevin Harnisch (US)Photo of Chris Cwalina (US)Photo of Will Daugherty (US)Photo of Ashley Zatloukal (US)Photo of Matthew Niss (US)By Kevin Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on Posted in Cybersecurity, Enforcement

On August 30, 2021, the Securities and Exchange Commission (SEC) announced enforcement actions against three sets of broker-dealer and/or investment advisers for alleged failures in the entities’ cybersecurity policies and procedures with respect to email account compromises and the exposure of customer information in violation of Regulation S-P, known as the Safeguards Rule.

In a recent legal update, “US SEC announces three actions charging firms for cybersecurity deficiencies,” Kevin Harnisch, Chris Cwalina, Will Daugherty, Ashley Zatloukal and Matthew Niss discuss the SEC’s enforcement actions and provide further information on the Safeguards Rule.… Continue Reading

Proposed “Cyber Incident Reporting for Critical Infrastructure Act of 2021”

Photo of Will Daugherty (US)Photo of Susan Ross (US)By Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity

On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report cybersecurity incidents to the CIR Office. The bill would be known as the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (the Act) and would build on recent Executive Orders and directives aimed at the U.S. critical infrastructure (including pipelines).… Continue Reading

The UK Government unveils its post-Brexit plans to shake up data protection laws

Photo of Lara White (UK)Photo of Marcus Evans (UK)By Lara White (UK), Marcus Evans (UK) and Isabella Martinez-Sistac Orozco on Posted in General, Privacy law, Regulatory response

On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”.

The key points to note in relation to the UK Government’s announcement are the following:

  • the UK Government has set out its Mission Statement on the UK’s approach to international data transfers, announcing those countries that
Continue Reading

Ontario moves towards introducing new privacy law

Photo of Imran Ahmad (CA)Photo of Liana Di Giorgio (CA)By Imran Ahmad (CA) and Liana Di Giorgio (CA) on Posted in General, PHIPA, PIPEDA, Privacy law
Data Protection Report - Norton Rose Fulbright

Given global trends in the development of privacy laws and enforcement, Canada and several provinces are looking at modernizing their respective privacy regimes. Ontario’s new proposed privacy law, which would govern commercial activities more broadly than current legislation (i.e., our federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA)), is intended to enhance the public’s confidence in Ontario’s digital economy by recognizing individuals’ fundamental right to privacy and imposing strict compliance obligations and financial penalties on organizations doing business in Ontario.

On June 17, 2021, the … Continue Reading

PIPL: A game changer for companies in China

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Compliance and risk management, Cybersecurity
Data Protection Report - Norton Rose Fulbright

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations.

As is usual with all China laws, many of the concepts and requirements are high-level and we expect that some further details will be provided in regulations and practical … Continue Reading

China passes the Personal Information Protection Law

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Compliance and risk management, Cybersecurity
Data Protection Report - Norton Rose Fulbright

China passed its Personal Information Protection Law (PIPL) on 20 August 2021.  The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet.

In addition, China published the Provisions on the Administration of Security of Automobile Data (For Trial Implementation) (Automobile Data Regulation) today, which will take effect on 1 October 2021.

With respect to the PIPL, it is reported that the final version will include some new rules on the processing of personal information, such as:

  • If information push or
Continue Reading

“Am I a CII operator?” – New regulation in China provides more clarity

Photo of Anna Gamvros (HK)Photo of Lianying Wang (CN)By Anna Gamvros (HK) and Lianying Wang (CN) on Posted in Cybersecurity, Data Transfer, Regulatory response
Data Protection Report - Norton Rose Fulbright

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same key question by our clients who do business in China: “Am I a CII operator?”. Now, a new regulation provides more clarity on this.

On 17 August 2021, the State Council of China published the Regulation on Protection of Security Continue Reading

LexBlog