EDPB cautiously welcomes UK adequacy finding

By Lara White (UK) and Janine Regan (UK) on April 16, 2021 Posted in General, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021.

The EDPB recognises that the UK’s adequacy assessment is unique given it was an EU Member State until very recently and therefore acknowledges there are many areas of convergence between the UK and EU regimes. However, much of the Opinion examines a number of “challenges” with … Continue Reading

Don’t let Apple determine your app’s fate

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 13, 2021 Posted in NT Analyzer Blog Series

Apple, in centralizing control over data collected on iOS, is rejecting apps from the App Store, essentially 50,000 apps at a time.

For example, the App Store recently rejected updates to an app that used a third party software development kit (“SDK”) from Adjust. As a result of the SDK and according to Apple (as reported by Forbes):

“[Your app]…collects user and device information to create a unique identifier for the user’s device [via fingerprinting] … Per section 3.3.9 of the Apple Developer Program License Agreement, neither you nor your app can use any permanent, device-based identifier … for … Continue Reading

Navigating Virginia’s new privacy law

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 8, 2021 Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key.

Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The law also requires controllers to conduct a data protection assessment and implement technical data security practices.

NT Analyzer is equipped to provide organizations with a solution to meet this requirement. Read more about this new law and our solution on … Continue Reading

To be or not to be . . . an “autodialer”

By David Kessler (US) and Susan Ross (US) on April 5, 2021 Posted in Compliance and risk management

On April 1, 2021, the U.S. Supreme Court decided the question whether the Telephone Consumer Protection Act’s (TCPA) definition of “autodialer”

encompasses equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” It does not. To qualify as an “automatic telephone dialing system,” a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.

Facebook, Inc. v. Duguid, No. 19-511 (April 1, 2021) (2021 WL 1215717).

Background

The … Continue Reading

New York State imposes a $1.5 million penalty in cybersecurity breach case

By Susan Ross (US) and Kathleen Scott (US) on March 17, 2021 Posted in Cybersecurity

On March 3, 2021, the New York Department of Financial Services (NYDFS) announced a Consent Order with a NYDFS-licensed Maine-based mortgage banker and loan servicer settling alleged violations of the NYDFS cybersecurity regulations. (In the matter of Residential Mortgage Services, Inc., March 3, 2021).

The Consent Order required RMS to pay $1.5 million, and within 90 days, submit to NYDFS all of the following: a comprehensive written Cybersecurity Incident Response Plan; a comprehensive cyber risk assessment; RMS’ risked-based policies, procedures and controls; and documentation on its more recent cyber training.

The full post appears on the firm’s Financial … Continue Reading

Privacy commissioners take position on using facial recognition technology

By Imran Ahmad (CA), Sara A. Levine, QC (CA), Alexis Kerr (CA), Julie Himo (CA), Saba Samanian (CA) and John Cassell (CA) on March 11, 2021 Posted in Cybersecurity, Data breach

Investigative findings

In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police lineup.” They found Clearview collected highly sensitive information without the knowledge or consent of individuals, and did so for an inappropriate purpose.

Several key considerations informed the commissioners’ views.

Online data is protected

Heavy reliance on social media, and on the readily available personal information … Continue Reading

Virginia’s new Consumer Data Protection Act

By David Kessler (US) and Susan Ross (US) on March 8, 2021 Posted in Compliance and risk management

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023.

But first, you need to determine whether the law applies to your business. The law begins:

This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of … Continue Reading

Deutsche Wohnen fine now declared invalid by a German court

By Christoph Ritzer (DE) and Natalia Filkina (DE) on February 25, 2021 Posted in Data breach, Enforcement

Data Protection Report - Norton Rose Fulbright

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

By Marcus Evans (UK) and Shiv Daddar (UK) on February 19, 2021 Posted in Enforcement, General, Regulatory response

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

By Ingemar Kartheuser and Natalia Filkina (DE) on February 18, 2021 Posted in Data Transfer, Regulatory response

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority which is leading a working group focusing on cloud providers is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The … Continue Reading