Apple’s New Privacy Requirement: The Impact and the Solution

By Steve Roosa (US) and Daniel Rosenzweig (US) on October 16, 2020 Posted in NT Analyzer Blog Series

Solving Apple's New App Privacy Requirement

Apple recently announced that it will require app developers to provide extensive, granular information about their app’s privacy practices on App Store Connect, such as the type of data collected from users as well as the identity of third parties and the specific purpose of the collection. (See https://developer.apple.com/support/app-privacy-on-the-app-store/.)

NT Analyzer is equipped to provide organizations with a digestible and readily available report to meet this requirement. Read more about the requirements and our solution on our NT Analyzer website.… Continue Reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

By David Kessler (US) and Susan Ross (US) on October 15, 2020 Posted in CCPA, Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

The California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes. You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them. The accepted regulations became final on August 14, 2020.

The proposed regulatory changes from October 12 are available at www.oag.ca.gov/privacy/ccpa/current The proposed changes would affect four sections of the CCPA regulations, but the one most likely to affect our readers is this one:

999.315 (Requests

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it

Singapore tables changes to the Personal Data Protection Act in Parliament

By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on October 12, 2020 Posted in Cybersecurity, Data breach

Following the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020.

The Bill introduces five key changes to the Personal Data Protection Act 2012:

Increased financial penalties: Up to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million), or S$ 1 million, whichever is higher.
Mandatory data breach notification: Organisations must notify the PDPC of any

Thermal cameras and COVID-19 – The German DPAs have spoken

By Christoph Ritzer (DE) and Natalia Filkina (DE) on October 9, 2020 Posted in Compliance and risk management

On September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic.

Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it considers the use of thermal cameras in the work place to be admissible, provided that the requirements of data protection by design laid down in Art. 25 GDPR and security of data processing in to Art. 32 GDPR are complied with.

In detail:

German

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Germany: New 35 million fine for breaching employee privacy

By Christoph Ritzer (DE) and Natalia Filkina (DE) on October 5, 2020 Posted in Data breach

On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M.

The German subsidiary operates a central service centre in Nuremberg. The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data and sensitive data. Apparently some of the records went back as far as 2014.

The DPA also expressed concerns over personal data collected in relation … Continue Reading

101 Problems and Schrems Ain’t One

By Steve Roosa (US) and Daniel Rosenzweig (US) on September 29, 2020 Posted in General

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.

The main questions facing companies at this point are:

Do my websites and mobile apps, when used in the EU, transmit data to the US,

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

By David Kessler (US) and Susan Ross (US) on September 23, 2020 Posted in Compliance and risk management, Cybersecurity, Data breach

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

CCPA – Health Research Bill Passes Legislature

By David Kessler (US), Susan Ross (US) and Anna Rudawski (US) on September 9, 2020 Posted in CCPA

Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that will be of interest to anyone involved in medical research as the new bill would ease some CCPA restrictions on research. The changes pertaining to healthcare data are expected to pass and are clearly responsive to additional needs to share information and conduct research on potential treatments and vaccines for the ongoing COVID pandemic. The bill has been sent to … Continue Reading