California AG Issues Significant Changes to Draft CCPA Regulations as of March 2020

On February 7, 2020, and again on March 11, 2020, the Office of the Attorney General (OAG) issued revisions to the proposed California Consumer Privacy Act (CCPA) regulations, and there are some surprises in both the additions and in the deletions. For the CCPA regulations to become effective on July 1, the final regulation text must be filed with the Secretary of State by May 29.


Obtaining and sharing employee health status information in a pandemic

Norton Rose Fulbright - Data Protection Report blog

Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic.

Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed against the privacy rights of employees. Depending on where their employees are located, employers may have to favor privacy over virus detection. This blog sets out a few of the key issues and a snapshot of how they are dealt with across five European jurisdictions (the UK, France, Germany, Italy and the Netherlands), the US and three Asian jurisdictions (China, Hong Kong and Singapore) as of April 3, 2020. It examines the position under labor and data protection laws without exploration of wider State powers that may be exercised in some jurisdictions.

Can we ask our employees to self-declare COVID-19 symptoms?

  • Yes in the US, UK and Singapore. These jurisdictions permit an employer to require self-reporting but, in the UK, an employer would need to explain the reason for the self-reporting to the workforce, i.e. it is required to protect the health and safety of others.
  • In China and Hong Kong, requests can be made but unless their employment contract specifically requires it, employees cannot be required to report their symptoms to employers. Please note that it is, however, possible for Chinese employers to report cases of non-compliance by their employees to certain state authorities (e.g. police and disease control agencies) which do have powers to enforce the declaration of symptoms.
  • In Germany, employers can request that employees self-declare COVID-19 symptoms but they cannot compel this.
  • In France, employees must inform their employer in the event of suspected contact with the virus. However, employers can only request (i.e. they cannot force) employees to provide further information in relation to their exposure. Employees who have symptoms of an illness are not required to divulge to their employer the reason for their sickness leave, or their symptoms.
  • In Italy, self-reporting would be permissible but only via a company doctor.
  • In the Netherlands, employees cannot be required to self-declare, as employers are not allowed to ask about the nature and cause of an employee’s illness.

Can we temperature test on entry to a workplace?

  • In Singapore and the US, temperature testing can be required by employers given the widespread nature of infection. In Germany, this is also permissible provided that it is undertaken by a health care professional.
  • In China, Hong Kong, the Netherlands and the UK, employees can be requested but not compelled to take temperature tests (although if agreed contractually with the employee, in Hong Kong and China, testing may be compelled). In the Netherlands and the UK, the tests would need to be undertaken by a healthcare professional. As a matter of standard practice, it is the norm for property management companies in China to manage testing and reporting in relation to employees of office buildings which they manage. In China, a failure to take the test could be reported to the authorities.
  • In France, employers cannot collect information such as the results of a temperature test and cannot administer the test themselves.

Under what circumstances can the employer divulge information about affected employees?

  • In the UK, France, Italy, Germany and the Netherlands, employee consent, particularly in acute circumstances like these, is very unlikely to be deemed “freely given”. Therefore (except in the Netherlands, please see below), disclosure of the identity of an infected employee to others should only be undertaken on the grounds that it is necessary to provide a safe workplace or to meet public health requirements (both of which must be prescribed at an EU member state level). This is considered an extreme intrusion into an individual’s private life, with the possibility of stigma and recrimination, and so is generally only possible to those who are likely to have been in close contact with the infected employee. All decisions related to obtaining and sharing health data in the UK, France, Italy, Germany and the Netherlands in these circumstances should be carefully documented in a data protection impact assessment, which weighs the benefit to society against the intrusion to the individual’s privacy and sets out the measures that reduce that impact to the minimum necessary. As the consequences of infection recede, the justification for overriding the normal confidentiality of health conditions will diminish, so privacy officers need to keep all these measures under review.
  • In the Netherlands, employers are not allowed to inform others of the employee’s infection. The healthcare professional will inform the regional GGD (i.e. the local health organization for preventive healthcare). Subsequently, the GGD can take measures in respect of the workplace involved in consultation with the employer.
  • In Hong Kong, although consent would be necessary before divulging health information, the limits of this type of sharing would be similar to those described above in relation to European jurisdictions.
  • In the US, China and Singapore, it would be necessary to obtain employee consent unless disclosure without consent is permitted by an exception in any applicable data protection legislation or permitted under another law.

What employee works councils or trade unions obligations are applicable in relation to the implementation of these measures?

  • In China, Hong Kong and the Netherlands, no trade union or works council information or consultation obligations would generally apply to the implementation of these measures.
  • In Singapore, the UK and the US any union collective bargaining agreements should be checked and, if these questions are covered, the unions should be consulted prior to their implementation.
  • In France, employers are required to maintain a document which records health and safety assessments of the workplace, including professional risks and actions taken by the business. This document would need to cover the measures discussed regarding COVID-19, together with risks and actions taken. Whenever this document is updated, it is subject to consultation with the employer’s Social and Economic Committee.
  • In Germany, these measures would be subject to a co-determination right by the works council. The employer is required to consult the works council for approval and conclude a works agreement specifying the relevant data, methods and place of temperature test, retention period, recipients and period for which the access to facilities would be denied.
  • In Italy, because a nationwide union agreement has been signed by unions, government and employers’ associations regarding these matters, further information and consultation with unions is not legally required.

With thanks to Jurriaan Jansen, Christoph Ritzer, Anna Gamvros, Stella Cramer, Barbara Li and Joe Dole for their contribution to this article.

NYDFS Requires COVID-19 Plans by April 9

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.

NYDFS does not have a one-size-fits-all set of requirements, but instead requires that the plan be “sufficiently flexible to effectively address a range of possible effects that could result from an outbreak of COVID-19, and reflect the institution’s size, complexity and activities.” The regulated institution’s board of directors is responsible for ensuring that the plan is in effect, with sufficient resources allocated to its implementation. Senior management are the ones to ensure that specific policies, procedures and processes are in place and effectively communicated to employees.

While this guidance is aimed at those regulated entities engaged in virtual currency activity, other regulated entities also could use the guidance as part of their own pandemic preparedness planning.

The plan must cover nine subjects, as further described in the guidance:

  1. Preventative measures to mitigate the risk of operational disruption, including identifying the impact on your customers, and counterparts;
  2. Strategy to address the impact of the outbreak in stages, so that your efforts can be appropriately scaled, consistent with the effects of a particular stage of the outbreak;
  3. Assessment of all of your facilities, systems, policies and procedures necessary to continue critical operations and services if your employees are unavailable for longer periods or are working off-site, including the effectiveness and security of remote access;
  4. An assessment of potential increased risk of cyber-attacks and fraud due to an outbreak;
  5. Employee protection strategies, including employee awareness and steps that employees can take to reduce the likelihood of contracting COVID-19;
  6. Assessment of preparedness of your critical third-party service providers and suppliers;
  7. Development of an effective communication plan to reach customers, counterparties and the public, as well as to communicate with employees, and provide a way for questions to be raised and answered;
  8. Testing the plan to ensure your policies, processes and procedures are effective; and
  9. Governance and oversight of the plan, including identifying the critical members of your response team, to ensure ongoing review and updates to the plan, including the tracking of relevant information from government sources and your own monitoring program.

The plan also must consider the financial risks to your business:

  • Assessment of the valuation of your assets and investments that may be, or have been, impacted by COVID-19;
  • Assessment of the overall impact of COVID-19 on your earnings, profits, capital, and liquidity of your institutions; and
  • Assessment of reasonable and prudent steps to assist those adversely impacted by COVID-19.

As noted above, the NYDFS wants the plan to include an assessment of potential cyberattacks at the institution, noting it had special concerns with respect to hacking risks, given how dependent virtual currency businesses are on software and electronic accounts. NYDFS pointed out that bad actors are seeking to take advantage of the disruptions caused by the current coronavirus emergency, and therefore requires that the plan include increased security measures to detect possible fraudulent activity. For example, the NYDFS cybersecurity regulations require implementation of multi-factor authentication.

In addition, NYDFS expressed concerns about custody risks, “such as the possible need for special arrangements to move Virtual Currency from ‘cold’ to ‘hot’ wallets during times when employees may not all be working from their usual locations.” Because people likely will be working from alternate locations, employers may wish to remind their employees to be extra vigilant: many employees may have forgotten passwords or other user credentials. Consider using multi-factor authentication or other out-of-band communications for credential resets, so that credentials are reset for legitimate users and not for hackers trying to steal cryptocurrency.

The same day, similar letters requiring the submission of preparedness plans also were issued to all NYDFS-regulated institutions covering operational and financial risks, and an additional letter was issued to NYDFS-regulated insurance entities.

The NYDFS has a special webpage devoted to the pandemic. In addition, Norton Rose Fulbright has established a webpage focused on the COVID-19 pandemic, offering a wide variety of information and training resources.

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)


In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.

The key issue before the Supreme Court was whether the “close connection” test developed in previous case law was satisfied, and therefore whether vicarious liability could be imposed on Morrisons. The Supreme Court found that this was not the case, for the following reasons:

  1. The employee’s actions in causing the data breach were not within the “field of activities” of the employee. This meant that his actions were not so closely connected with that task that they can fairly and properly be regarded as made by him while acting in the ordinary course of his employment;
  2. A temporal and/or causal link is not enough. The fact that his employment gave the employee the opportunity to commit the data breach is not sufficient to warrant the imposition of vicarious liability; and
  3. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta (as was the case here – the employee’s motivation in committing the data breach was to harm his employer, not to further its business). The employee’s motive is therefore relevant in that analysis.

This decision sets aside a significant liability risk which had arisen following the previous decisions in the case. In addition, the Court of Appeal’s comment that companies should simply obtain insurance to cover this liability risk will no longer be troubling for the insurance market.

The Supreme Court’s decision largely puts an end to a paradoxical situation that had arisen – specifically that in making findings of vicarious liability against employers in circumstances where an employee was looking to harm their employer by causing a data breach, the courts could in some circumstances be furthering the malicious aims of that employee.

All that said, it is important to note that the judgment does not set aside the possibility of employers being found vicariously liable in the data breach context per se. The Supreme Court was not persuaded by Morrisons’ arguments that the Data Protection Act 1998 (and by implication, its successor legislation in the form of the Data Protection Act 2018 and the EU General Data Protection Regulation) exclude vicarious liability for statutory and common law wrongs in the data breach context. What this means is that if an employee did satisfy the “close connection” test when they caused a data breach, vicarious liability on the part of the employer remains a possibility.

“Heightened risk of cyber criminals exploiting COVID-19 fears”, NCSC warns


The National Cyber Security Centre (the NCSC) has warned that businesses and the public face an increased threat from attacks seeking to exploit COVID-19 (coronavirus), particularly given the move to home-working as a result of the COVID-19 outbreak.

We have already seen reports of fraudulent “phishing” emails sent by criminals impersonating the World Health Organisation and the US Centers for Disease Control. Individuals in the UK have also been targeted by COVID-19-themed phishing emails with infected attachments containing fictitious ‘safety measures.’ We are also aware of reports that phishing and other cyber attacks have increased in Italy in particular, as businesses and individuals there deal with the challenges posed by COVID-19. We can only expect such potential threats to increase as businesses and individuals adjust to the “new normal” of decentralisation and increased home-working.

Further information, including guidance from the NCSC in relation to staying safe from “phishing” can be found at the link below.

Thailand Personal Data Protection Law

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become effective on 27 May 2020, one year after the PDPA was published.

The PDPA is under the supervision of the Ministry of Digital Economy and Society and the main supervising authority of the PDPA is the Office of Data Protection Committee (Office).

Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance


A few weeks ago, we blogged about the decision of the English High Court in AA v. Persons Unknown & Ors.

Given the level of interest in the case, we have prepared a deeper dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance.

Personal data protection in the time of coronavirus (Covid-19)


Outbreak of the coronavirus and personal data privacy

The fast-spreading coronavirus (Covid-19) has infected thousands of people in China and in over 20 other countries. This coronavirus outbreak, originating in Wuhan, a large city located in the central region of China, has been declared a Public Health Emergency of International Concern (PHEIC) by the World Health Organization.

Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA


Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. [1] Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.