If you don’t know why November 1 is a big day in Canada, read this!

By Ryan Berger (CA) on October 15, 2018 Posted in Compliance and risk management, Data breach

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018.

Here are three measures your organization ought to take in preparation for mandatory breach reporting:

1. Implement internal breach reporting and response protocols.

Organizations subject to PIPEDA will be required to separately report to individuals and to the Privacy Commissioner of Canada breaches of “security safeguards” involving personal information that pose “a real risk of significant harm” to individuals.

It is likely few employees in an organization will know about this requirement, or understand what sort of breach must be reported. Due diligence requires organizations to have a breach reporting procedure in place, and training on it, to ensure information concerning a breach can be handled appropriately. Studies on breaches demonstrate that employees can be the weakest link. Let your employees help you. Also, prompt recognition and escalation of a real issue, and notifying people affected by a breach that their information may have been compromised can be matters of good customer service.

2. Review and update third-party vendor and service provider agreements.

Your organization will be responsible for personal information under its control, which includes information held by your vendors and service providers. Most third-party services agreements do not contemplate the type of breach reporting up the chain from the service provider required to satisfy the lead organization’s breach reporting and record-keeping requirements.

Most organizations rely on their service providers to safeguard and manage sensitive information. Do not let gaps in your agreements result in a breach of notification or record-keeping requirements, or leave any potential for embarrassing reputational risks.

3. Develop a plan for record retention: do not create evidence or waive privilege.

The new regulations require an organization to maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred. This requirement is daunting and you may be asking yourself, “What is the extent of the records required?” and, “Are we just preserving evidence for a class action claim?”

The regulations say the records must contain any information that enables the Commissioner to verify compliance with the reporting requirements, particularly referencing the legal issue of whether it is reasonable in the circumstances to believe that the breach creates “a real risk of significant harm” to an individual. The Commissioner’s guidance on this point calls for a general description of the circumstances of the breach and, if a breach is not reported, a brief explanation as to why not.

Keeping the right records can be tricky. As demonstrated in Kaplan v. Casino Rama Services Inc., 2018 ONSC 3545, it may be too easy to waive privilege over investigation and forensics reports. You need a plan in place that will address the record-keeping requirements and help maintain privilege over records. Involve your legal counsel in the development of your incident response plans and breach response to ensure you get this right.

If you have questions about whether your organization is subject to PIPEDA and a particular data breach needs to be reported, you can ask Parker, our privacy chatbot.

Lloyd v Google – putting the brakes on English data breach litigation?

By Steven Hadwin (UK), Ffion Flockhart (UK), Jonathan Ball (UK), Marcus Evans (UK), Charlie Weston-Simons (UK) and Rahul Mansigani (UK) on October 8, 2018 Posted in Data breach, Dispute resolution and litigation

Norton Rose Fulbright - Data Protection Report blog

A judgment handed down today by the English High Court will be welcomed by UK data controllers. Lloyd v Google [2018] EWHC 2599 represents a corollary to recent case law expanding the circumstances in which litigation may be brought in relation to breaches of data protection legislation.

Most notably, the case:

reinforces the need for “damage” to be proven by claimants before compensation can be obtained in these circumstances; and
makes clear that the courts will not permit representative claims to be brought on behalf of a potentially large population of claimants without close scrutiny of the basis of those claims.

Recent discussion in the UK relating to data breach-related litigation has largely been focussed on the increasing risk of large-scale litigation arising from data breaches. While that risk has undoubtedly grown in the past few months due to recent case law and the implementation of GDPR, Lloyd serves as an important reminder that not all claims brought in these circumstances will be viable.

Background facts: the Safari Workaround

Lloyd v Google concerns an application to serve proceedings out of the jurisdiction on Google, in respect of a claim for compensation arising from the “Safari Workaround”. The Safari Workaround was a well-known means by which Google allegedly obtained private information about internet usage through its use of cookies without individuals’ knowledge or consent, via the Safari web browser used on Apple iPhones. According to the plaintiffs, this information enabled Google to provide information to advertisers to help in targeting or tailoring of advertisements to internet users.

The Safari Workaround was essentially the subject-matter of Vidal-Hall v Google Inc [2015] EWCA Civ 311 [2016] QB 1003. This was a high-profile case which established that compensation could be awarded to individuals under English law if they suffered non-pecuniary loss such as distress arising from a breach of data protection legislation.

The nature of the claim in Lloyd v Google

The representative claimant sought compensation arising from alleged breaches of the data protection principles set out in the Data Protection Act 1998 (the “Act”), committed by the implementation and operation of the Safari Workaround. In bringing the claim, the claimant relied on s13 of the Act which provides data subjects with a means of obtaining compensation should they suffer damage as a result of a contravention of the Act by a data controller. Warby J accepted that there may well have been an actionable breach committed as a result of the Safari Workaround, which could form the basis of a claim for compensation under the Act.

The “damage” requirement

Where the claimant’s position fell down, however, was their inability to demonstrate “damage” as a result of the alleged [tort] – which is a necessary element for any compensation to be awarded pursuant to the Act.

In this regard, the claimant would need to demonstrate material (i.e. pecuniary) loss, or emotional harm such as distress. However, the claimant sought to do neither—relying instead on the commission of the alleged tort (rather than its consequences) as the basis for seeking compensation. The judgment rejected the claimant’s position in stating as follows:

Even if the data controller had no justification for its conduct, and was thus in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach.

The judgment goes on to distinguish Lloyd from Vidal-Hall, in which the Court of Appeal concluded that compensation may be awarded where distress has been suffered as a result of a breach of duty. The Lloyd judgment makes clear that no such compensation can be awarded when a breach of duty has caused neither material loss nor emotional harm, and has had no other consequences for the data subject. In referring to previous case law in this area, the Lloyd judgment states as follows:

I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves… In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case.

It is clear from the above that any claims brought for compensation of this nature in future will need to be supported by compelling evidence of the damage incurred as a result of the alleged breaches of the legislation.

Representative actions

The claim was brought by the claimant on the basis that it should serve as a representative of a very broad class of potential claimants – which would potentially include all individuals who used the Safari browser in England & Wales while the Safari Workaround was ongoing. Estimates as to the size of this class vary but it is accepted that it would encompass several million individuals.

In order for a representative action to be brought in the English courts, the representative party and those whom that party represents need to have “the same interest in” the claim. In this case, the representative claimant and the potential class of claimants were not deemed to have the same interest in the claim—many claimants would not have suffered any damage at all and those who had suffered damage would not be considered to have suffered the “same” damage, given that each person’s position is inherently fact-specific. A representative claim could not therefore be brought on this basis.

In addition, the reasoning in the judgment was influenced by the fact that there had been essentially no interest from the purported class of claimants in seeking redress in respect of the Safari Workaround. This indicated that whatever the technical position as to the viability of a representative action, such an action would not serve as a means of avoiding a large number of similar claims clogging up the courts. On the contrary, the judgment found as follows:

“It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches…. the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated”

Similar reasoning would most likely have been applied to the case had the claimant sought a Group Litigation Order in respect of the claim, which is another means by which the claims could have been pursued on a collective basis in the English courts.

Applicability to GDPR and the Data Protection Act 2018

It will be apparent from the above that Lloyd v Google was brought under the 1998 Act and therefore refers to the pre-GDPR legal landscape. However, the reasoning set out above would appear to apply equally to Art 82 GDPR and s168 of the Data Protection Act 2018, each of which contemplate compensation only in circumstances where “material or non-material damage” has been suffered. The judgment therefore appears to be of equal relevance to the new legal landscape as to the old.

CCPA extends “right to deletion” to California residents

By David Kessler (US) and Anna Rudawski (US) on September 27, 2018 Posted in Compliance and risk management, General

Data Protection Report - Norton Rose Fulbright

Following Europe’s lead and some recent high profile scandals involving the use of personal information, California passed the California Consumer Privacy Act which goes into effect on January 1, 2020. (You can find our coverage of it here.) The law, the first of its kind in the US, is an omnibus privacy law for the state of California that grants individuals new rights in connection with their data – including, the right to erasure. Continue reading

UK Government guidance on continued EU-UK data flows upon a no deal Brexit

By Marcus Evans (UK) on September 18, 2018 Posted in Compliance and risk management

On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the UK leaves the EU in March 2019 with no exit agreement in place. If this happens, there would be no immediate change in the UK’s own data protection laws because the Data Protection Act 2018 would remain in place and – more importantly – the UK’s European Union (Withdrawal) Act 2018 would incorporate the GDPR into UK domestic law.

Under the GDPR, organisations are only permitted to transfer personal data outside the EEA if certain conditions are met. The least onerous route for the exporting entity is where the third country to which the proposed transfer is to be made has an adequate data protection regime in place, as assessed by the EU Commission in making an “adequacy decision”.

Once the UK becomes a third country by virtue of Brexit, EU organisations wishing to continue to send personal data to the UK will typically want to rely on such an adequacy decision. Conversely, under UK data protection law (as it currently stands), personal data could continue to flow from the UK to the EEA on the legal basis that EU data protection law is already adequate (in terms of the requirements of UK legislation). The Notice clarifies that this is how the UK government will interpret the export requirements under UK (although it notes that it will keep this under review).

The European Commission has stated that, if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision, allowing the transfer of personal data to the UK without restrictions.

However, if the European Commission has not made an adequacy decision regarding the UK at the point of Brexit (which is certainly possible in the event of a no-deal Brexit), the Notice suggests that UK businesses wishing to receive personal data from organisations established in the EEA should consider assisting its EEA counterpart in identifying an alternative legal basis for the EEA to UK transfers.

For the majority of UK businesses, the Notice suggests that the most relevant alternative legal basis for transfer to the UK would be the EU standard contractual clauses. These are model data protection clauses that have been approved by the European Commission and enable the free flow of personal data when included in a contract. The clauses contain contractual obligations on both the recipient of personal data (in this context, a UK business) and the EEA counterpart, and provide for directly enforceable rights for the individuals whose personal data is transferred in certain circumstances.

Our take

Given the inflexible nature of the EU data protection export regime and the time and effort it can take to re-paper data processing or sharing agreements, UK businesses should start to review client, business partner and intra-group agreements with EEA counterparties and consider incorporating EU standard contractual clauses covering data flows from the EEA counterparties to the UK now. These standard contractual clauses should bite should there be a “no deal Brexit” and the UK becomes a third country without an adequacy finding.

Businesses should also consider their contingency positions if personal data is unable to flow as freely from EEA subsidiaries to parent companies or European HQs established in the UK as it does today. For example, initial reviews for e-discovery for US litigation or regulatory disclosure might need to be undertaken in an EEA country rather than in the UK in these circumstances.

The work that businesses have undertaken to understand and map their processing to comply with the GDPR will make identifying impacted personal data operations more straightforward.

For more information on the Notice and the UK government’s guidance, see DCMS advises regarding continued UK-EU data flow upon a no deal Brexit.

California Consumer Privacy Act: Disclosure requirements

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin (US) on September 11, 2018 Posted in General

This is the Data Protection Report’s fourth blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Singapore’s new Cybersecurity Act comes into force: Here’s what you need to know

By Stella Cramer (SG), Wilson Ang (SG), David Olds (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on September 6, 2018 Posted in General

The much discussed Cybersecurity Act 2018 (Act. 9 of 2018) (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018 [1]. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity. It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin (US) on August 27, 2018 Posted in General

This is the Data Protection Report’s third blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

New law imposes disclosure requirements on software licensors

By Susan Ross (US) on August 24, 2018 Posted in Compliance and risk management

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

As a result of the 2019 National Defense Authorization Act, the Secretary of Defense implemented new disclosure obligations on software licensors whose software code has been reviewed or accessed by a foreign government. The Act was signed into law on August 13, 2018 and will significantly impact software licensors who engage with the federal government’s defense agencies relating to “obligations to foreign governments.” Continue reading

California Consumer Privacy Act blog series: Covered entities

By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on August 16, 2018 Posted in Compliance and risk management, General, Regulatory response

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA. Continue reading