Bill C-11: Canada proposes new data privacy legislation

By Colin Hyslop (CA) on November 20, 2020 Posted in Enforcement

Norton Rose Fulbright - Data Protection Report blog

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading

COVID tracing & AI: Physically distant, socially together

By Daniel Daniele (CA) on November 18, 2020 Posted in Compliance and risk management, Data Transfer

Data Protection Report - Norton Rose Fulbright

As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity of users, but concerns over privacy and the use of artificial intelligence (AI) in analyzing the data may hinder that objective.

COVID tracing apps

With the launch of COVID Alert, Canada joined 40 other countries that have launched tracing apps. The Bluetooth-based app … Continue Reading

German Court cuts multimillion GDPR fine by 90%

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 17, 2020 Posted in Data breach, Enforcement

In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal … Continue Reading

Hong Kong introduces a contact tracing app

By Anna Gamvros (HK) and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

NT Analyzer Webinar: Solving Apple’s new app privacy requirement

By NRF Digital Team on November 13, 2020 Posted in Cybersecurity, NT Analyzer Blog Series, Vendor management and transactions

Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue Reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on November 13, 2020 Posted in Data Transfer, Regulatory response

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”. The clauses also aim to “provide for … Continue Reading

California Massachusetts and Michigan – 2020 ballot initiatives on privacy

By David Kessler (US) and Susan Ross (US) on November 6, 2020 Posted in CCPA

The US elections on November 3, 2020 included three states with privacy-related ballot initiatives: California, Massachusetts, and Michigan. Voters supported all three initiatives.… Continue Reading

Apple’s New Privacy Requirement: The Impact and the Solution

By Steve Roosa (US) and Daniel Rosenzweig (US) on October 16, 2020 Posted in NT Analyzer Blog Series

Apple recently announced that it will require app developers to provide extensive, granular information about their app’s privacy practices on App Store Connect, such as the type of data collected from users as well as the identity of third parties and the specific purpose of the collection. (See https://developer.apple.com/support/app-privacy-on-the-app-store/.)

NT Analyzer is equipped to provide organizations with a digestible and readily available report to meet this requirement. Read more about the requirements and our solution on our NT Analyzer website.… Continue Reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

By David Kessler (US) and Susan Ross (US) on October 15, 2020 Posted in CCPA, Compliance and risk management

The California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes. You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them. The accepted regulations became final on August 14, 2020.

The proposed regulatory changes from October 12 are available at www.oag.ca.gov/privacy/ccpa/current The proposed changes would affect four sections of the CCPA regulations, but the one most likely to affect our readers is this one:

999.315 (Requests

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it