Canada’s artificial intelligence legislation is here

On 16 June 2022 the Canadian federal government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. If passed, this package of laws will: Implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA). Reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with … Continue reading

Bill C-26: a first step at reinforcing Canadian cybersecurity

Data Protection Report - Norton Rose FulbrightOn June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts: The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system; The second is to enact the Critical Cyber … Continue reading

UK GDPR Reform: government publishes response to consultation – likely to form basis of forthcoming UK Data Reform Bill

The Department for Culture, Media and Sport (DCMS) has finally published the UK government’s long-awaited response to the consultation on the future of the UK data protection regime. The government set out very high level principles for a Data Reform Bill in the Queen’s Speech in May. If legislation is to be passed in this … Continue reading

The aftermath of an incident – why keeping records of data breaches and privacy incidents matters

Data Protection Report - Norton Rose FulbrightAs privacy incidents and security breaches involving personal information become increasingly frequent, organizations are more and more aware of the importance of implementing a robust privacy program to mitigate the risks and impacts of such incidents. While this preparation is important, organizations must also consider the aftermath of a privacy incident. In this first blog … Continue reading

Points to note on the European Commission’s questions and answers on the Revised Standard Contractual Clauses (SCCs)

On May 25th 2022, the European Commission published a series of questions and answers on the SCCs to be used between controllers and processors within the European Economic Area (EEA), and the SCCs to be used for transfers to countries not considered adequate by the European Commission (Third Countries) (the Q&As). The text of the … Continue reading

EDPB publishes guidance on calculating GDPR fines

On 12 May 2022 EDPB adopted Guidelines on the calculation of administrative fines (the Guidelines).  The Guidelines supplement the Article 29 Working Party’s Guidelines on the application and setting of administrative fines (WP253) adopted in October 2017 and recommends that the two are read together.  Whereas the previous guidance set out general principles for when … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

Data Protection Report - Norton Rose FulbrightIn this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

Federal Privacy Commissioner Published Guidance on What Is “Sensitive” Personal Information

Data Protection Report - Norton Rose FulbrightOn May 16, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released an Interpretation Bulletin (the “Bulletin”) on what it considers to be “sensitive” personal information under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Bulletin is  meant to act as a consolidated guide based on jurisprudence, regulatory findings, … Continue reading
LexBlog