Posted in Compliance and risk management
On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.
Posted in Regulatory responseTurkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.
Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the facts of each specific breach.
The obligation to register under TDPL applies to data controllers based outside of Turkey as well as Turkish controllers. Consequently, natural and legal persons who are currently processing personal data but who are based outside of Turkey, are still obliged to comply with the obligation to register. The registration process is different for Turkish and non-Turkish data controllers. Data controllers located outside of Turkey will need to appoint a data controller representative, who must be a Turkish citizen resident in Turkey or a Turkish entity. The representative must complete the registration form available online, and submit it to the DPA. The representative will then appoint a contact person (irtibat kişisi) who must also be a Turkish citizen resident in Turkey (a natural person representative may appoint herself as the contact person). The contact person will submit the required information and complete registration with VERBİS.
The deadline for completing the registration process is fast approaching. Specifically, the following data controllers must complete their registration with VERBİS prior to the deadlines set out below:
Posted in Compliance and risk management
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.
On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who are working on implementing a CCPA program. Click here for our previous coverage of AB 25 (employee exception), AB 846 (customer loyalty program), and AB 1564 (consumer request methods). Continue reading
Posted in Enforcement
On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, must collect relevant consent from the website visitor.
The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act. Continue reading
Posted in GeneralWe are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so. Continue reading
In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”). Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill to remove the toll-free number requirement. Continue reading
Posted in Data breach, Regulatory responseOn Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users. Continue reading
Posted in Compliance and risk managementOften questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them. Continue reading
