Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework

By Nick Abrahams (AU), Scott Atkins (AU), Ka-Chi Cheung, Anna Gamvros (HK), Peter Mulligan (AU), Benjamin Kende, Jim Lennon (AU) and Ross Phillipson on November 25, 2021 Posted in Cybersecurity

This article was co-authored with India Bennett. After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments. Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 … Continue reading

US banking regulators promulgate a final rule for 36-hour notice of breach

By David Kessler (US), David Kitchen, Tim Byrne (US) and Susan Ross (US) on November 23, 2021 Posted in Data breach

On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of … Continue reading

Google Play Store Releases Data Safety Form

By Steve Roosa (US) and Daniel Rosenzweig (US) on November 19, 2021 Posted in NT Analyzer Blog Series

Android will adopt iOS-like privacy nutrition labels, called the “Data safety form,” starting April 2022. And according to Google, apps that fail to comply with this upcoming requirement may be “subject to policy enforcement, like blocked updates or removal from Google Play.” While it may be tempting to just repurpose the iOS nutrition labels, Google notes … Continue reading

Privacy legislation reform: Bill 64 has now been passed

By Imran Ahmad (CA), Veronique Barry (CA) and Jeremie Wyatt (CA) on November 17, 2021 Posted in Compliance and risk management, Cybersecurity, Privacy law

Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes: increased obligations for enterprises that collect or otherwise process personal information, the creation of new rights for persons whose information is collected, and the imposition of far … Continue reading

Notice of employer electronic monitoring

By David Kessler (US), Susan Ross (US) and Laura Hunt (US) on November 17, 2021 Posted in Privacy law

On November 8, 2021, New York became the third state to require private employers to provide employees with notice of employer monitoring of phone, email, and internet access/usage.  New York’s new law (SB 2628) goes into effect on May 7, 2022.  New York joins Connecticut and Delaware, whose laws are already in effect.  Unfortunately for … Continue reading

Transfer data outside of China: New security review regulation companies should know

By Anna Gamvros (HK) and Lianying Wang (CN) on November 11, 2021 Posted in General

The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021. The three pillars of China’s cyber security and data legislation – … Continue reading

Good news for data controllers: Lloyd v Google Supreme Court decision

By Dominic Hennessy, Harriet Jones-Fenleigh and Georgina Fernando on November 10, 2021 Posted in General

On 10 November 2021, the UK Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal. In summary, the Supreme Court ruled that damages for “loss of control” are not available for breach of the Data … Continue reading

A Tale of Two Cities: The Right of Private Action in Data Protection in Singapore and Hong Kong

By Wilson Ang (SG), Anna Gamvros (HK), Jeremy Lua (SG) and Edward Yau (HK) on November 2, 2021 Posted in Dispute resolution and litigation, General, PDPA, Privacy law

The Singapore High Court and the Hong Kong District Court have both considered the right to compensation for injury to feelings in two recent cases involving misuse of personal data but arrived at different conclusions. Singapore: In Bellingham, Alex v. Reed, Michael, Mr. Bellingham obtained the email addresses of his former employers’ customers without their … Continue reading

Customers Can Pursue Negligence Claims Directly Against Vendor

By David Kessler (US), Susan Ross (US) and Kevin Lefton (US) on October 29, 2021 Posted in Data breach

On October 19, 2021, a federal trial court in South Carolina ruled that a group of consumers could proceed with common law negligence and gross negligence claims directly against their organizations’ vendor that had been the victim of a security breach—instead of suing the organizations of which they were customers.  In re Blackbaud, Inc. Customer … Continue reading

NT Analyzer: Does your app track users that opted-out of tracking?

By NRF Digital Team, Steve Roosa (US) and Daniel Rosenzweig (US) on October 26, 2021 Posted in NT Analyzer Blog Series

A transparency-focused privacy software company confirms that some apps are continuing to transmit data despite some users having opted-out of “tracking.” The study tested 10 popular apps and discovered that some continue to track even though those users have “ask[ed] app not to track” when presented with the ATT pop-up. Read Steve Roosa and Daniel … Continue reading