CCPA: “Attorney General Amendment” Likely Dead

Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the California Consumer Privacy Act (“CCPA”). The bill is being held in committee and under submission, which means the bill has been blocked and is likely dead. Continue reading

ICO’s draft Age Appropriate Design Code could seriously impact processing of under 18’s personal data

US Supreme Court expands digital privacy rights in Carpenter v. United States

On 15 April 2019, the ICO opened a public consultation on a draft code of practice titled Age Appropriate Design (the “Code”).  The Code will remain open for public consultation until 31 May 2019.

The consultation document is described as a “code of practice for online services likely to be accessed by children.”  However, its potential impact is in fact wider, and is perhaps better described as applying to all online services that are not demonstrably unlikely to be accessed by children, which it controversially defines as individuals under 18.  For this reason, the Code in its current form will have implications for almost all providers and users of online services. Continue reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

Data Protection Report - Norton Rose Fulbright

In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.

Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change. Continue reading

Google and other big data companies face increased scrutiny

Data Protection Report - Norton Rose Fulbright

Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.

A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.

There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.

Get all the details at the full legal update, “Big data companies face increased state and federal scrutiny.”

ICO blog post on AI and solely automated decision-making

Data Protection Report - Norton Rose Fulbright

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”). Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA). Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

Norton Rose Fulbright - Data Protection Report blog

The UK Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338. Continue reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Norton Rose Fulbright - Data Protection Report blog

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations. Continue reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’ Continue reading

LexBlog