The EDPB publishes its finalised version of the Recommendations on supplementary measures

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on Posted in Data Transfer, Regulatory response

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement.

This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information).  Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.

The new SCCs and the Recommendations show that compromise between the Commission and the EDPB has been … Continue Reading

Google to nix “GAID” for opted-out users on Android

Photo of Steve Roosa (US)Photo of Daniel Rosenzweig (US)By NRF Digital Team, Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in NT Analyzer Blog Series
Google to nix “GAID” for opted-out users on Android

Steve Roosa and Daniel Rosenzweig report on Google’s recent announcement regarding Android GAID settings.

Beginning later in 2021, for Android 12, Android devices will “zero-out” the Google Advertising ID (“GAID”) for users who have opted out of tracking and personalized advertising. (In other words, using the “Opt out of Ads Personalization” settings).

Read the full post on the NT Analyzer blog.… Continue Reading

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

Photo of Lara White (UK)By Lara White (UK) on Posted in Enforcement

Introduction

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply.  noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/”reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make … Continue Reading

A deeper dive into the new Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on Posted in Data Transfer, Regulatory response

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs).  Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.

The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data.  This approach was … Continue Reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

Photo of Marcus Evans (UK)Photo of Lara White (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs).  The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA.  They will also be a lawful mechanism for UK companies to use too.

The new SCCs were updated to:

  • allow for various types of transfers (in particular those between a processor and a sub-processor);
  • give the clauses a GDPR ‘face lift’; and
  • address the requirements of the Schrems II judgement.

Organisations may continue to use the current SCCs until 27 September … Continue Reading

Top practical tips on the preservation, collection and review of mobile data in investigations.

Photo of Andrew Reeves (UK)Photo of Claudia CulleyBy Andrew Reeves (UK) and Claudia Culley on Posted in Compliance and risk management

Remote working has accelerated the merger of work and private data, particularly on mobile phones and instant messaging services such as WhatsApp.

While employees are performing their jobs, mobile access may be putting their employers at risk – because work-related communications on unapproved platforms are frequently not preserved in accordance with regulatory requirements (where applicable), and are often inaccessible or overlooked in the event of an investigation or litigation.

We have outlined below practical tips for the preservation, collection and review of mobile data in an investigation.

General

  1. Know the expectations of relevant authorities regarding the preservation of mobile data.
Continue Reading

Proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts

Photo of Anna Gamvros (HK)Photo of Ruby Kwok (HK)Photo of Edward Yau (HK)By Anna Gamvros (HK), Ruby Kwok (HK) and Edward Yau (HK) on Posted in Regulatory response

The Hong Kong Government is proposing amendments to the Personal Data (Privacy) Ordinance (the “PDPO”) to combat doxxing acts. On 17 May 2021, the Constitutional and Mainland Affairs Bureau (the “CMAB”) published a discussion paper on the proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts (LC Paper No. CB(4)974/20-21(03)) (the “Paper”).

Doxxing is the act of publishing private or identifying information about an individual on the Internet, typically for malicious purposes, and has become more common in Hong Kong in recent years.

The Paper came more than a … Continue Reading

US NYDFS settles cybersecurity regulation matter for US$1.8M

Photo of David Kessler (US)Photo of Susan Ross (US)Photo of Patrick Burke (US)By David Kessler (US), Susan Ross (US) and Patrick Burke (US) on Posted in Cybersecurity
Data Protection Report - Norton Rose Fulbright

On May 13, 2021, the New York Department of Financial Services (NYDFS) announced a $1.8 million settlement with two related insurance companies, relating to violations of two different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2019.… Continue Reading

Final Revised SCCs expected as early as next week with Final Revised EDPB Recommendations to follow after 15 June

Photo of Marcus Evans (UK)Photo of Christoph Ritzer (DE)By Marcus Evans (UK) and Christoph Ritzer (DE) on Posted in Data Transfer
Data Protection Report - Norton Rose Fulbright

It was reported yesterday that publication of revised final EU Standard Contractual Clauses may be as soon as next week and that revised final EDPB Recommendations possibly following the EDPB’s next plenary meeting on 15 June.  This follows comments made by Ralf Sauer, EU Commission Deputy Head for International Data Flows, and Alexander Filip, Head of International Transfers at the Bavarian DPA at the DACH regional KnowldegeNet.

The initial draft documents can be found here. We will be providing updates on these documents and steps that exporters and importers should take once they are published in final form.… Continue Reading

LexBlog