On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive. Formal approval by the Council is expected shortly and by the European Parliament in early 2016, after which the legislation will be published in the Official Journal. The new provisions will apply two years later, in the first quarter of 2018.
December 2015
Major cybersecurity breach hits Hong Kong company
The Office of the Privacy Commissioner for Personal Data (PCPD) announced on 1 December 2015 that it has commenced an investigation on a data breach incident of VTech Holdings Limited (VTech), a Hong Kong stock exchange listed supplier of children’s learning products that is based in Hong Kong. The scope of the data breach is unclear, but it is likely that data subjects other than Hong Kong residents are affected. It was reported that the attorneys-general in the US states of Connecticut and Illinois have also announced plans to conduct their own investigation into this security breach.
Council and European Parliament reach agreement on NIS Directive
On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).
The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed a directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the NISD.
Data breach notification places cyber-risk at the top of the agenda
The bar is to be raised yet again for privacy compliance in Australia. Cyber-risk has become a key agenda item for boards for the public sector, and the impending mandatory data breach notification regime is set to propel cyber-risk to the top of the agenda.
Canada uses anti-spam law to take down Toronto botnet
The Canadian Radio-television and Telecommunications Commission (CRTC) announced on Thursday, December 3, 2015, that it had served its first-ever warrant under Canada’s anti-spam law (CASL, enacted July 2014) to take down a command-and-control server located in Toronto, Ontario, that was being used to distribute Win32/Dorkbot malware.