November 2016

The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will increase the maximum penalty payable by organisations for criminal acts committed by their representatives.

On November 7, 2016, the Standing Committee of China’s National People’s Congress (NPC) voted to pass the Cyber Security Law (unofficial English translation). Its draft has gone through three rounds of readings and it will become effective from June 1, 2017. This legislation provides for the Chinese government’s supervisory jurisdiction over cyberspace, defines security obligations for network operators and enhances the protection over personal information. It also establishes a regulation regime in respect of critical information infrastructure and imposes data localization requirements for certain industries.

In this post, we outline the key changes it will bring about and discuss the implications for businesses in China.

The European Medicines Agency (EMA) issued guidance on the implementation of its Policy 0070 on the publication of clinical data for medicines, including with respect to anonymization of clinical reports for publication. (As background, please see our previous briefing on the EMA’s new approach to transparency of clinical studies here.) As of October 2016, all drug manufacturers that are making a marketing authorization application under the centralized procedure in Europe will be subject to the new guidance.[1]

On November 1, 2016, the Payment Card Industry (“PCI”) Security Standards Council’s newest set of Data Security Standards (“DSS”) went into effect.  Announced earlier this year, PCI DSS Version 3.2 has made a variety of changes applicable to both merchants that accept payment cards as well as “Service Providers,” which are defined as third-party entities that “store, process, or transmit cardholder data” or that “manage components such as routers, firewalls, databases, physical security, and/or servers” on behalf of merchants. Below, we provide a summary of some of the more significant changes that affect merchants and Service Providers.

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues

Ten German data protection authorities (DPAs), led by the Berlin DPA, announced today that they will send formal questionnaires to about 500 companies in Germany to assess the scope of the companies’ cross-border data transfers. In a press release, the DPAs pointed out that the export of personal data to non-EU countries has become a common practice for major international, as well as small and medium sized companies, without, as the authorities say, adequate attention being paid to the unique data privacy issues raised by cloud computing and software as a service (SaaS).

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were able to prevent end-users from reaching the websites and online services that relied on Dyn, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn described the attack as “a sophisticated, highly distributed attack involving 10s of millions of IP addresses.”