Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency.  They also shared their projected timeline for rulemaking.  The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA).   The big news is that the Board … Continue reading

Rejecting cookies should be as easy as accepting cookies: new sanctions by the French authority (CNIL)

The French Data Protection Authority (the “CNIL”) continues its campaign against companies that do not respect the rules relating to cookies and other trackers, which the CNIL has previously reminded the market about in multiple communications and decisions. The CNIL has already issued four sets of formal notices to over 90 organizations of various sizes … Continue reading

Belgian DPA fines IAB Europe over its consent framework’s GDPR violations

innovation circuit boardOn 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

Cyber authorities sound the alarmIllinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information.  It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

Privacy legislation reform: Bill 64 has now been passed

Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes: increased obligations for enterprises that collect or otherwise process personal information, the creation of new rights for persons whose information is collected, and the imposition of far … Continue reading

UK Government sets out proposals to shake up UK data protection laws

Data Protection Report - Norton Rose FulbrightOn 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime.  The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading

Over-retention of personal data

Norton Rose Fulbright - Data Protection Report blogThe declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.”  Perhaps the CNIL’s  €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view. The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an … Continue reading

PIPL: A game changer for companies in China

Data Protection Report - Norton Rose FulbrightChina passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add … Continue reading

China passes the Personal Information Protection Law

Data Protection Report - Norton Rose FulbrightChina passed its Personal Information Protection Law (PIPL) on 20 August 2021.  The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet. In addition, China published the Provisions on the Administration of Security of Automobile Data (For … Continue reading

Top practical tips on the preservation, collection and review of mobile data in investigations.

Cyber authorities sound the alarmRemote working has accelerated the merger of work and private data, particularly on mobile phones and instant messaging services such as WhatsApp. While employees are performing their jobs, mobile access may be putting their employers at risk – because work-related communications on unapproved platforms are frequently not preserved in accordance with regulatory requirements (where applicable), … Continue reading

DSAR – No copy of work emails required in Germany

German Federal Labour Court dismissed employee’s claim On 27 April 2021, the German Federal Labour Court (Bundesarbeitsgericht, the Federal Court) held that employees cannot request their employer to provide them with copies of all (i) the employee’s entire email correspondence; and (ii) any emails mentioning the employee by name. The Federal Court said that under … Continue reading

To be or not to be . . . an “autodialer”

Data Protection Report - digital privacy, CCPA and cybersecurityOn April 1, 2021, the U.S. Supreme Court decided the question whether the Telephone Consumer Protection Act’s (TCPA) definition of “autodialer” encompasses equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” It does not. To qualify as an “automatic telephone dialing system,” a … Continue reading

Virginia’s new Consumer Data Protection Act

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023. But first, you need to determine whether the law … Continue reading

New German fine: EUR 10.4 million for unlawful CCTV

A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV. The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) … Continue reading

COVID tracing & AI: Physically distant, socially together

Data Protection Report - Norton Rose FulbrightAs the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity … Continue reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

Norton Rose Fulbright - Data Protection Report blogThe California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes.  You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them.  … Continue reading

Thermal cameras and COVID-19 – The German DPAs have spoken

Norton Rose Fulbright - Data Protection Report blogOn September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic. Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it … Continue reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

Norton Rose Fulbright - Data Protection Report blogOn September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. … Continue reading

Schrems II: recent developments – waiting is harder

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Cell phones, robocalls, and text messages – two pronouncements

On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government.  (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).)  Previously, on June 25, a Bureau … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Data Protection Report - Norton Rose FulbrightJust when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European … Continue reading
LexBlog