Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

COVID tracing & AI: Physically distant, socially together

Data Protection Report - Norton Rose Fulbright

As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity of users, but concerns over privacy and the use of artificial intelligence (AI) in analyzing the data may hinder that objective.

COVID tracing apps

With the launch of COVID Alert, Canada joined 40 other countries that have launched tracing apps. The Bluetooth-based app … Continue Reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

Norton Rose Fulbright - Data Protection Report blog

The California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes.  You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them.  The accepted regulations became final on August 14, 2020.

The proposed regulatory changes from October 12 are available at www.oag.ca.gov/privacy/ccpa/current  The proposed changes would affect four sections of the CCPA regulations, but the one most likely to affect our readers is this one:

  • 999.315 (Requests
Continue Reading

Thermal cameras and COVID-19 – The German DPAs have spoken

Norton Rose Fulbright - Data Protection Report blog

On September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic.

Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it considers the use of thermal cameras in the work place to be admissible, provided that the requirements of data protection by design laid down in Art. 25 GDPR and security of data processing in to Art. 32 GDPR are complied with.

In detail:

  • German
Continue Reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

Norton Rose Fulbright - Data Protection Report blog

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

Schrems II: recent developments – waiting is harder

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

  1. US surveillance rules are disproportionate
  2. There is a lack of proper oversight over US surveillance programmes
  3. EU individuals do not
Continue Reading

Cell phones, robocalls, and text messages – two pronouncements

On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government.  (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).)  Previously, on June 25, a Bureau of the Federal Communications Commission issued some guidance on what constitutes an “autodialer” (or “automatic telephone dialing system“—“ATDS”) relating to that law’s prohibition on text messages.  (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, P2P Alliance Petition Continue Reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Data Protection Report - Norton Rose Fulbright

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European Commission approved Standard Contractual Clauses (SCCs) which many organisations rely on to transfer personal data outside of the UK and the European Economic Area (EEA), particularly in relation to outsourcing services.

On 19 December 2019, the Advocate General (… Continue Reading

Selling and utilising personal data in an insolvency situation

Data Protection Report - Norton Rose Fulbright

Many businesses are suffering serious financial difficulties as a result of COVID-19, particularly those in the retail, hospitality and tourism sectors.  For many of these businesses the one asset that will undoubtedly retain value, despite the pandemic, will be their customer database.  This valuable commodity could help attract potential purchasers.

But this is a tricky area to navigate, particularly following the General Data Protection Regulation (GDPR), since both the ICO and the FCA have started to pay more attention to this area.  For example, in February of this year, the FCA and ICO issued a joint statement warning … Continue Reading

How to process employees’ health data in France after lockdown: dos and don’ts for employers

Norton Rose Fulbright - Data Protection Report blog

A few weeks ago, we provided you with a summary of the rights and obligations of employers with regard to the personal data of their employees during lockdown.

On 11 May, many employees will return to their workplaces. Below you will find answers to the main questions you may have ahead as the end of the lockdown approaches.

Could an employer require its employees to use StopCovid or a similar private app and require to see the results?

No.  The CNIL stated in its opinion of 24 April 2020, that the “voluntary” mode of the app implied that no negative … Continue Reading

StopCovid: the French contact-tracing app

Norton Rose Fulbright - Data Protection Report blog

Following the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”.  The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French national research institute for digital sciences and technologies.

This blog post summarises the status of the project and the discussions from legal, political, scientific and technological perspectives.

How will StopCovid work?

For each smartphone on which the app is downloaded, temporary crypto-identifiers will be generated … Continue Reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

Norton Rose Fulbright - Data Protection Report blog

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of … Continue Reading

Obtaining and sharing employee health status information in a pandemic

Norton Rose Fulbright - Data Protection Report blog

Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic.

Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed against the privacy rights of employees. Depending on where their employees are located, employers may have to favor privacy over virus detection. This blog sets out a few of the key issues and a snapshot of how they are dealt with across five European jurisdictions … Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Personal data protection in the time of coronavirus (Covid-19)

Norton Rose Fulbright - Data Protection Report blog

Outbreak of the coronavirus and personal data privacy

The fast-spreading coronavirus (Covid-19) has infected thousands of people in China and in over 20 other countries. This coronavirus outbreak, originating in Wuhan, a large city located in the central region of China, has been declared a Public Health Emergency of International Concern (PHEIC) by the World Health Organization.… Continue Reading

Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA

Data Protection Report - Norton Rose Fulbright

Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. [1] Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.… Continue Reading

The CNIL releases draft practical guidance on cookies consent

Data Protection Report - Norton Rose Fulbright

The CNIL has published draft recommendations on how to obtain consent when placing cookies. This is following the publication of its revised “Guidelines on the implementation of cookies or similar tracking technologies” which was published in July 2019 (see our article here).

The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good … Continue Reading

Changes to Hong Kong’s data protection law discussed by government panel

Data Protection Report - Norton Rose Fulbright

The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the  Legislative Council’s Panel on Constitutional Affairs’ (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.Continue Reading

The Privacy Officers’ New Year’s Resolutions

Data Protection Report - Norton Rose Fulbright

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself.

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post).  Although the AG’s view was that the SCCs are valid, … Continue Reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading

LexBlog