Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

Top practical tips on the preservation, collection and review of mobile data in investigations.

Photo of Andrew Reeves (UK)Photo of Claudia Van GruisenBy Andrew Reeves (UK) and Claudia Van Gruisen on Posted in Compliance and risk management
Cyber authorities sound the alarmRemote working has accelerated the merger of work and private data, particularly on mobile phones and instant messaging services such as WhatsApp. While employees are performing their jobs, mobile access may be putting their employers at risk – because work-related communications on unapproved platforms are frequently not preserved in accordance with regulatory requirements (where applicable), … Continue reading

DSAR – No copy of work emails required in Germany

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management
German Federal Labour Court dismissed employee’s claim On 27 April 2021, the German Federal Labour Court (Bundesarbeitsgericht, the Federal Court) held that employees cannot request their employer to provide them with copies of all (i) the employee’s entire email correspondence; and (ii) any emails mentioning the employee by name. The Federal Court said that under … Continue reading

To be or not to be . . . an “autodialer”

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management
Data Protection Report - digital privacy, CCPA and cybersecurityOn April 1, 2021, the U.S. Supreme Court decided the question whether the Telephone Consumer Protection Act’s (TCPA) definition of “autodialer” encompasses equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” It does not. To qualify as an “automatic telephone dialing system,” a … Continue reading

Virginia’s new Consumer Data Protection Act

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management
On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023. But first, you need to determine whether the law … Continue reading

New German fine: EUR 10.4 million for unlawful CCTV

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management, Data breach
A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV. The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) … Continue reading

COVID tracing & AI: Physically distant, socially together

Photo of Daniel Daniele (CA)By Daniel Daniele (CA) on Posted in Compliance and risk management, Data Transfer
Data Protection Report - Norton Rose FulbrightAs the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity … Continue reading

Just when you thought it was safe—California AG issues proposed CCPA regulation changes

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogThe California Attorney General has just issued some proposed revisions to the California Consumer Privacy Act (CCPA) regulations and our readers may be surprised by one of the proposed changes.  You may recall that California’s Office of Administrative Law (OAL) had rejected some the proposed CCPA regulations during the summer, but accepted most of them.  … Continue reading

Thermal cameras and COVID-19 – The German DPAs have spoken

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogOn September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic. Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it … Continue reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blogOn September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. … Continue reading

Schrems II: recent developments – waiting is harder

Photo of Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response
In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an … Continue reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Photo of Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General
On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield. This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? … Continue reading

Cell phones, robocalls, and text messages – two pronouncements

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Regulatory response
On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government.  (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).)  Previously, on June 25, a Bureau … Continue reading

Schrems II judgement due in July – what this might mean for your outsourcing deal

Photo of Marcus Evans (UK)Photo of Lara White (UK)By Marcus Evans (UK), Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightJust when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European … Continue reading

Selling and utilising personal data in an insolvency situation

Photo of Marcus Evans (UK)Photo of Rebecca Oliver (UK)By Marcus Evans (UK), Janine Regan (UK), Rebecca Oliver (UK) and Alice Routh (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightMany businesses are suffering serious financial difficulties as a result of COVID-19, particularly those in the retail, hospitality and tourism sectors.  For many of these businesses the one asset that will undoubtedly retain value, despite the pandemic, will be their customer database.  This valuable commodity could help attract potential purchasers. But this is a tricky … Continue reading

How to process employees’ health data in France after lockdown: dos and don’ts for employers

Photo of Cécile Auvieux (FR)Photo of Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogA few weeks ago, we provided you with a summary of the rights and obligations of employers with regard to the personal data of their employees during lockdown. On 11 May, many employees will return to their workplaces. Below you will find answers to the main questions you may have ahead as the end of … Continue reading

StopCovid: the French contact-tracing app

Photo of Cécile Auvieux (FR)Photo of Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogFollowing the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”.  The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French … Continue reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

Photo of Christoph Ritzer (DE)Photo of Nadège Martin (FR)Photo of Marcus Evans (UK)By Janine Regan (UK), Christoph Ritzer (DE), Nadège Martin (FR) and Marcus Evans (UK) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogLast week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers … Continue reading

Obtaining and sharing employee health status information in a pandemic

Photo of Marcus Evans (UK)Photo of Miranda Byrne Hill (UK)By Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogEmployers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic. Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed … Continue reading

NYDFS Requires COVID-19 Plans by April 9

Photo of Susan Ross (US)Photo of Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blogOn March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, … Continue reading

Personal data protection in the time of coronavirus (Covid-19)

Photo of Barbara Li (CN)Photo of Bohua Yao (CN)By Barbara Li (CN) and Bohua Yao (CN) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogOutbreak of the coronavirus and personal data privacy The fast-spreading coronavirus (Covid-19) has infected thousands of people in China and in over 20 other countries. This coronavirus outbreak, originating in Wuhan, a large city located in the central region of China, has been declared a Public Health Emergency of International Concern (PHEIC) by the World … Continue reading

Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA

Photo of Jean-Simon SchoenholzBy Jean-Simon Schoenholz on Posted in Compliance and risk management, Cybersecurity, Dispute resolution and litigation, Regulatory response
Data Protection Report - Norton Rose FulbrightRecent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration … Continue reading

The CNIL releases draft practical guidance on cookies consent

Photo of Nadège Martin (FR)Photo of Cécile Auvieux (FR)By Nadège Martin (FR) and Cécile Auvieux (FR) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe CNIL has published draft recommendations on how to obtain consent when placing cookies. This is following the publication of its revised “Guidelines on the implementation of cookies or similar tracking technologies” which was published in July 2019 (see our article here). The objective of the recommendations is to provide stakeholders with practical guidance and … Continue reading
LexBlog