Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

And then there were five: CCPA amendments pass legislature

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blog

Executive Summary

The wait is over:  Only five CCPA amendments made it through the California legislature.  The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading

Deadline extended for compulsory registration on Data Controller registry

Ekin Inal (TR)By Ekin Inal (TR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

Obligations

We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Continue Reading

CCPA: “Wait and see” is not the right approach

Chris Cwalina (US)David Kessler (US)Steve Roosa (US)Jeewon Kim Serrato (US)Susan Ross (US)By Chris Cwalina (US), David Kessler (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management
Data Protection Report - Norton Rose Fulbright

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable.

Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.

Those statements are indeed accurate, as far as they go. However, they neglect the fact that … Continue Reading

The CNIL publishes new guidelines on cookies and other similar technologies

Nilofar Moini Shabestari (FR)Nadège Martin (FR)By Nilofar Moini Shabestari (FR) and Nadège Martin (FR) on Posted in Compliance and risk management
Data Protection Report - digital privacy, CCPA and cybersecurity

On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

US CLOUD Act and International Privacy

Marcus Evans (UK)David Kessler (US)Jim Lennon (AU)Susan Ross (US)By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading

The UK ICO updates its cookie guidance

Lara White (UK)Marcus Evans (UK)By Lara White (UK) and Marcus Evans (UK) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely to require many organisations to make changes to their current cookies practices.… Continue Reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly … Continue Reading

“What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.

As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill was significantly amended by the Senate Judiciary Committee and appears to move forward, despite a recent political setback last month … Continue Reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

Steve Roosa (US)By Steve Roosa (US) on Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series
NT Analyzer blog series, cookie

Cookies Are One Piece of a Larger Puzzle

There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies.  Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as … Continue Reading

Nevada, New York and other states follow California’s CCPA

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management
Data Protection Report - digital privacy, CCPA and cybersecurity

The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted.

While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.… Continue Reading

CCPA: “Attorney General Amendment” Likely Dead

David Kessler (US)Spencer Persson (US)Steve Roosa (US)Jeewon Kim Serrato (US)Susan Ross (US)By David Kessler (US), Spencer Persson (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA, Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the California Consumer Privacy Act (“CCPA”). The bill is being held in committee and under submission, which means the bill has been blocked and is likely dead.… Continue Reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

By Tony A. Morris (CA) on Posted in Compliance and risk management, Cybersecurity, Data breach
Data Protection Report - Norton Rose Fulbright

In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.

Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change.… Continue Reading

Google and other big data companies face increased scrutiny

Jeewon Kim Serrato (US)Vic Domen (US)By Jeewon Kim Serrato (US) and Vic Domen (US) on Posted in Compliance and risk management, Enforcement
Data Protection Report - Norton Rose Fulbright

Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.

A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.

There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.

Get all the details at the full legal update, “Big data Continue Reading

ICO blog post on AI and solely automated decision-making

Lara White (UK)Marcus Evans (UK)Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”).… Continue Reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Jeewon Kim Serrato (US)Daniel Rosenzweig (US)By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on Posted in CCPA, Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.

To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:

  1. two noteworthy recent EU and US
Continue Reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

David Kessler (US)Christoph Ritzer (DE)Sven Jacobs (DE)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the … Continue Reading

Companies’ right to privacy

David Kessler (US)Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Dispute resolution and litigation
Data Protection Report - Norton Rose Fulbright

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city. The court granted the preliminary injunction on the basis that the city’s broad requirement that the services turn over detailed customer information on a monthly basis likely violated the Fourth Amendment to the U.S. Constitution—infringing the privacy rights of the companies, rather than the users. In contrast, the court ruled that the companies’ Stored Communications Act claim did not meet the standard for a … Continue Reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in CCPA, Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s seventh blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney … Continue Reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.… Continue Reading

LexBlog