On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organizations and individuals that fail to comply with data localization requirements. Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.… Continue Reading
On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).
The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”… Continue Reading
Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.
Breach Law Changes
Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading
On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.
This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June … Continue Reading
The wait is over: Only five CCPA amendments made it through the California legislature. The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.
The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading
We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.… Continue Reading
We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable.
Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links below). Others point to the California Attorney General regulations that will be released in draft form in the next few months, which should provide some guidance to implementing CCPA.
Those statements are indeed accurate, as far as they go. However, they neglect the fact that … Continue Reading
On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.… Continue Reading
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading
On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading
The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading
Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.… Continue Reading
The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly … Continue Reading
This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.
As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill was significantly amended by the Senate Judiciary Committee and appears to move forward, despite a recent political setback last month … Continue Reading
Cookies Are One Piece of a Larger Puzzle
There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as … Continue Reading
On 20 June, the UK’s Information Commissioner (the ICO) published a report setting out its views on adtech, specifically the use of personal data in “real time bidding”, and the key privacy compliance challenges arising from it.… Continue Reading
The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted.
While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.… Continue Reading
On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the California Consumer Privacy Act (“CCPA”). The bill is being held in committee and under submission, which means the bill has been blocked and is likely dead.… Continue Reading
In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes.
Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely adjust its approach to such cross-border data transfers, possibly affecting its outsourcing and cloud computing relationships with vendors and related companies. The OPC has also initiated a two-month consultation period with stakeholders concerning this important policy change.… Continue Reading
Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.
A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.
There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.
In March of this year, the UAE issued Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Area of Health (the Healthcare Data Law), which governs the use of health data and information generated in the UAE. The law takes effect three months after issuance.… Continue Reading
The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”).… Continue Reading
With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.
To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:
- two noteworthy recent EU and US