Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

Tony A. Morris (CA)By Tony A. Morris (CA) on Posted in Compliance and risk management, Cybersecurity, Data breach
Data Protection Report - Norton Rose FulbrightIn a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes. Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely … Continue reading

ICO blog post on AI and solely automated decision-making

Lara White (UK)Marcus Evans (UK)Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Jeewon Kim Serrato (US)Daniel Rosenzweig (US)By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on Posted in Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blogThis is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA. With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and … Continue reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

David Kessler (US)Christoph Ritzer (DE)Sven Jacobs (DE)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogOn January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Lara White (UK)Marcus Evans (UK)Miranda Byrne Hill (UK)By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose FulbrightThis is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts. The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Kathleen Scott (US)Susan Ross (US)Tristan Coughlin* (US)By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions
Data Protection Report - Norton Rose FulbrightThe two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

EDPB clarifies territorial scope of the GDPR

Marcus Evans (UK)Anna Rudawski (US)By Marcus Evans (UK) and Anna Rudawski (US) on Posted in Compliance and risk management, Data breach, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading

New China Guideline for Internet Personal Information Security Protection

Barbara Li (CN)Bohua Yao (CN)By Barbara Li (CN) and Bohua Yao (CN) on Posted in Compliance and risk management, Data breach, Regulatory response
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue reading

Cybersecurity and the SEC

Susan Ross (US)Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, Cybercrime
Data Protection Report - Norton Rose FulbrightThe U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.… Continue reading

If you don’t know why November 1 is a big day in Canada, read this!

By on Posted in Compliance and risk management, Data breach
Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018. Here are three measures your organization ought to take in preparation for mandatory breach reporting: 1. Implement internal breach reporting and … Continue reading

CCPA extends “right to deletion” to California residents

David Kessler (US)Anna Rudawski (US)By David Kessler (US) and Anna Rudawski (US) on Posted in Compliance and risk management, General
Data Protection Report - Norton Rose FulbrightThis is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the … Continue reading

UK Government guidance on continued EU-UK data flows upon a no deal Brexit

Marcus Evans (UK)By Marcus Evans (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the … Continue reading

New law imposes disclosure requirements on software licensors

Susan Ross (US)By Susan Ross (US) on Posted in Compliance and risk management
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose FulbrightAs a result of the 2019 National Defense Authorization Act, the Secretary of Defense implemented new disclosure obligations on software licensors whose software code has been reviewed or accessed by a foreign government. The Act was signed into law on August 13, 2018 and will significantly impact software licensors who engage with the federal government’s … Continue reading

California Consumer Privacy Act blog series: Covered entities

Jeewon Kim Serrato (US)Steve Roosa (US)Alexis Wilpon (US)By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, General, Regulatory response
Data Protection Report - Norton Rose FulbrightThis is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.… Continue reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Susan Ross (US)Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, Cybercrime, Data breach
Data Protection Report - Norton Rose FulbrightOn July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

US states pass data protection laws on the heels of the GDPR

Jeewon Kim Serrato (US)Chris Cwalina (US)Anna Rudawski (US)Tristan Coughlin* (US)By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin* (US) and Katey Fardelmann (US) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightSeveral U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with … Continue reading

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

Spencer Persson (US)Jeewon Kim Serrato (US)Steve Roosa (US)Arleen Fernandez (US)Anna Rudawski (US)By Spencer Persson (US), Jeewon Kim Serrato (US), Steve Roosa (US), Arleen Fernandez (US) and Anna Rudawski (US) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogThis is the Data Protection Report’s first post in a series of blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts. On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to … Continue reading
LexBlog