Topic: Compliance and risk management

Subscribe to Compliance and risk management RSS feed

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

Cookies Are One Piece of a Larger Puzzle There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often … Continue reading

Nevada, New York and other states follow California’s CCPA

By Jeewon Kim Serrato (US) and Susan Ross (US) on June 6, 2019 Posted in CCPA, Compliance and risk management

Data Protection Report - digital privacy, CCPA and cybersecurity

The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted. While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.… Continue reading

CCPA: “Attorney General Amendment” Likely Dead

By David Kessler (US), Spencer Persson (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on May 17, 2019 Posted in CCPA, Compliance and risk management

Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA. On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the … Continue reading

OPC reconsiders its approach to cross-border data transfers with the Equifax decision

By Tony A. Morris (CA) on May 15, 2019 Posted in Compliance and risk management, Cybersecurity, Data breach

Data Protection Report - Norton Rose Fulbright

In a significant recent decision, the Office of the Privacy Commissioner of Canada (OPC) altered the regulatory landscape when moving personal information between affiliated companies and across Canada’s border for data processing or storage purposes. Any organization governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) will have to re-evaluate and likely … Continue reading

Google and other big data companies face increased scrutiny

By Jeewon Kim Serrato (US) and Vic Domen (US) on April 25, 2019 Posted in Compliance and risk management, Enforcement

Big data companies like Google and Facebook are now facing increased scrutiny about the use of massive amounts of personal data in the digital ad marketplace.… Continue reading

UAE bans exporting health data and restricts domestic use

By Hani Ghattas on April 24, 2019 Posted in Compliance and risk management

In March of this year, the UAE issued Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Area of Health (the Healthcare Data Law), which governs the use of health data and information generated in the UAE. The law takes effect three months after issuance.… Continue reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on February 27, 2019 Posted in CCPA, Compliance and risk management, Enforcement

This is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA. With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and … Continue reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on February 19, 2019 Posted in Compliance and risk management, Enforcement, Regulatory response

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading

Companies’ right to privacy

By David Kessler (US) and Susan Ross (US) on February 13, 2019 Posted in Compliance and risk management, Dispute resolution and litigation

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city.… Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 31, 2019 Posted in CCPA, Compliance and risk management

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on January 16, 2019 Posted in Compliance and risk management

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 14, 2019 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts. The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on January 7, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

EDPB clarifies territorial scope of the GDPR

By Marcus Evans (UK) and Anna Rudawski (US) on December 6, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading

New China Guideline for Internet Personal Information Security Protection

By Barbara Li (CN) and Bohua Yao (CN) on December 5, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue reading

Cybersecurity and the SEC

By Susan Ross (US) and Alexis Wilpon (US) on October 31, 2018 Posted in Compliance and risk management, Cybercrime

The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.… Continue reading

If you don’t know why November 1 is a big day in Canada, read this!

By on October 15, 2018 Posted in Compliance and risk management, Data breach

Like many organizations in Canada, yours is probably not fully prepared for the mandatory breach reporting requirements coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) November 1, 2018. Here are three measures your organization ought to take in preparation for mandatory breach reporting: 1. Implement internal breach reporting and … Continue reading

CCPA extends “right to deletion” to California residents

By David Kessler (US) and Anna Rudawski (US) on September 27, 2018 Posted in CCPA, Compliance and risk management

This is the Data Protection Report’s fifth post in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the … Continue reading

UK Government guidance on continued EU-UK data flows upon a no deal Brexit

By Marcus Evans (UK) on September 18, 2018 Posted in Compliance and risk management

On 13 September 2018 the UK government’s Department for Digital, Culture, Media & Sport published a notice, Data Protection If There’s No Brexit Deal (the Notice). The Notice sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EEA in the event that the … Continue reading

New law imposes disclosure requirements on software licensors

By Susan Ross (US) on August 24, 2018 Posted in Compliance and risk management

As a result of the 2019 National Defense Authorization Act, the Secretary of Defense implemented new disclosure obligations on software licensors whose software code has been reviewed or accessed by a foreign government. The Act was signed into law on August 13, 2018 and will significantly impact software licensors who engage with the federal government’s … Continue reading