On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.
Compliance and risk management
Personal data protection in the time of coronavirus (Covid-19)
Outbreak of the coronavirus and personal data privacy
The fast-spreading coronavirus (Covid-19) has infected thousands of people in China and in over 20 other countries. This coronavirus outbreak, originating in Wuhan, a large city located in the central region of China, has been declared a Public Health Emergency of International Concern (PHEIC) by the World Health Organization.
New privacy legislation could increase the burden for companies in Quebec
Quebec’s minister of justice announced her intention to introduce a bill aimed at modernizing the privacy regime provided by the Act respecting the protection of personal information in the private sector.
Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA
Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. [1] Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.
The French data protection authority (CNIL) adopts a new standard on whistleblowing systems
At the end of 2019, following a public consultation, the CNIL adopted its much-anticipated “standard” on whistleblowing systems. The “standard” is essentially a reference document which serves as guidance for those implementing whistleblowing systems.
The CNIL releases draft practical guidance on cookies consent
The CNIL has published draft recommendations on how to obtain consent when placing cookies. This follows the publication in July 2019 of its revised “Guidelines on the implementation of cookies or similar tracking technologies” (see our article here).
The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good practices” that will enable businesses to go even further in their compliance process.
Changes to Hong Kong’s data protection law discussed by government panel
The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.
The Privacy Officers’ New Year’s Resolutions
1. Brace yourself (for export turbulence)
2020 could well be a year of data export turmoil – so brace yourself.
The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).
The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post). Although the AG’s view was that the SCCs are valid, he suggested that those using them would need to examine the national security laws of the data importer’s jurisdiction to determine whether they can in fact comply with the terms of the SCCs. He also raised serious doubts over the validity of the Privacy Shield. If the CJEU shares these doubts, it could influence the outcome of La Quadrature du Net.
Data localisation issues are also set to resurface during 2020. China’s requirements are tricky, the Russian Data Localisation law now has monetary penalties and the draft Indian data protection bill also imposes localisation requirements in certain circumstances.
Record Retention is a Key Component of Your Privacy and Cyber Compliance Program
This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.
Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield
What has happened?
Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.