Topic: Enforcement

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

On August 30, 2021, the Securities and Exchange Commission (SEC) announced enforcement actions against three sets of broker-dealer and/or investment advisers for alleged failures in the entities’ cybersecurity policies and procedures with respect to email account compromises and the exposure of customer information in violation of Regulation S-P, known as the Safeguards Rule.

In a recent legal update, “US SEC announces three actions charging firms for cybersecurity deficiencies,” Kevin Harnisch, Chris Cwalina, Will Daugherty, Ashley Zatloukal and Matthew Niss discuss the SEC’s enforcement actions and provide further information on the Safeguards Rule.… Continue Reading

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

By Lara White (UK) and Barbara Ghebali (FR) on July 27, 2021 Posted in Enforcement, Regulatory response

As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or refuse cookies using equally easy steps. These organizations all remedied the identified breaches within the month granted, but the CNIL has identified and sent formal enforcement notices regarding the same issue to a further 40 non-compliant organizations in the meantime.

Which industry sectors were impacted?

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

By Seiko Hidaka (UK) and Jay Modrall (BE) on July 5, 2021 Posted in Data Transfer, Enforcement, Regulatory response

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy. The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market.… Continue Reading

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

By Lara White (UK) on June 8, 2021 Posted in Enforcement

Introduction

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply. noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/”reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make … Continue Reading

Deutsche Wohnen fine now declared invalid by a German court

By Christoph Ritzer (DE) and Natalia Filkina (DE) on February 25, 2021 Posted in Data breach, Enforcement

Data Protection Report - Norton Rose Fulbright

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

By Marcus Evans (UK) and Shiv Daddar (UK) on February 19, 2021 Posted in Enforcement, General, Regulatory response

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

EU-UK Trade and Cooperation Agreement: Implications for data protection law

By Fiona Bundy-Clarke (UK) on January 4, 2021 Posted in Data Transfer, Enforcement

Norton Rose Fulbright - Data Protection Report blog

On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would otherwise have been restricted at the end of the Brexit transition period.

The main points of the TCA relating to data protection are set out below.

1.) Data transfers from the EEA to the UK…

Bill C-11: Canada proposes new data privacy legislation

By Colin Hyslop (CA) on November 20, 2020 Posted in Enforcement

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading

German Court cuts multimillion GDPR fine by 90%

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 17, 2020 Posted in Data breach, Enforcement

In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal … Continue Reading

Hong Kong introduces a contact tracing app

By Anna Gamvros (HK) and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) and Janine Regan (UK) on September 9, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment. Companies can no longer “do nothing” in the hope that the difficult implications will go away. Regulators are starting to investigate. Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

By Lara White (UK) and Janine Regan (UK) on August 13, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, General

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

US surveillance rules are disproportionate
There is a lack of proper oversight over US surveillance programmes
EU individuals do not

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way

NYDFS Requires COVID-19 Plans by April 9

By Susan Ross (US) and Kathleen Scott (US) on April 2, 2020 Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on December 20, 2019 Posted in Compliance and risk management, Enforcement, General

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

By Christoph Ritzer (DE) and Natalia Filkina (DE) on November 12, 2019 Posted in Enforcement

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading

German Data Protection Authorities publishes a new GDPR model for fines

By Christoph Ritzer (DE) and Natalia Filkina (DE) on October 28, 2019 Posted in Enforcement

The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.… Continue Reading

New York’s Breach Law Amendments and New Security Requirements

By David Kessler (US) and Susan Ross (US) on October 1, 2019 Posted in Compliance and risk management, Enforcement, General

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.

Breach Law Changes

Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading

And then there were five: CCPA amendments pass legislature

By Jeewon Kim Serrato (US) and Susan Ross (US) on September 17, 2019 Posted in CCPA, Compliance and risk management, Enforcement

Executive Summary

The wait is over: Only five CCPA amendments made it through the California legislature. The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

By Jeewon Kim Serrato (US) and Susan Ross (US) on August 12, 2019 Posted in CCPA, Compliance and risk management, Enforcement

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

Website operators joint controllers with third-party plugin providers

By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on August 12, 2019 Posted in Enforcement

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, … Continue Reading

US CLOUD Act and International Privacy

By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on August 1, 2019 Posted in Compliance and risk management, Enforcement, General

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading