Topic: Enforcement

Subscribe to Enforcement RSS feed

US SEC announces three actions charging firms for cybersecurity deficiencies

On August 30, 2021, the Securities and Exchange Commission (SEC) announced enforcement actions against three sets of broker-dealer and/or investment advisers for alleged failures in the entities’ cybersecurity policies and procedures with respect to email account compromises and the exposure of customer information in violation of Regulation S-P, known as the Safeguards Rule.

In a recent legal update, “US SEC announces three actions charging firms for cybersecurity deficiencies,” Kevin Harnisch, Chris Cwalina, Will Daugherty, Ashley Zatloukal and Matthew Niss discuss the SEC’s enforcement actions and provide further information on the Safeguards Rule.… Continue Reading

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or refuse cookies using equally easy steps. These organizations all remedied the identified breaches within the month granted, but the CNIL has identified and sent formal enforcement notices regarding the same issue to a further 40 non-compliant organizations in the meantime.

Which industry sectors were impacted?

Continue Reading

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication.  The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy.  The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market.… Continue Reading

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

Introduction

Max Schrems’ privacy NGO, noyb, has sent hundreds of draft complaints to companies across Europe that it claims use unlawful cookie banners along with a guide of how to comply.  noyb is giving these companies one month to make the changes to their cookie banners and consent management solutions before filing formal complaints with data protection authorities.

noyb’s stated aim is to move to a world where users are presented with simple and clear “accept”/”reject” options and companies do not design their cookie banners to try to “frustrate” users into accepting cookies or design their privacy settings to make … Continue Reading

Deutsche Wohnen fine now declared invalid by a German court

Data Protection Report - Norton Rose Fulbright

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

Data Protection Report - Norton Rose Fulbright

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

EU-UK Trade and Cooperation Agreement: Implications for data protection law

Norton Rose Fulbright - Data Protection Report blog

On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would otherwise have been restricted at the end of the Brexit transition period.

The main points of the TCA relating to data protection are set out below.

1.) Data transfers from the EEA to the UK…

  • The
Continue Reading

Bill C-11: Canada proposes new data privacy legislation

Norton Rose Fulbright - Data Protection Report blog

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading

German Court cuts multimillion GDPR fine by 90%

Norton Rose Fulbright - Data Protection Report blog

In December 2019,  the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company.  On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate.  The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal … Continue Reading

Hong Kong introduces a contact tracing app

Norton Rose Fulbright - Data Protection Report blog

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

ICO provides guidance on calculating monetary penalties

Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Schrems II: recent developments – waiting is harder

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

  1. US surveillance rules are disproportionate
  2. There is a lack of proper oversight over US surveillance programmes
  3. EU individuals do not
Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

  1. Privacy Shield is invalid.  This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way
Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und InformationsfreiheitBerlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading

New York’s Breach Law Amendments and New Security Requirements

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.

Breach Law Changes

Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading

And then there were five: CCPA amendments pass legislature

Norton Rose Fulbright - Data Protection Report blog

Executive Summary

The wait is over:  Only five CCPA amendments made it through the California legislature.  The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.

The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading

One-Month Countdown to Pass CCPA Amendments Begins

Data Protection Report - Norton Rose Fulbright

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading

Website operators joint controllers with third-party plugin providers

Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, … Continue Reading

US CLOUD Act and International Privacy

Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

LexBlog