On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading
In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.
The Federal … Continue Reading
As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.
On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.
Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading
On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).
The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading
In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment. Companies can no longer “do nothing” in the hope that the difficult implications will go away. Regulators are starting to investigate. Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading
On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.
This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.
By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:
- US surveillance rules are disproportionate
- There is a lack of proper oversight over US surveillance programmes
- EU individuals do not
The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.
Here is a very short first summary:
- Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way
On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading
What has happened?
Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading
On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading
The German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, has just published the model which it intends to use to calculate fines pursuant to Article 83 of the GDPR.… Continue Reading
Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.
Breach Law Changes
Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading
The wait is over: Only five CCPA amendments made it through the California legislature. The amendments are limited in scope, which means the CCPA will go into effect, largely intact, on January 1, 2020.
The California legislative session for 2019 ended on September 13 and the following five amendments to the California Consumer Privacy Act (CCPA) were passed: AB 25, 874, 1146, 1355, and 1564. They now move to the Governor’s desk, where he has 30 days to sign or veto them.… Continue Reading
On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment that passes from the Senate will likely need to go back to the Assembly since many of them have been marked up significantly by the Senate. Below is a summary of the seven amendments that are moving forward and what they mean for businesses who … Continue Reading
On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, … Continue Reading
The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading
Following the now famous €50m fine imposed on Google LLC in January 2019, the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019 imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading
Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.
A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.
There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.
On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading
A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on … Continue Reading
With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.
To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:
- two noteworthy recent EU and US
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.