Topic: Enforcement

Subscribe to Enforcement RSS feed

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

Marcus Evans (UK)Christoph Ritzer (DE)David Kessler (US)By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on Posted in Compliance and risk management, Enforcement, General
What has happened? Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country … Continue reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Christoph Ritzer (DE)Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose FulbrightOn October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal … Continue reading

Mic Drop: California AG releases long-awaited CCPA Rulemaking

David Kessler (US)Jeewon Kim Serrato (US)Susan Ross (US)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).  The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA.  In the press … Continue reading

New York’s Breach Law Amendments and New Security Requirements

David Kessler (US)Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by … Continue reading

CCPA: “Wait and see” is not the right approach

Chris Cwalina (US)David Kessler (US)Steve Roosa (US)Jeewon Kim Serrato (US)Susan Ross (US)By Chris Cwalina (US), David Kessler (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Data Protection Report - Norton Rose FulbrightWe are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable. Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links … Continue reading

One-Month Countdown to Pass CCPA Amendments Begins

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Data Protection Report - Norton Rose FulbrightOn August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline.  As previously reported, any amendment … Continue reading

Website operators joint controllers with third-party plugin providers

Lara White (UK)Natalia Filkina (DE)Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors … Continue reading

US CLOUD Act and International Privacy

Marcus Evans (UK)David Kessler (US)Jim Lennon (AU)Susan Ross (US)By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Norton Rose Fulbright - Data Protection Report blogThe U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European … Continue reading

Back At The Negotiating Table: CCPA Amendments Debate Continues

David Kessler (US)Jeewon Kim Serrato (US)Susan Ross (US)Anna Rudawski (US)By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US) and Anna Rudawski (US) on Posted in Compliance and risk management, Enforcement, General
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose FulbrightIn a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”). Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill … Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Nadège Martin (FR)Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose FulbrightFollowing the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

Nevada, New York and other states follow California’s CCPA

Jeewon Kim Serrato (US)Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General, Regulatory response
The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted. While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.… Continue reading

CCPA: “Attorney General Amendment” Likely Dead

David Kessler (US)Spencer Persson (US)Steve Roosa (US)Jeewon Kim Serrato (US)Susan Ross (US)By David Kessler (US), Spencer Persson (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogThis is the Data Protection Report’s ninth blog post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA. On May 16, 2019, the California Senate Appropriations Committee held a hearing that included S.B. 561, the “Attorney General amendment” to the … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Cécile Auvieux (FR)Nadège Martin (FR)By Cécile Auvieux (FR) and Nadège Martin (FR) on Posted in Dispute resolution and litigation, Enforcement
Norton Rose Fulbright - Data Protection Report blogFive years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal … Continue reading

German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right

Christoph Ritzer (DE)Cornelia Marquardt (DE)Natalia Filkina (DE)By Christoph Ritzer (DE), Cornelia Marquardt (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose FulbrightA mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance … Continue reading

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Jeewon Kim Serrato (US)Daniel Rosenzweig (US)By Jeewon Kim Serrato (US) and Daniel Rosenzweig (US) on Posted in Compliance and risk management, Enforcement
Norton Rose Fulbright - Data Protection Report blogThis is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA. With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and … Continue reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

David Kessler (US)Christoph Ritzer (DE)Sven Jacobs (DE)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose FulbrightThis is the Data Protection Report’s sixth post in a series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional CCPA posts. The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Kathleen Scott (US)Susan Ross (US)Tristan Coughlin* (US)By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions
Data Protection Report - Norton Rose FulbrightThe two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading
LexBlog