Topic: General

UK proposes rules to protect against anonymous online trolls

By Kerri Gevers (SG) on March 24, 2022 Posted in General

Data Protection Report - Norton Rose Fulbright

The UK Government has added two new duties to the proposed Online Safety Bill (the Bill) that are aimed at protecting people against anonymous online abuse. These measures would give users of “main social media firms” more control over who can interact with them and the type of content users see (see the Government’s press … Continue reading

SMO v TikTok: representative actions post Lloyd v Google

By Charlie Weston-Simons (UK) and Matt Williams on March 22, 2022 Posted in General

In SMO (A Child) v Tiktok Inc. & Ors [2022] EWHC 489, the High Court considered an alternative basis for bringing a representative claim for loss of control under the GDPR and the Data Protection Act 2018 (DPA 2018) following the Supreme Court’s decision in Lloyd v Google. This case is a pre-Lloyd decision representative … Continue reading

The EU’s Data Act: Capstone of the EU Data Strategy

By Jay Modrall (BE) on March 16, 2022 Posted in General

On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading

Privacy in a Parallel Digital Universe: The Metaverse

By Imran Ahmad (CA) and Tiana Corovic (CA) on January 25, 2022 Posted in General, Metaverse, PIPEDA, Privacy law

For many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe. The metaverse is an abstract concept that uses a digital environment to permeate … Continue reading

Where data meets IP – Derivative data in M&A transactions

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on January 19, 2022 Posted in Data Transfer, General, Intellectual Property

Norton Rose Fulbright - Data Protection Report blog

With the growth of the high-tech industry worldwide, it is no surprise that more and more transactions involve the transfer of rights to access or control data and derivative data. In our previous update we discussed protecting business data in a commercial context. In the M&A context, this valuable information is either the driving force of … Continue reading

Are you critical? Amendments to the Security of Critical Infrastructure Act (2018) dramatically expand its scope and impact across Australian industry

By Ross Phillipson, Ming Kalanon and Anna Gamvros (HK) on December 6, 2021 Posted in General

Introduction Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will … Continue reading

Transfer data outside of China: New security review regulation companies should know

By Anna Gamvros (HK) and Lianying Wang (CN) on November 11, 2021 Posted in General

The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021. The three pillars of China’s cyber security and data legislation – … Continue reading

Good news for data controllers: Lloyd v Google Supreme Court decision

By Dominic Hennessy, Harriet Jones-Fenleigh and Georgina Fernando on November 10, 2021 Posted in General

Data Protection Report - digital privacy, CCPA and cybersecurity

On 10 November 2021, the UK Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal. In summary, the Supreme Court ruled that damages for “loss of control” are not available for breach of the Data … Continue reading

A Tale of Two Cities: The Right of Private Action in Data Protection in Singapore and Hong Kong

By Wilson Ang (SG), Anna Gamvros (HK), Jeremy Lua (SG) and Edward Yau (HK) on November 2, 2021 Posted in Dispute resolution and litigation, General, PDPA, Privacy law

The Singapore High Court and the Hong Kong District Court have both considered the right to compensation for injury to feelings in two recent cases involving misuse of personal data but arrived at different conclusions. Singapore: In Bellingham, Alex v. Reed, Michael, Mr. Bellingham obtained the email addresses of his former employers’ customers without their … Continue reading

Where data meets IP – protecting business data in a commercial context

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on October 18, 2021 Posted in Data Transfer, General, Intellectual Property

In our previous publication, we discussed how a business’ data can be protected by characterizing it as intellectual property and protecting it as such. One of the most common ways to protect business data in a commercial context is through license agreements that impose contractual controls on the scope of protection of such data, as … Continue reading

US Senate considers mandating 24-hour reporting requirement for ransom payments

By David Kitchen (US) and Kate Nelson (US) on October 5, 2021 Posted in Cybercrime, Cybersecurity, General, Ransomware

On September 28, 2021, the US Senate Homeland Security and Governmental Affairs Committee released a draft bill that would, among other things, require nearly all entities that make a ransom payment as the result of a ransomware attack against the entity to report the payment to the Director of the Cybersecurity and Infrastructure Security Agency … Continue reading

The UK National AI Strategy: Regulation, Data Protection and IPR in the Mix

By Marcus Evans (UK), Michael Sinclair (UK) and Peter McBurney on September 30, 2021 Posted in General

The UK Government has published its National AI Strategy. Click here to read more about what the National AI Strategy says about AI regulation, and its implications for data protection in the UK. In this detailed blog we examine three discrete issues addressed in it (AI regulation, data protection and intellectual property rights) and we … Continue reading

UK Government sets out proposals to shake up UK data protection laws

By Marcus Evans (UK), Lara White (UK) and Sahar Bhaimia on September 28, 2021 Posted in Compliance and risk management, General

On 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime. The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading

Where Data Meets IP

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on September 27, 2021 Posted in Data Transfer, General, Intellectual Property

How do you balance sharing and protecting your business’ data? Unlike tangible assets, which can be protected primarily through physical means, intangible assets such as data require additional considerations. One key strategy to protect your business’ data is to characterize, and protect, that data as intellectual property. Data as IP Copyright Original compilations of data … Continue reading

The UK Government unveils its post-Brexit plans to shake up data protection laws

By Lara White (UK), Marcus Evans (UK) and Isabella Martinez-Sistac Orozco on August 27, 2021 Posted in General, Privacy law, Regulatory response

On 26 August 2021, in a move that puts it on a potential collision course with the EU, the UK Government made a number of announcements relating to the future of the UK’s data protection regime, with the stated intention of “seizing the opportunity” by “developing a world leading data policy that will deliver a … Continue reading

Ontario moves towards introducing new privacy law

By Imran Ahmad (CA) and Liana Di Giorgio (CA) on August 24, 2021 Posted in General, PHIPA, PIPEDA, Privacy law

Given global trends in the development of privacy laws and enforcement, Canada and several provinces are looking at modernizing their respective privacy regimes. Ontario’s new proposed privacy law, which would govern commercial activities more broadly than current legislation (i.e., our federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Ontario’s health privacy … Continue reading

China’s evolving data laws: PIPL likely to be passed soon

By Anna Gamvros (HK) and Lianying Wang (CN) on August 5, 2021 Posted in Cybersecurity, General

China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which … Continue reading

Subject Access Request: Germany’s highest court widens the scope of data subject access requests in Germany

By Christoph Ritzer (DE) and Natalia Filkina (DE) on July 28, 2021 Posted in General, Regulatory response

Germany’s highest civil court, the Federal Court Of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data Protection Regulation (GDPR) has a broader scope than previously understood in Germany. Pursuant to the court’s decision, Article 15 … Continue reading

Hong Kong: Bill to amend the Personal Data (Privacy) Ordinance to combat doxxing acts was gazetted today

By Anna Gamvros (HK), Ruby Kwok (HK) and Edward Yau (HK) on July 15, 2021 Posted in General

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) was gazetted today, 16 July 2021. The Bill aims to combat doxxing acts through (i) criminalisation of doxxing acts; (ii) empowering the Privacy Commissioner for Personal Data to conduct criminal investigation and institute prosecution for doxxing cases; and (iii) conferring on the Commissioner statutory powers to … Continue reading

EDPB cautiously welcomes UK adequacy finding

By Lara White (UK) and Janine Regan (UK) on April 16, 2021 Posted in General, Regulatory response

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021. The … Continue reading

EU Commission draft UK Data Protection Adequacy Decision published

By Marcus Evans (UK) and Shiv Daddar (UK) on February 19, 2021 Posted in Enforcement, General, Regulatory response

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here. The draft decision is welcome news to … Continue reading

101 Problems and Schrems Ain’t One

By Steve Roosa (US) and Daniel Rosenzweig (US) on September 29, 2020 Posted in General

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” … Continue reading

Algorithmic Decision-making and the UK ICO’s Guidance on AI

By Magdalene Lie (UK) on September 8, 2020 Posted in General, Regulatory response

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been … Continue reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

By Lara White (UK) and Janine Regan (UK) on August 27, 2020 Posted in General

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police. The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply … Continue reading