Topic: General

Subscribe to General RSS feed

101 Problems and Schrems Ain’t One

Steve Roosa (US)Daniel Rosenzweig (US)By Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in General
NT Analyzer blog series, cookie

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.

The main questions facing companies at this point are:

  • Do my websites and mobile apps, when used in the EU, transmit data to the US,
Continue Reading

Algorithmic Decision-making and the UK ICO’s Guidance on AI

Magdalene Lie (UK)By Magdalene Lie (UK) on Posted in General, Regulatory response

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been reminded of the potential backlash that could result from decisions that are perceived as incorrect or unfair by algorithms where the workings of which are largely unknown to the individuals they affect. This presents challenges for organisations which are increasingly adopting Artificial … Continue Reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in General

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police.  The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply with Article 8 of the European Convention on Human Rights (the right to respect for private and family life) (the Convention).

Whilst this judgement concerned the use of AFT in the public sector, the case provides interesting  … Continue Reading

An “enhanced” Privacy Shield is being negotiated – third time a charm?

Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, General

On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.

This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time a charm? We’re not so sure.

By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:

  1. US surveillance rules are disproportionate
  2. There is a lack of proper oversight over US surveillance programmes
  3. EU individuals do not
Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Marcus Evans (UK)Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

  1. Privacy Shield is invalid.  This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way
Continue Reading

Singapore’s Public Consultation on proposed changes to the Singapore Personal Data Protection Act

Wilson Ang (SG)Stella Cramer (SG)Jessica Paulin (SG)Jeremy Lua (SG)By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in General

On 14 May 2020, the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) announced a public consultation (the Public Consultation) on the draft Personal Data Protection (Amendment) Bill (the Draft Bill) and related amendments to the Spam Control Act (SCA). The Public Consultation will take place from 14 May 2020 to 28 May 2020.

The Draft Bill is the culmination of a series of consultations between the MCI, PDPC and public and industry stakeholders over the past three years. In this post, we briefly … Continue Reading

Contact tracing apps: A new world for data privacy

Anna Gamvros (HK)Steven Hadwin (UK)By Anna Gamvros (HK) and Steven Hadwin (UK) on Posted in General

May 12, 2020

Norton Rose Fulbright today launched its survey analysing regulatory and policy issues applicable to COVID-19 contact tracing and related tracking technology across 18 jurisdictions.

The global survey explores key issues across Australia, Canada, China, France, Germany, Hong Kong, Italy, Indonesia, Russia, Poland, Singapore, South Africa, Thailand, The Netherlands, Turkey, UAE, UK and US, including:

  • How are governments using technology to monitor and control the spread of COVID-19?
  • What are the major privacy concerns in relation to the utilisation of apps by both governments and private sector organisations?
  • How will the apps collect data and how is the
Continue Reading

How contact tracing apps in Asia are being used to fight COVID-19 – is the reward worth the risk?

Anna Gamvros (HK)By Anna Gamvros (HK) and Libby Ryan (HK) on Posted in General
Data Protection Report - Norton Rose Fulbright

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing.

Contact tracing applications essentially work using either Bluetooth technology or GPS to log every time two or more users are close to each other for a certain period of time. If a person is diagnosed with COVID-19, other users who were close to that person can then be … Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Susan Ross (US)Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Reflecting on APAC Data Protection and Cyber-security Highlights for 2019 (and what lies ahead!)

Anna Gamvros (HK)By Anna Gamvros (HK) and Libby Ryan (HK) on Posted in General
Norton Rose Fulbright - Data Protection Report blog

2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May, 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.… Continue Reading

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

Marcus Evans (UK)Christoph Ritzer (DE)David Kessler (US)By Marcus Evans (UK), Christoph Ritzer (DE), Janine Regan (UK) and David Kessler (US) on Posted in Compliance and risk management, Enforcement, General

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs. They need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of SCCs.… Continue Reading

New York’s Breach Law Amendments and New Security Requirements

David Kessler (US)Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General

Although California has recently captured the lion’s share of attention with respect to privacy and security, on October 23, 2019, New York’s amended security breach law goes into effect, and on March 1, 2020, new security safeguards go live (N.Y. S.B. 5575). Anyone with personal information about a New York resident is potentially affected by these far-reaching amendments.

Breach Law Changes

Readers may recall that New York’s security breach notification law (N.Y. Gen. Bus. Law § 899-aa) differs from most states’ law in several ways including (1) using separate definitions of “personal information” and “private information;” and (2) providing factors … Continue Reading

Office of Privacy Commissioner Says It’s Status Quo on Consent Requirements for Data Processing Transfers

Ann Henderson (CA)Julie Himo (CA)John Cassell (CA)Alexis Kerr (CA)By Ann Henderson (CA), Julie Himo (CA), John Cassell (CA) and Alexis Kerr (CA) on Posted in Compliance and risk management, Data breach, General

On September 23, the Office of the Privacy Commissioner of Canada (OPC) announced, following consultation with stakeholders, that it will maintain the position set out in its 2009 guidelines that an organization’s transfer of personal information to a third party for processing, including a transfer across the Canadian border, is a “use” of that personal information, and not a disclosure that requires separate consent.

This announcement brings at least temporary clarity to an issue that resulted in a tumultuous summer for organizations and the OPC alike as everyone grappled with the potential consequences of the OPC’s June … Continue Reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

Pierre Bienvenu (CA)Ben Grant (UK)By Pierre Bienvenu (CA) and Ben Grant (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading

US CLOUD Act and International Privacy

Marcus Evans (UK)David Kessler (US)Jim Lennon (AU)Susan Ross (US)By Marcus Evans (UK), David Kessler (US), Jim Lennon (AU) and Susan Ross (US) on Posted in Compliance and risk management, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.… Continue Reading

Cyber law firm of the year nomination

Chris Cwalina (US)Ffion Flockhart (UK)Steven Hadwin (UK)By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on Posted in General
Norton Rose Fulbright - Data Protection Report blog

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading

German antitrust authority prohibits Facebook from combining users’ personal data

Christoph Ritzer (DE)Maxim Kleine (DE)Natalia Filkina (DE)By Christoph Ritzer (DE), Maxim Kleine (DE) and Natalia Filkina (DE) on Posted in General
Data Protection Report - Norton Rose Fulbright

On 7 February 2019, the German antitrust authority (Bundeskartellamt, the FCO) ruled against Facebook combining user personal data from different sources, saying it was exploiting its position as a dominant social media company in violation of the EU data protection laws.

The FCO said that Facebook abused its market dominance in:

  • collecting, merging and using personal data; and
  • failing to provide a choice to its customers to prevent collection of their data.

Consequences of the German antitrust authority’s decision

Facebook can no longer combine the personal data gathered from its own website, Facebook-owned services (like WhatsApp and … Continue Reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

Kathleen Scott (US)Susan Ross (US)Tristan Coughlin* (US)By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions
Data Protection Report - Norton Rose Fulbright

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.… Continue Reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading

Browsewrap agreements: Are you covered?

Spencer Persson (US)By Spencer Persson (US) on Posted in Dispute resolution and litigation, General
Norton Rose Fulbright - Data Protection Report blog

In a recent decision, a California federal court held that an arbitration provision contained in Viacom, Inc.’s browsewrap agreement was unenforceable and denied Viacom’s request to stay the case pending arbitration.[1] The court’s decision in Rushing v. Viacom, Inc. is consistent with “courts’ traditional reluctance to enforce browsewrap agreements against individual consumers.”[2]Continue Reading

LexBlog