Topic: Privacy law

Subscribe to Privacy law RSS feed

Singapore Releases Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems

On 18 July 2023, Singapore’s Personal Data Protection Commission (PDPC) issued its Proposed Advisory Guidelines on Use of Personal Data In AI Recommendation and Decision Systems (the Proposed AI Advisory Guidelines) for public consultation. The Proposed AI Advisory Guidelines address the following: The Proposed AI Advisory Guidelines may be accessed here. A brief summary of, … Continue reading

OCR and FTC Issue a Joint Letter Suggesting Enforcement Actions May Be in the Pipeline

On July 20, 2023 HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection processes.  The letter follows the much discussed December 1, 2022, Bulletin that expanded the kinds of websites and applications governed by HIPAA (you can read about our analysis of the bulletin … Continue reading

European Commission and ASEAN releases Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses

Introduction To enable international businesses to comply with cross-border personal data transfers and the relevant laws across the European Union (EU) and South-East Asia, on 24 May 2023 the European Commission and the Association of Southeast Asian Nations (ASEAN) published a Reference Guide to ASEAN Model Contractual Clauses (ASEAN MCCs) and EU Standard Contractual Clauses … Continue reading

The ICO urges organisations to start using privacy enhancing technologies to share personal data safely, securely and anonymously

On 19 June 2023, the UK Information Commissioner’s Office (the ICO) published guidance on privacy enhancing technologies (or PETs) (the Guidance). The Guidance sits alongside the ICO’s recommendation that organisations should, if they haven’t already, start using PETs to share personal data safely, securely and anonymously. Structure of the Guidance The Guidance is split into … Continue reading

Texas enacts comprehensive privacy law

On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and Tennessee (which, like Texas, go into effect in 2024), Iowa (effective 2025) and Indiana (effective 2026).  … Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

Privacy Act Review report

Norton Rose Fulbright - Data Protection Report blogThe Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Privacy (Part 4)

Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world.  Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through … Continue reading

Bring-Your-Own-Device Programs: A Balance Between Privacy and Cybersecurity

A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

Data Protection Report - Norton Rose FulbrightIn three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

New guidance on direct marketing

Introduction On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance). The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector. … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).  The draft decision – available here – addresses the concerns raised by the Court of Justice  of the European Union (CJEU) in its Schrems II decision of July 2020.  These concerns centred around … Continue reading

What you should do now in light of the Privacy Reform bill

Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

Data Protection Report - Norton Rose FulbrightPrivacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities: Paving the way toward adequacy

As reported in our previous blogpost, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO). In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

In recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

California Age-Appropriate Design Code Act

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”).  The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”).  The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties.  Indeed, Snap joins a string of other companies that have already … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading
LexBlog