Topic: Privacy law

Singapore Releases Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems

On 18 July 2023, Singapore’s Personal Data Protection Commission (PDPC) issued its Proposed Advisory Guidelines on Use of Personal Data In AI Recommendation and Decision Systems (the Proposed AI Advisory Guidelines) for public consultation. The Proposed AI Advisory Guidelines address the following: The Proposed AI Advisory Guidelines may be accessed here. A brief summary of, … Continue reading

OCR and FTC Issue a Joint Letter Suggesting Enforcement Actions May Be in the Pipeline

By Anna Rudawski (US) and Alexis Wilpon (US) on July 21, 2023 Posted in Compliance and risk management, Data Protection, Privacy law

On July 20, 2023 HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection processes. The letter follows the much discussed December 1, 2022, Bulletin that expanded the kinds of websites and applications governed by HIPAA (you can read about our analysis of the bulletin … Continue reading

European Commission and ASEAN releases Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses

By Marcus Evans (UK), Anna Gamvros, Wilson Ang and Jeremy Lua (SG) on June 26, 2023 Posted in Data Protection, Data Transfer, PDPA, Privacy law

Introduction To enable international businesses to comply with cross-border personal data transfers and the relevant laws across the European Union (EU) and South-East Asia, on 24 May 2023 the European Commission and the Association of Southeast Asian Nations (ASEAN) published a Reference Guide to ASEAN Model Contractual Clauses (ASEAN MCCs) and EU Standard Contractual Clauses … Continue reading

The ICO urges organisations to start using privacy enhancing technologies to share personal data safely, securely and anonymously

By Olivia Wint and Lara White (UK) on June 26, 2023 Posted in General, Privacy law

On 19 June 2023, the UK Information Commissioner’s Office (the ICO) published guidance on privacy enhancing technologies (or PETs) (the Guidance). The Guidance sits alongside the ICO’s recommendation that organisations should, if they haven’t already, start using PETs to share personal data safely, securely and anonymously. Structure of the Guidance The Guidance is split into … Continue reading

Texas enacts comprehensive privacy law

By David Kessler (US), Susan Ross (US) and Seth Allen (US) on June 21, 2023 Posted in Privacy law

On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and Tennessee (which, like Texas, go into effect in 2024), Iowa (effective 2025) and Indiana (effective 2026). … Continue reading

Validating State Privacy Law Opt-Out Signals

By Steve Roosa (US) and Daniel Rosenzweig (US) on March 29, 2023 Posted in CCPA, Data Protection, Privacy law

State privacy laws, such as the California Consumer Privacy Act (CCPA), require companies to implement opt-out solutions and honor applicable privacy requests. But if you have implemented an opt-out, how do you know it actually works? Read the full NT Analyzer blog, “Validating State Privacy Law Opt-Out Signals.”… Continue reading

Privacy law is becoming more technically sophisticated. So should you.

By Steve Roosa (US), Daniel Rosenzweig (US) and Susan Ross (US) on March 22, 2023 Posted in Compliance and risk management, Privacy law

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.… Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

By Imran Ahmad (CA), Shreya Gupta and Jeremie Wyatt (CA) on March 7, 2023 Posted in Cybersecurity, Data Protection, Data Transfer, Intellectual Property, Privacy law

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

Privacy Act Review report

By Ka-Chi Cheung, Anna Gamvros, Jim Lennon (AU) and Ross Phillipson on February 23, 2023 Posted in Privacy law

Norton Rose Fulbright - Data Protection Report blog

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Privacy (Part 4)

By Imran Ahmad (CA) and Admin on February 23, 2023 Posted in Cybersecurity, Data Protection, Privacy law

Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world. Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through … Continue reading

Bring-Your-Own-Device Programs: A Balance Between Privacy and Cybersecurity

By Marisa Kwan, Joseph Cohen-Lyons, Curtis Armstrong and Admin on February 16, 2023 Posted in Cybersecurity, Privacy law

A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach … Continue reading

ICYMI – Late December in privacy and cybersecurity

By David Kessler (US) and Susan Ross (US) on January 30, 2023 Posted in Cybersecurity, Privacy law

Late December and early January tend to be a busy time for everyone, so you may have missed a privacy update or two during that time. We have set out some updates in the form of questions, with some links where you can find more information. Answers are below. 1. Colorado issued a revised draft … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

By Travis Walker and Imran Ahmad (CA) on January 16, 2023 Posted in Cybersecurity, Data breach, Data Protection, Privacy law

Data Protection Report - Norton Rose Fulbright

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

New guidance on direct marketing

By Ali Fazeli-Nia, Lara White (UK) and Janine Regan (UK) on January 10, 2023 Posted in Data Protection, Privacy law

Introduction On 5 December 2022, the Information Commissioner’s office (ICO) published its new guidance on direct marketing (the Direct Marketing Guidance). The Direct Marketing Guidance is accompanied by various resources, including checklists, FAQs, an online training module, specific guidance relating to SMEs, B2B marketing, data brokers, political campaigning and direct marketing in the public sector. … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on December 13, 2022 Posted in Data Protection, Privacy law

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading

What you should do now in light of the Privacy Reform bill

By Ross Phillipson and Anna Gamvros on October 26, 2022 Posted in Cybersecurity, Privacy law

Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

By Admin on October 24, 2022 Posted in Cybersecurity, Data Protection, M&A Transactions, Privacy law

Privacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities: Paving the way toward adequacy

By Shiv Daddar (UK), Marcus Evans (UK) and Lara White (UK) on October 18, 2022 Posted in Privacy law

As reported in our previous blogpost, on 7 October 2022, the US White House published an Executive Order on enhancing safeguards for United States signals intelligence activities (EO). In this blogpost, we set out the key points to note, including the background to the EO, what it does and does not do and what organisations … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

By Imran Ahmad (CA), Shreya Gupta and Suzie Suliman (CA) on October 17, 2022 Posted in Cybersecurity, Privacy law

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

By Imran Ahmad (CA) and Admin on October 5, 2022 Posted in Cybersecurity, Privacy law

In recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

California Age-Appropriate Design Code Act

By David Kessler (US), Susan Ross (US) and Daniel Rosenzweig (US) on September 23, 2022 Posted in Privacy law

On September 15, 2022, California’s Governor Newsom signed A.B. 2273, known as the California Age-Appropriate Design Code Act (“CADC”). The law, to be codified at Cal. Civ. §§ 1798.99.28 – 1798.99.40, will go into effect on July 1, 2024, but businesses that will be affected by it will need to be in compliance by that … Continue reading

Another Day, another large BIPA Settlement

By Alexis Wilpon (US), David Kessler (US) and Anna Rudawski (US) on August 30, 2022 Posted in BIPA, Compliance and risk management, Privacy law

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

By Anna Rudawski (US), Chris Cwalina (US) and David Kessler (US) on June 8, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading