Topic: Regulatory response

Subscribe to Regulatory response RSS feed

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

Norton Rose Fulbright - Data Protection Report blog

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”).… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

European Commission adopts adequacy decision on Japan

By Lara White (UK) and Shiv Daddar (UK) on January 24, 2019 Posted in Regulatory response

Data Protection Report - Norton Rose Fulbright

On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of … Continue reading

California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 14, 2019 Posted in Compliance and risk management, Enforcement, Regulatory response

The California Consumer Privacy Act of 2018 (“CCPA”), California’s new privacy law which takes effect on January 1, 2020, requires the Attorney General to adopt implementing regulations that further the objectives of the CCPA. Much concern has been raised about the law as currently written, including by Attorney General Xavier Becerra himself. With regulations set … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

EDPB clarifies territorial scope of the GDPR

By Marcus Evans (UK) and Anna Rudawski (US) on December 6, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside … Continue reading

New China Guideline for Internet Personal Information Security Protection

By Barbara Li (CN) and Bohua Yao (CN) on December 5, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue reading

California Consumer Privacy Act blog series: Covered entities

By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on August 16, 2018 Posted in Compliance and risk management, General, Regulatory response

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.… Continue reading

Overview of Thailand Draft Personal Data Protection Act

By Natpakal Rerknithi (TH), Anna Gamvros (HK) and Ruby Kwok (HK) on August 6, 2018 Posted in Regulatory response

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading

The European Parliament asks for the suspension of the privacy shield

By Chris Cwalina (US), Jeewon Kim Serrato (US), Susan Ross (US) and Tristan Coughlin* (US) on July 17, 2018 Posted in Regulatory response

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while … Continue reading

US states pass data protection laws on the heels of the GDPR

By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin* (US) and Katey Fardelmann (US) on July 9, 2018 Posted in Compliance and risk management, Regulatory response

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with … Continue reading

GDPR is upon us: are you ready for what comes next?

By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on May 23, 2018 Posted in Compliance and risk management, Regulatory response

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

By Steven Hadwin (UK) on May 10, 2018 Posted in Compliance and risk management, Regulatory response

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

FTC, privacy, vendor due diligence and opt-in consent

By Susan Ross (US) on May 10, 2018 Posted in Regulatory response

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two … Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang (SG), Jessica Paulin (SG), David Olds (SG) and Jeremy Lua (SG) on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading

WP29 brings Binding Corporate Rules in line with the GDPR

By Lara White (UK) and Anna Rudawski (US) on February 28, 2018 Posted in Regulatory response

On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.… Continue reading

Amended Colorado bill aims to enhance data privacy laws

By on February 21, 2018 Posted in Regulatory response

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue reading

Connecticut case finds health care privacy cause of action

By Susan Ross (US) on February 15, 2018 Posted in Regulatory response

On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.… Continue reading

Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments

By Allison Lange Garrison (US) and Susan Ross (US) on February 13, 2018 Posted in Regulatory response

Illegal robocalls are a “scourge.” So says FCC Chairman Ajit Pai, and most consumers likely agree. Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls. The FCC issued a report and order in November 2017 authorizing telecommunications … Continue reading

February 15 deadline looms for first DFS Cybersecurity Certification

By Kathleen Scott (US) and Susan Ross (US) on February 8, 2018 Posted in Regulatory response

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of … Continue reading

Data breach notification to become mandatory in Australia from 22 February 2018

By Jim Lennon (AU) and Edward Odendaal (AU) on February 7, 2018 Posted in Regulatory response

Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted. From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals. Previously, notification of data breaches was optional.… Continue reading

China issues Personal Information Security Specification

By Barbara Li (CN) on February 5, 2018 Posted in Regulatory response

The Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification, which will come into effect on 1 May 2018.… Continue reading

US HHS OCR issues cyber extortion newsletter

By Alexis Wilpon (US) on February 1, 2018 Posted in Regulatory response

This week, the US Department of Health and Human Services HHS Office for Civil Rights published a January 2018 newsletter focusing on cyber extortion.… Continue reading