Topic: Regulatory response

Subscribe to Regulatory response RSS feed

GDPR is upon us: are you ready for what comes next?

By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on May 23, 2018 Posted in Compliance and risk management, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

By Steven Hadwin (UK) on May 10, 2018 Posted in Compliance and risk management, Regulatory response

Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

FTC, privacy, vendor due diligence and opt-in consent

By Susan Ross (US) on May 10, 2018 Posted in Regulatory response

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two … Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

By Stella Cramer (SG), Wilson Ang, Jessica Paulin, David Olds and Jeremy Lua on March 11, 2018 Posted in Compliance and risk management, Data breach, Regulatory response

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data … Continue reading

WP29 brings Binding Corporate Rules in line with the GDPR

By Lara White and Anna Rudawski (US) on February 28, 2018 Posted in Regulatory response

On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.… Continue reading

Amended Colorado bill aims to enhance data privacy laws

By Kim Gold (US) on February 21, 2018 Posted in Regulatory response

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue reading

Connecticut case finds health care privacy cause of action

By Susan Ross (US) and Kim Gold (US) on February 15, 2018 Posted in Regulatory response

On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy.… Continue reading

Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments

By Allison Lange Garrison (US) and Susan Ross (US) on February 13, 2018 Posted in Regulatory response

Illegal robocalls are a “scourge.” So says FCC Chairman Ajit Pai, and most consumers likely agree. Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls. The FCC issued a report and order in November 2017 authorizing telecommunications … Continue reading

February 15 deadline looms for first DFS Cybersecurity Certification

By Kathleen Scott (US) and Susan Ross (US) on February 8, 2018 Posted in Regulatory response

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of … Continue reading

Data breach notification to become mandatory in Australia from 22 February 2018

By Jim Lennon (AU) and Edward Odendaal (AU) on February 7, 2018 Posted in Regulatory response

Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted. From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals. Previously, notification of data breaches was optional.… Continue reading

China issues Personal Information Security Specification

By Barbara Li (CI) and Jane Wang (CI) on February 5, 2018 Posted in Regulatory response

The Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification, which will come into effect on 1 May 2018.… Continue reading

US HHS OCR issues cyber extortion newsletter

By Kim Gold (US) and Alexis Wilpon (US) on February 1, 2018 Posted in Regulatory response

This week, the US Department of Health and Human Services HHS Office for Civil Rights published a January 2018 newsletter focusing on cyber extortion.… Continue reading

New California “sanctuary” law restricts access to workers and their records

By Kim Gold (US) and Allison Lange Garrison (US) on January 30, 2018 Posted in Regulatory response

A new state law places California businesses on the front line in responding to federal immigration enforcement actions. Effective January 1, 2018, AB 450 requires California employers to protect employees and their private information from warrantless “workplace raids” and I-9 form demands, and to warn employees who become targets of an immigration investigation.… Continue reading

New U.S. defense bill targets drones, raises potential privacy and security concerns

By Susan Ross (US) on January 30, 2018 Posted in Regulatory response

The National Defense Authorization Act of 2018 (NDAA),[1] signed into law in December 2017, did not only authorize United States defense spending for the 2018 fiscal year – it also contained a section devoted to unmanned aerial systems.… Continue reading

South Dakota and Colorado strengthen data breach protections

By Kim Gold (US) on January 29, 2018 Posted in Regulatory response

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in … Continue reading

New security requirements issued for credit card payments on mobile devices

By Susan Ross (US) on January 25, 2018 Posted in Regulatory response

On January 24, 2018, the governing body for credit and debit cards, known as the Payment Card Industry (PCI) Security Standards Council, announced a new set of security requirements designed to address an increasingly popular way that merchants offer to consumers to pay for purchases: smartphones and tablets. … Continue reading

Data privacy in Turkey

By Ekin Inal on December 6, 2017 Posted in Regulatory response

This article was written by Ekin Inal and Cansu Kahya, lawyers of Bilgiç Attorney Partnership, a partnership registered with the Istanbul Bar Association, with which Norton Rose Fulbright has a professional association. Turkey continues to further develop its data protection regime. Recent developments include publication of a regulation and a guideline focusing on deletion, destruction … Continue reading

UK data protection after Brexit – UK government Statement of Intent contains few surprises

By Marcus Evans (UK) and Shiv Daddar on August 16, 2017 Posted in Compliance and risk management, Regulatory response

On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes … Continue reading

US Senators introduce IoT cybersecurity bill

By Anna Rudawski (US) on August 3, 2017 Posted in Compliance and risk management, Regulatory response, Vendor management and transactions

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure. The draft bill, introduced by a bipartisan … Continue reading

US Coast Guard Releases Draft Cybersecurity Guidelines

By Anna Rudawski (US) on July 26, 2017 Posted in Compliance and risk management, Regulatory response

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until … Continue reading

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

By Anna Gamvros and Ruby Kwok (HK) on July 19, 2017 Posted in Compliance and risk management, Regulatory response

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.… Continue reading

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

By Barbara Li (CI), Anna Gamvros, Tom Wong and Ruby Kwok (HK) on July 17, 2017 Posted in Compliance and risk management, Regulatory response

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key … Continue reading

The Privacy Implications of Autonomous Vehicles

By Norton Rose Fulbright on July 17, 2017 Posted in Compliance and risk management, Regulatory response

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology. This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues. Background As the development and testing of self-driving car technology has progressed, the … Continue reading