Topic: Regulatory response

Subscribe to Regulatory response RSS feed

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy. The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market.… Continue Reading

EU – UK data transfers can continue: UK receives much welcome adequacy decision

By Marcus Evans (UK) and Janine Regan (UK) on June 28, 2021 Posted in Data Transfer, Regulatory response

Norton Rose Fulbright - Data Protection Report blog

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision). This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures.

For the time-being, however, the Decision does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the Immigration Exemption). The Immigration Exemption has been widely criticised by … Continue Reading

The EDPB publishes its finalised version of the Recommendations on supplementary measures

By Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 22, 2021 Posted in Data Transfer, Regulatory response

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to assist companies comply with the Schrems II judgement.

This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information). Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.

The new SCCs and the Recommendations show that compromise between the Commission and the EDPB has been … Continue Reading

A deeper dive into the new Standard Contractual Clauses

By Janine Regan (UK), Marcus Evans (UK), Lara White (UK) and Christoph Ritzer (DE) on June 7, 2021 Posted in Data Transfer, Regulatory response

On Friday 4 June, the European Commission published the finalised version of the new Standard Contractual Clauses for transferring personal data from the EU to third countries (the New SCCs). Privacy professionals have been waiting for the New SCCs for several years and have been particularly interested to know if the New SCCs will help address the complex requirements of the Schrems II case.

The good news is that the New SCCs allow companies to take a risk-based approach when making assessments on whether a third country’s access laws and practices provide adequate protection for personal data. This approach was … Continue Reading

European Commission publishes much anticipated finalised Standard Contractual Clauses

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on June 4, 2021 Posted in Data Transfer, Regulatory response

The European Commission has today published the finalised version of the new Standard Contractual Clauses (the new SCCs). The purpose of the new SCCs are to help companies legalise transfers of personal data from outside of the EEA. They will also be a lawful mechanism for UK companies to use too.

The new SCCs were updated to:

allow for various types of transfers (in particular those between a processor and a sub-processor);
give the clauses a GDPR ‘face lift’; and
address the requirements of the Schrems II judgement.

Organisations may continue to use the current SCCs until 27 September … Continue Reading

Proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts

By Anna Gamvros (HK), Ruby Kwok (HK) and Edward Yau (HK) on June 3, 2021 Posted in Regulatory response

The Hong Kong Government is proposing amendments to the Personal Data (Privacy) Ordinance (the “PDPO”) to combat doxxing acts. On 17 May 2021, the Constitutional and Mainland Affairs Bureau (the “CMAB”) published a discussion paper on the proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts (LC Paper No. CB(4)974/20-21(03)) (the “Paper”).

Doxxing is the act of publishing private or identifying information about an individual on the Internet, typically for malicious purposes, and has become more common in Hong Kong in recent years.

The Paper came more than a … Continue Reading

NYDFS settles cybersecurity regulation matter for $3 million

By David Kessler (US) and Susan Ross (US) on April 22, 2021 Posted in Cybersecurity, Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

On April 14, 2021, the New York Department of Financial Services (NYDFS) announced a $3 million settlement with insurance company National Securities Corp. (NSC), relating to violations of three different requirements of the NYDFS cybersecurity regulation during the period 2018 to 2020.… Continue Reading

EDPB cautiously welcomes UK adequacy finding

By Lara White (UK) and Janine Regan (UK) on April 16, 2021 Posted in General, Regulatory response

Yesterday, the European Data Protection Board (EDPB) published its opinion on the European Commission’s draft Decision that the UK ensures an adequate level of protection for personal data (the Opinion). The Opinion was adopted by the EDPB on 13 April 2021, a couple of days before the Opinion’s official publication on 15 April 2021.

The EDPB recognises that the UK’s adequacy assessment is unique given it was an EU Member State until very recently and therefore acknowledges there are many areas of convergence between the UK and EU regimes. However, much of the Opinion examines a number of “challenges” with … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

By Marcus Evans (UK) and Shiv Daddar (UK) on February 19, 2021 Posted in Enforcement, General, Regulatory response

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

By Ingemar Kartheuser and Natalia Filkina (DE) on February 18, 2021 Posted in Data Transfer, Regulatory response

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority which is leading a working group focusing on cloud providers is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The … Continue Reading

Tentative further steps towards an agreed ePrivacy Regulation

By Lara White (UK) and Fiona Bundy-Clarke (UK) on February 15, 2021 Posted in Regulatory response

It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed. Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate industry lobbying by both the AdTech industry and privacy organisations.

On 10 February 2021, the Council of the EU’s Permanent Representatives Committee (COREPER) finally adopted an agreed position on the ePrivacy Regulation, allowing the legislation to progress to the next stage of negotiation, namely the … Continue Reading

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Three

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part three of a series of three blog posts. In this blog post, we consider the DGR’s relationship to competition law rules.

The DGR’s relationship to competition law rules

The DGR specifies that:

It does not affect the application of EU competition rules – in particular rules on the exchange of competitively sensitive information between actual or potential competitors through data

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Two

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

This is part two of a series of three blog posts. In this blog post, we outline the new regimes for data sharing service providers and data altruism under the DGR, and consider the potential impact on businesses.

New regime for data sharing service providers

The EC anticipates that providers of data sharing services, or data intermediaries, will play a key role in … Continue Reading

EU data governance regulation – a wave of digital, regulatory and antitrust reform begins – Part 1

By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on December 17, 2020 Posted in Regulatory response

This is part one of a series of three blog posts. In this first blog post, we outline key aspects of the DGR, set it in the context of other reforms proposed by the EC, consider public-sector data sharing under the DGR, and look at its potential impact on businesses.

The DGR, proposed in the EC’s February 2020 Digital Strategy, is the … Continue Reading

Hong Kong introduces a contact tracing app

By Anna Gamvros (HK) and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on November 13, 2020 Posted in Data Transfer, Regulatory response

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision. A feedback period on the draft documents will run until 10 December. Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”. The clauses also aim to “provide for … Continue Reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

By Marcus Evans (UK) and Janine Regan (UK) on October 15, 2020 Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it

ICO provides guidance on calculating monetary penalties

By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on October 7, 2020 Posted in Enforcement, Regulatory response

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Schrems II: recent developments – waiting is harder

By Marcus Evans (UK) and Janine Regan (UK) on September 9, 2020 Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”. There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment. Companies can no longer “do nothing” in the hope that the difficult implications will go away. Regulators are starting to investigate. Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

Algorithmic Decision-making and the UK ICO’s Guidance on AI

By Magdalene Lie (UK) on September 8, 2020 Posted in General, Regulatory response

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been reminded of the potential backlash that could result from decisions that are perceived as incorrect or unfair by algorithms where the workings of which are largely unknown to the individuals they affect. This presents challenges for organisations which are increasingly adopting Artificial … Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on July 16, 2020 Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

Privacy Shield is invalid. This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way

Cell phones, robocalls, and text messages – two pronouncements

By David Kessler (US) and Susan Ross (US) on July 7, 2020 Posted in Compliance and risk management, Cybersecurity, Regulatory response

On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government. (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).) Previously, on June 25, a Bureau of the Federal Communications Commission issued some guidance on what constitutes an “autodialer” (or “automatic telephone dialing system“—“ATDS”) relating to that law’s prohibition on text messages. (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, P2P Alliance Petition … Continue Reading

Thailand Personal Data Protection Law

By Tassanai Kiratisountorn, Pimchanok Eianleng, Anna Gamvros (HK) and Ruby Kwok (HK) on February 28, 2020 Posted in Regulatory response

Background

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become effective on 27 May 2020, 1 year after the PDPA is published.

The PDPA is under the supervision of the Ministry of Digital Economy and Society and the main supervising authority of the PDPA is the Office of Data Protection Committee (Office… Continue Reading

Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA

By Jean-Simon Schoenholz on February 24, 2020 Posted in Compliance and risk management, Cybersecurity, Dispute resolution and litigation, Regulatory response

Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. [1] Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.… Continue Reading