Topic: Regulatory response

Subscribe to Regulatory response RSS feed

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Three

Marcus Evans (UK)Jay Modrall (BE)Michael Sinclair (UK)By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part three of a series of three blog posts.  In this blog post, we consider the DGR’s relationship to competition law rules.

The DGR’s relationship to competition law rules

The DGR specifies that:

  • It does not affect the application of EU competition rules – in particular rules on the exchange of competitively sensitive information between actual or potential competitors through data
Continue Reading

EU data governance regulation – A wave of digital, regulatory and antitrust reform begins – Part Two

Marcus Evans (UK)Jay Modrall (BE)Michael Sinclair (UK)By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part two of a series of three blog posts.  In this blog post, we outline the new regimes for data sharing service providers and data altruism under the DGR, and consider the potential impact on businesses.

New regime for data sharing service providers

The EC anticipates that providers of data sharing services, or data intermediaries, will play a key role in … Continue Reading

EU data governance regulation – a wave of digital, regulatory and antitrust reform begins – Part 1

Marcus Evans (UK)Jay Modrall (BE)Michael Sinclair (UK)By Marcus Evans (UK), Jay Modrall (BE) and Michael Sinclair (UK) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part one of a series of three blog posts.  In this first blog post, we outline key aspects of the DGR, set it in the context of other reforms proposed by the EC, consider public-sector data sharing under the DGR, and look at its potential impact on businesses.

The DGR, proposed in the EC’s February 2020 Digital Strategy, is the … Continue Reading

Hong Kong introduces a contact tracing app

Anna Gamvros (HK)Edward Yau (HK)By Anna Gamvros (HK) and Edward Yau (HK) on Posted in Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed.

On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning the venue QR code. It has been reported that over 6,000 public and private venues will support the app.

Also in the region, the Singapore government is aiming to make use of its contact tracing app mandatory by the end of 2020. It is proposed … Continue Reading

European data export bonanza: revised SCCs and EDPB Schrems II guidance published

Marcus Evans (UK)Lara White (UK)Christoph Ritzer (DE)By Marcus Evans (UK), Lara White (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data Transfer, Regulatory response
Data Protection Report - Norton Rose Fulbright

On 12 November, the European Commission published revised Standard Contractual Clauses (SCCs) and a draft implementing decision.  A feedback period on the draft documents will run until 10 December.  Therefore, it is not possible to give a precise date for when the draft SCCs will become final but it could be by the end of the year.

The new SCCs aim to modernise the clauses in line with the GDPR and to cover a multitude of different types of transfers to cater for “the complexity of modern processing chains”.  The clauses also aim to “provide for Continue Reading

Two new CJEU judgments further tighten limits of government surveillance – significant for impending UK adequacy decision and “Schrems II country assessments”

Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Data breach, Data Transfer, Regulatory response

On 6 October 2020, the Court of Justice of the European Union (CJEU) published two decisions that further define the permitted scope of governmental access to personal data.

These decisions are relevant in two key areas:

  1. Complying with the Schrems II judgement: The judgment provides some guidance on how organisations should undertake the “case-by-case assessments” of third countries to which they are transferring personal data using the European Commission approved Standard Contractual Clauses (SCCs); and
  2. Brexit: The judgement also gives some clues as to the standard to which the UK will be held as it
Continue Reading

ICO provides guidance on calculating monetary penalties

Marcus Evans (UK)Lara White (UK)Steven Hadwin (UK)Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Schrems II: recent developments – waiting is harder

Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

Algorithmic Decision-making and the UK ICO’s Guidance on AI

Magdalene Lie (UK)By Magdalene Lie (UK) on Posted in General, Regulatory response

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been reminded of the potential backlash that could result from decisions that are perceived as incorrect or unfair by algorithms where the workings of which are largely unknown to the individuals they affect. This presents challenges for organisations which are increasingly adopting Artificial … Continue Reading

Schrems II landmark ruling: Privacy Shield is invalid, Standard Contractual Clauses are valid but court puts obligations on parties and authorities

Marcus Evans (UK)Christoph Ritzer (DE)By Marcus Evans (UK), Christoph Ritzer (DE) and Janine Regan (UK) on Posted in Data breach, Enforcement, General, Regulatory response

The Court of Justice of the European Union (CJEU) has today published its decision in the landmark case, known as Schrems II. While Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but the court has emphasised obligations on the parties to the SCCs  and Data Protection Authorities which have the potential to restrict when they can be used.

Here is a very short first summary:

  1. Privacy Shield is invalid.  This is on the basis that the access and use of EU personal data by US authorities are not restricted in a way
Continue Reading

Cell phones, robocalls, and text messages – two pronouncements

David Kessler (US)Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Regulatory response

On July 6, 2020, the U.S. Supreme Court upheld most of the federal law that prohibits “robocalls” to cell phones but struck down the exception for collection of debts owed to the federal government.  (Barr v. American Association of Political Consultants, No. 19–631 (July 6, 2020) (2020 WL 3633780).)  Previously, on June 25, a Bureau of the Federal Communications Commission issued some guidance on what constitutes an “autodialer” (or “automatic telephone dialing system“—“ATDS”) relating to that law’s prohibition on text messages.  (In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, P2P Alliance Petition Continue Reading

Thailand Personal Data Protection Law

Tassanai KiratisountornPimchanok EianlengAnna Gamvros (HK)Ruby Kwok (HK)By Tassanai Kiratisountorn, Pimchanok Eianleng, Anna Gamvros (HK) and Ruby Kwok (HK) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

Background

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become effective on 27 May 2020, 1 year after the PDPA is published.

The PDPA is under the supervision of the Ministry of Digital Economy and Society and the main supervising authority of the PDPA is the Office of Data Protection Committee (OfficeContinue Reading

Application by Privacy Commissioner To Shed Light on Judicial Enforcement of PIPEDA

Jean-Simon SchoenholzBy Jean-Simon Schoenholz on Posted in Compliance and risk management, Cybersecurity, Dispute resolution and litigation, Regulatory response
Data Protection Report - Norton Rose Fulbright

Recent legal action by the Office of the Privacy Commissioner of Canada (OPC) will shed light on the Federal Court’s willingness to enforce and monitor compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). On February 6, the OPC filed a notice of application (the Application) in the Federal Court seeking a declaration that Facebook has contravened PIPEDA and various orders that would compel Facebook to bring itself into compliance. [1] Organizations governed by PIPEDA should keep a close eye on the Court’s inquiry as well as any eventual order enforcing compliance with the Act.… Continue Reading

Changes to Hong Kong’s data protection law discussed by government panel

Anna Gamvros (HK)By Anna Gamvros (HK) and Libby Ryan (HK) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose Fulbright

The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the  Legislative Council’s Panel on Constitutional Affairs’ (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.Continue Reading

Discussion paper published on Hong Kong’s data protection law

Anna Gamvros (HK)By Anna Gamvros (HK) on Posted in Regulatory response

Written by Partner Anna Gamvros and Associate Libby Ryan, both based in the Hong Kong office.

Earlier this week, the Constitutional and Mainland Affairs Bureau (the CMAB)  released its discussion paper (LC Paper. No. CB(2) 512/19-20(03) (the Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The Paper was released on Monday 13th January, as part of an agenda for the Panel meeting which was held on Monday, 20th January, and follows proposals by the Privacy Commissioner for Personal Data (the Commissioner) to … Continue Reading

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

Ekin Inal (TR)Ece Sürmen (TR)Ecem Naz Boyacıoğlu (TR)By Ekin Inal (TR), Ece Sürmen (TR) and Ecem Naz Boyacıoğlu (TR) on Posted in Regulatory response

The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:

  • Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
  • Data controllers located abroad.
Continue Reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Ekin Inal (TR)By Ekin Inal (TR) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading

FTC to levy unprecedented $US5bn fine against Facebook

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose Fulbright

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading

ICO’s draft Age Appropriate Design Code could seriously impact processing of under 18’s personal data

Fiona Bundy-Clarke (UK)By Fiona Bundy-Clarke (UK) on Posted in Regulatory response
Data Protection Report - digital privacy, CCPA and cybersecurity

On 15 April 2019, the ICO opened a public consultation on a draft code of practice titled Age Appropriate Design (the “Code”).  The Code will remain open for public consultation until 31 May 2019.

The consultation document is described as a “code of practice for online services likely to be accessed by children.”  However, its potential impact is in fact wider, and is perhaps better described as applying to all online services that are not demonstrably unlikely to be accessed by children, which it controversially defines as individuals under 18.  For this reason, the Code in its current form … Continue Reading

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

David Kessler (US)Christoph Ritzer (DE)Sven Jacobs (DE)Anna Rudawski (US)Max Kellogg (US)By David Kessler (US), Christoph Ritzer (DE), Sven Jacobs (DE), Anna Rudawski (US) and Max Kellogg (US) on Posted in Compliance and risk management, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the … Continue Reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.… Continue Reading

European Commission adopts adequacy decision on Japan

Lara White (UK)Shiv Daddar (UK)By Lara White (UK) and Shiv Daddar (UK) on Posted in Regulatory response
Data Protection Report - Norton Rose Fulbright

On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of dialogue and negotiations between both parties.

According to a joint statement issued by  Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) and Haruhi Kumazawa (Commissioner of the Personal Information Protection Commission of Japan), “these mutual adequacy findings create the world’s largest Continue Reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading

EDPB clarifies territorial scope of the GDPR

Marcus Evans (UK)Anna Rudawski (US)By Marcus Evans (UK) and Anna Rudawski (US) on Posted in Compliance and risk management, Data breach, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

On November 23, 2018, the European Data Protection Board (“EDPB”) issued highly anticipated draft Guidelines (the “Guidelines”) on the territorial scope of the GDPR. See our previous blog posts on the GDPR here and here. The Guidelines provide some clarity around the scope and applicability of the GDPR to data Controllers and Processors both inside and outside the EU.… Continue Reading

LexBlog