On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.… Continue Reading
Topic: Regulatory response
Subscribe to Regulatory response RSS feedCalifornia Consumer Privacy Act blog series: Covered entities
This is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.
California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the … Continue Reading
Overview of Thailand Draft Personal Data Protection Act
Posted in Regulatory response
Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.
Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level … Continue Reading
The European Parliament asks for the suspension of the privacy shield
Posted in Regulatory response
On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.
The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.
Since the European Parliament’s resolution is … Continue Reading
US states pass data protection laws on the heels of the GDPR
Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data. The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the California Consumer Privacy Act (“CCPA”) here.… Continue Reading
GDPR is upon us: are you ready for what comes next?
The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how … Continue Reading
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK
The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.… Continue Reading
FTC, privacy, vendor due diligence and opt-in consent
Posted in Regulatory response
On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate … Continue Reading
Singapore PDPC responds to feedback on public consultation on approaches to managing personal data
On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.
We set out below … Continue Reading
WP29 brings Binding Corporate Rules in line with the GDPR
Posted in Regulatory responseOn February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.… Continue Reading
Amended Colorado bill aims to enhance data privacy laws
As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.… Continue Reading
New York permits discovery of “private” social media posts
Posted in Regulatory response
On February 13, 2018, in Forman v. Henkin, 2018 NY Slip Op 01015, New York’s highest state court unanimously ruled that “private” social media posts may be subject to discovery in civil lawsuits.… Continue Reading
Connecticut case finds health care privacy cause of action
Posted in Regulatory response
On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.… Continue Reading
Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments
Posted in Regulatory responseIllegal robocalls are a “scourge.” So says FCC Chairman Ajit Pai, and most consumers likely agree. Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls. The FCC issued a report and order in November 2017 authorizing telecommunications providers to block certain types of calls considered “highly likely to be illegitimate.” In late January 2018, the FTC responded with a staff letter expressing support for the FCC’s efforts and offering suggestions for addressing erroneously blocked calls. … Continue Reading
February 15 deadline looms for first DFS Cybersecurity Certification
Posted in Regulatory response
February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of the DFS, which include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity.… Continue Reading
Data breach notification to become mandatory in Australia from 22 February 2018
Posted in Regulatory response
Privacy compliance will become even more important for all companies in Australia now that the mandatory data breach notification scheme has been enacted.
From 22 February 2018, certain data breaches (known as “eligible data breaches”) will need to be notified to the Australian Privacy Commissioner and affected individuals. Previously, notification of data breaches was optional.… Continue Reading
China issues Personal Information Security Specification
Posted in Regulatory response
On 29 December 2017 the Standardization Administration of China issued an Information Security Technology – Personal Information Security Specification(GB/T 35273-2017)(the “Specification”), which will come into effect on 1 May 2018. … Continue Reading
US HHS OCR issues cyber extortion newsletter
Posted in Regulatory response
This week, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a January 2018 newsletter focusing on “cyber extortion.” Cyber extortion often involves an attacker gaining access to an organization’s computer system, stealing sensitive information, and threatening to publish the information. Healthcare and public health organizations are often the targets of these attacks, so affected data frequently includes protected health information, or PHI. The OCR newsletter indicates that incidents of cyber extortion have been steadily increasing over the past several years and will continue to disrupt many organizations.… Continue Reading
New California “sanctuary” law restricts access to workers and their records
Posted in Regulatory response
A new state law places California businesses on the front line in responding to federal immigration enforcement actions. Effective January 1, 2018, AB 450 requires California employers to protect employees and their private information from warrantless “workplace raids” and I-9 form demands, and to warn employees who become targets of an immigration investigation.… Continue Reading
New U.S. defense bill targets drones, raises potential privacy and security concerns
Posted in Regulatory responseThe National Defense Authorization Act of 2018 (NDAA),[1] signed into law in December 2017, did not only authorize United States defense spending for the 2018 fiscal year – it also contained a section devoted to unmanned aerial systems.… Continue Reading
South Dakota and Colorado strengthen data breach protections
Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in light of Congress’s inaction regarding data breach legislation.… Continue Reading
New security requirements issued for credit card payments on mobile devices
Posted in Regulatory responseOn January 24, 2018, the governing body for credit and debit cards, known as the Payment Card Industry (PCI) Security Standards Council, announced a new set of security requirements designed to address an increasingly popular way that merchants offer to consumers to pay for purchases: smartphones and tablets. … Continue Reading
Data privacy in Turkey
Posted in Regulatory response
Turkey continues to further develop its data protection regime. Recent developments include publication of a regulation and a guideline focusing on deletion, destruction and anonymization of personal data. These new pieces of legislation provide guidance on the methods to be used to remove personal data, which was previously processed and is no longer needed. Data controllers are now required to maintain an inventory of processed data and issue a policy on the retention and destruction of such data. Turkey’s efforts mark an important step in the development of a strong personal data protection scheme.
UK data protection after Brexit – UK government Statement of Intent contains few surprises
On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.… Continue Reading
