Another Day, another large BIPA Settlement

It appears Snap has become the most recent company to pay a settlement for alleged violations of Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular class action and source of significant penalties. Indeed, Snap joins a string of other companies that have already … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 1

By Suzie Suliman (CA), Shreya Gupta and Imran Ahmad (CA) on August 29, 2022 Posted in Compliance and risk management, Cybersecurity

On July 13, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released its final Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need ensure that they have taken steps to comply with the requirements … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

The aftermath of an incident – business considerations surrounding record-keeping

By Jeremie Wyatt (CA), John Cassell (CA) and Sara A. Levine, QC (CA) on August 2, 2022 Posted in Compliance and risk management, Data breach, Vendor management and transactions

In our previous publication, we discussed the legal obligations and procedural considerations surrounding maintaining records of privacy incidents. While the specific obligations vary by jurisdiction, maintaining some form of a record that tracks privacy incidents is a statutory obligation for private-sector organizations subject to Quebec, Alberta, or federal laws. Organizations should also be aware of … Continue reading

Google Data Safety Forms must be submitted by July 20, 2022

By Steve Roosa (US) and Daniel Rosenzweig (US) on July 15, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Forms must be submitted by July 20, 2022. According to Google, failing to post by July 20, 2022 can result in the rejection of new Google Play app submissions. After July 20,200, non-compliant apps could face removal from the Google Play. It’s the business’s job to take ownership over the accuracy of … Continue reading

Was RI Advice a watershed for cybersecurity law in Australia or a damp squib?

By Ehsan Ghavidel on May 25, 2022 Posted in Cybersecurity

Data Protection Report - Norton Rose Fulbright

In this article we distil critical lessons from the Federal Court’s recent decision in Australian Securities and Investments Commission v RI Advice Group Pty Ltd[1] and practical actions to be taken by Boards and executive management. Boards and organisations should assess their cybersecurity risk management activities in light of the decision and ask whether current … Continue reading

New PCI DSS v4.0 – Flexibility added

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 16, 2022 Posted in Cybersecurity

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

“Dark patterns?” EDPB draft guidance sets out its expectations on subliminal privacy eroding practices

By Polina Maloshchinskaia on May 3, 2022 Posted in Privacy law

Norton Rose Fulbright - Data Protection Report blog

The EDPB has published draft guidance on “dark patterns” in social media (the Guidelines) for consultation. The Guidelines consider in detail common social media interfaces that present the content of privacy policies and collect consent in ways which substantively violate the GDPR requirements, while still pretending to formally comply with them (these methods now termed … Continue reading

Another fine for over-retention of data

By David Kessler (US) and Susan Ross (US) on April 7, 2022 Posted in Compliance and risk management

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading

Nascent EU/ US Trans-Atlantic Data Privacy Framework: some points to note

By Marcus Evans (UK) and Shiv Daddar (UK) on April 1, 2022 Posted in Privacy law

On 25 March the EU Commission (Commission) and United States (US) announced that they had agreed in principle on a new “Trans-Atlantic Data Privacy Framework” (TADPF) to foster trans-Atlantic data flows and address the concerns raised by Schrems II. We briefly discuss the implications below. The announcement was very high level and short on detail. … Continue reading

UK proposes rules to protect against anonymous online trolls

By Kerri Gevers (SG) on March 24, 2022 Posted in General

The UK Government has added two new duties to the proposed Online Safety Bill (the Bill) that are aimed at protecting people against anonymous online abuse. These measures would give users of “main social media firms” more control over who can interact with them and the type of content users see (see the Government’s press … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on March 16, 2022 Posted in Cybersecurity, Data breach, Ransomware

US banking regulators propose a rule for 36-hour notice of breach

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

The EU’s Data Act: Capstone of the EU Data Strategy

By Jay Modrall (BE) on March 16, 2022 Posted in General

On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

By Will Daugherty (US) and Kate Nelson (US) on March 4, 2022 Posted in Cybersecurity

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

Google’s Data Safety Form: Timeline Extended and Key Considerations

By Steve Roosa (US) and Daniel Rosenzweig (US) on February 28, 2022 Posted in NT Analyzer Blog Series

Google’s Data Safety Form: Timeline Extended and Key Considerations

Google recently announced several key changes to the upcoming “Data safety form” for Google Play. Learn more about these updates on our NT Analyzer blog. … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

By Anna Rudawski (US) and David Kessler (US) on February 17, 2022 Posted in CCPA, Compliance and risk management, Privacy law

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA). The big news is that the Board … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on February 14, 2022 Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law

European rulings on the use of Google Analytics and how it may affect your business

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Belgian DPA fines IAB Europe over its consent framework’s GDPR violations

By Wil Kim and Lara White (UK) on February 11, 2022 Posted in Compliance and risk management

On 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

By David Kessler (US), Anna Rudawski (US) and Alexis Wilpon (US) on February 10, 2022 Posted in Compliance and risk management, Dispute resolution and litigation, Privacy law

Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information. It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

New York SHIELD Act $600,000 settlement

By David Kessler (US) and Susan Ross (US) on February 8, 2022 Posted in Cybersecurity

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

UK finally publishes revised standard form international data transfer agreements and conversion addendum for the use of revised EU SCCs

By Lara White (UK) and Marcus Evans (UK) on January 31, 2022 Posted in Data Transfer

The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading

Data Privacy Concerns: 2022 and beyond

By Steve Roosa (US) and Daniel Rosenzweig (US) on January 31, 2022 Posted in NT Analyzer Blog Series

Data Privacy Concerns in 2022 and Beyond

We may be a tad late to Data Privacy Day but we are looking ahead: 2022 will be a big year for privacy. See our timeline on our NT Analyzer blog for some of the privacy events on the horizon that are on our radar. Read the NT Analyzer blog… Continue reading

Privacy in a Parallel Digital Universe: The Metaverse

By Imran Ahmad (CA) and Tiana Corovic (CA) on January 25, 2022 Posted in General, Metaverse, PIPEDA, Privacy law

For many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe. The metaverse is an abstract concept that uses a digital environment to permeate … Continue reading

Where data meets IP – Derivative data in M&A transactions

By Imran Ahmad (CA), Nikita Stepin, Patrick Chou (CA) and Suzie Suliman (CA) on January 19, 2022 Posted in Data Transfer, General, Intellectual Property

With the growth of the high-tech industry worldwide, it is no surprise that more and more transactions involve the transfer of rights to access or control data and derivative data. In our previous update we discussed protecting business data in a commercial context. In the M&A context, this valuable information is either the driving force of … Continue reading