Virginia’s new Consumer Data Protection Act

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023.

But first, you need to determine whether the law applies to your business. The law begins:

This chapter applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of … Continue Reading

Deutsche Wohnen fine now declared invalid by a German court

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose Fulbright

There has been a big bang in the data protection world in Berlin as the first and most spectacular GDPR fine in Germany has just been declared invalid.

The Berlin Commissioner for Data Protection for Freedom of Information (Berliner Beauftragte für den Datenschutz und Informationsfreiheit, “Berlin DPA”) issued a EUR 14.5 million fine against a German real estate company, die Deutsche Wohnen SE (“Deutsche Wohnen”). The Regional Court (Landgericht) of Berlin has now declared this fine invalid and closed the proceedings. The Berlin DPA will ask the public prosecutor’s office to appeal the Court’s … Continue Reading

EU Commission draft UK Data Protection Adequacy Decision published

Photo of Marcus Evans (UK)Photo of Shiv Daddar (UK)By Marcus Evans (UK) and Shiv Daddar (UK) on Posted in Enforcement, General, Regulatory response
Data Protection Report - Norton Rose Fulbright

Following nine months of assessment of the UK’s data protection laws (including the rules on access to data by public authorities), the European Commission has today published its draft decision on the adequate protection of personal data by the United Kingdom. The draft decision can be found here.

The draft decision is welcome news to the UK government, which has stressed that adequacy will provide certainty for businesses and enable continued cooperation between the UK and EU.

The European Commission’s statement highlights that EU law has shaped the UK’s data protection regime for decades; and that whilst the … Continue Reading

Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

Photo of Natalia Filkina (DE)By Ingemar Kartheuser and Natalia Filkina (DE) on Posted in Data Transfer, Regulatory response
Norton Rose Fulbright - Data Protection Report blog

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will be taking a stricter approach against companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority which is leading a working group focusing on cloud providers is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The … Continue Reading

Tentative further steps towards an agreed ePrivacy Regulation

Photo of Lara White (UK)Photo of Fiona Bundy-Clarke (UK)By Lara White (UK) and Fiona Bundy-Clarke (UK) on Posted in Regulatory response

It has been some months since we wrote about the ePrivacy Regulation and some years since the first draft was proposed.  Since then, we have seen numerous delays in achieving an agreed form of legislation, caused in part by strong views on how privacy and confidentiality shape the development of electronic communications services and passionate industry lobbying by both the AdTech industry and privacy organisations.

On 10 February 2021, the Council of the EU’s Permanent Representatives Committee (COREPER) finally adopted an agreed position on the ePrivacy Regulation, allowing the legislation to progress to the next stage of negotiation, namely the … Continue Reading

Incentivizing public utilities to enhance cybersecurity: FERC’s proposed regulation

Photo of Will Daugherty (US)Photo of Susan Ross (US)By Will Daugherty (US) and Susan Ross (US) on Posted in Cybersecurity
Norton Rose Fulbright - Data Protection Report blog

On February 5, 2021, the Federal Energy Regulatory Commission (“FERC”) published proposed regulations in the Federal Register that would provide federal financial incentives to utilities that voluntarily increase certain cybersecurity measures above those required by the Critical Infrastructure Protection Reliability Standards (“CIP Reliability Standards”) or by the NIST, Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”). (86 Fed. Reg. 8309-8325 (Feb. 5, 2021).)

To obtain the incentive, these voluntary measures must “materially enhance the cybersecurity posture of the bulk-power system by enhancing the applicants’ cybersecurity posture substantially above levels required by CIP Reliability Standards, to the benefit of ratepayers.”   The … Continue Reading

Amendments to the Personal Data Protection Act In Force

Photo of Stella Cramer (SG)Photo of Wilson Ang (SG)Photo of Jeremy Lua (SG)By Stella Cramer (SG), Wilson Ang (SG), Jeremy Lua (SG) and Crystal Wong on Posted in Data breach, Data Transfer, PDPA
Data Protection Report - Norton Rose Fulbright

On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021 – please see PDPC’s announcement; the gazetted Commencement Notification.  This legal update provides a high-level summary of the PDPA Amendments that have taken effect.

The changes introduced by the PDPA Amendments to the Personal Data Protection Act 2012 (the PDPA) are the most significant since the PDPA first came into force on 1 July 2014.  Please see our earlier blog post, … Continue Reading

New German fine: EUR 10.4 million for unlawful CCTV

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management, Data breach

A German state data protection authority has issued a fine of EUR 10.4m against a mid-size online retailer who allegedly violated the EU General Data Protection Regulation (GDPR) by monitoring their employees using CCTV.

The State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Lower Saxony (the State Commissioner) imposed the fine on the electronics retailer “notebooksbilliger.de AG” (the Retailer) at the end of 2020.

The Retailer used CCTV in its premises to prevent and investigate criminal offences and to track the flow of goods in the warehouses over a period of at least … Continue Reading

Post-Brexit Personal Data Breach Reporting – An End to the ICO’s Role as One-Stop-Shop Lead Supervisory Authority

Photo of Ffion Flockhart (UK)Photo of Steven Hadwin (UK)By Ffion Flockhart (UK) and Steven Hadwin (UK) on Posted in Cybersecurity, Data breach
Data Protection Report - Norton Rose Fulbright

The end of the Brexit implementation period on 31 December 2020 has brought with it significant changes to the data protection landscape for UK-based businesses. Amid headlines about data transfer issues and a potential adequacy decision for the UK in the coming months, businesses also need to be aware of significant changes to the way in which cross-border personal data breaches with a UK angle will need to be notified to data protection authorities (DPAs) in future.

The GDPR established a “one-stop-shop” principle, allowing companies to notify cross-border personal data breaches to a lead supervisory authority (LSA) in the EU … Continue Reading

US banking regulators propose a rule for 36-hour notice of breach

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Data breach
US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that … Continue Reading

LexBlog