Singapore tables changes to the Personal Data Protection Act in Parliament

Wilson Ang (SG)Stella Cramer (SG)Jessica Paulin (SG)Jeremy Lua (SG)By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blog

Following the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020.

The Bill introduces five key changes to the Personal Data Protection Act 2012:

  • Increased financial penalties: Up to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds SGD 10 million), or S$ 1 million, whichever is higher.
  • Mandatory data breach notification: Organisations must notify the PDPC of any
Continue Reading

Thermal cameras and COVID-19 – The German DPAs have spoken

Christoph Ritzer (DE)Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

On September 11, 2020, the German Datenschutzkonferenz (DSK), the joint body of the German data protection authorities, published its position on the use of thermal cameras and electronic temperature checks in the context of the COVID-19 pandemic.

Despite voicing general criticisms of body temperature checking in the context of COVID-19, the DSK stated that it considers the use of thermal cameras in the work place to be admissible, provided that the requirements of data protection by design laid down in Art. 25 GDPR and security of data processing in to Art. 32 GDPR are complied with.

In detail:

  • German
Continue Reading

ICO provides guidance on calculating monetary penalties

Marcus Evans (UK)Lara White (UK)Steven Hadwin (UK)Ally Corbridge (UK)By Marcus Evans (UK), Lara White (UK), Steven Hadwin (UK), Janine Regan (UK) and Ally Corbridge (UK) on Posted in Enforcement, Regulatory response
Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the UK Information Commissioner’s Office (ICO) published draft statutory guidance, providing clarity about how it will regulate and enforce data protection legislation in the UK. The guidance, which sits alongside the ICO’s Regulatory Action Policy, covers the ICO’s range of enforcement powers, but of most interest is the section on how the ICO will calculate fines under the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR).

The ICO has launched a public consultation on its draft guidance which will remain open until 12 November 2020; as statutory guidance, the guidance … Continue Reading

Germany: New 35 million fine for breaching employee privacy

Christoph Ritzer (DE)Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Data breach
Data Protection Report - Norton Rose Fulbright

On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M.

The German subsidiary operates a central service centre in Nuremberg. The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data and sensitive data.  Apparently some of the records went back as far as 2014.

The DPA also expressed concerns over personal data collected in relation … Continue Reading

101 Problems and Schrems Ain’t One

Steve Roosa (US)Daniel Rosenzweig (US)By Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in General
NT Analyzer blog series, cookie

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.

The main questions facing companies at this point are:

  • Do my websites and mobile apps, when used in the EU, transmit data to the US,
Continue Reading

NYAG Proposed Settlement for Credential Stuffing Attacks with 3-Business-Day Access Request Response

David Kessler (US)Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Compliance and risk management, Cybersecurity, Data breach
Norton Rose Fulbright - Data Protection Report blog

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The … Continue Reading

CCPA – Health Research Bill Passes Legislature

David Kessler (US)Susan Ross (US)Anna Rudawski (US)By David Kessler (US), Susan Ross (US) and Anna Rudawski (US) on Posted in CCPA
Norton Rose Fulbright - Data Protection Report blog

Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that will be of interest to anyone involved in medical research as the new bill would ease some CCPA restrictions on research. The changes pertaining to healthcare data are expected to pass and are clearly responsive to additional needs to share information and conduct research on potential treatments and vaccines for the ongoing COVID pandemic. The bill has been sent to … Continue Reading

Schrems II: recent developments – waiting is harder

Marcus Evans (UK)By Marcus Evans (UK) and Janine Regan (UK) on Posted in Compliance and risk management, Data Transfer, Enforcement, Regulatory response

In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy … Continue Reading

Algorithmic Decision-making and the UK ICO’s Guidance on AI

Magdalene Lie (UK)By Magdalene Lie (UK) on Posted in General, Regulatory response

Algorithmic decision-making has been in the news of late. From Ofqual’s downgrading of students’ A-level results[1] to the complaint lodged by None of Your Business’ against the credit rating agency CRIF for failing (amongst other things) to be transparent about the reasons why a particular applicant had been given a negative rating[2]. We have been reminded of the potential backlash that could result from decisions that are perceived as incorrect or unfair by algorithms where the workings of which are largely unknown to the individuals they affect. This presents challenges for organisations which are increasingly adopting Artificial … Continue Reading

Key takeaways for the private sector from The Bridges v South Wales police facial recognition case

Lara White (UK)By Lara White (UK) and Janine Regan (UK) on Posted in General

On 11 August 2020, the Court of Appeal (CA) handed down its judgement in the case of R (on the application of Edward BRIDGES) v The Chief Constable of South Wales Police.  The court found that the use of automated facial recognition technology (AFT) by South Wales Police (SWP) was unlawful and did not comply with Article 8 of the European Convention on Human Rights (the right to respect for private and family life) (the Convention).

Whilst this judgement concerned the use of AFT in the public sector, the case provides interesting  … Continue Reading

LexBlog