FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. Continue reading

Overview of Thailand Draft Personal Data Protection Act

Data Protection Report - Norton Rose Fulbright

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level overview of the recently approved version of the Draft Act.

The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws and in particular the GDPR. We have highlighted some of those key obligations below.

Key definitions

The new law has some key definitions which are similar to data protection laws elsewhere:

  • Personal data” is broadly defined as information that is able to directly or indirectly identify a living individual.
  • Data controller” is a person (whether a natural or legal person) who has authority to make decisions on collection, usage or disclosure of Personal Data.
  • Data processor” is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of data controller.

Extraterritorial application

The Draft Act regulates both data controllers and data processors, whether or not they are in Thailand, who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens). This means that organizations outside of Thailand may be subject to the Draft Act.

General protections

Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of personal data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction under the law or contract on revoking such consent.

Collection of personal data

Collection of personal data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the data controller. The data controller must inform the data subject of the following, prior to or at the time personal data is collected:

  1. the purpose of the collection;
  2. the personal data to be collected;
  3. to whom the personal data might be disclosed;
  4. contact information of the data controller; and
  5. the rights of the data subject.

This information would usually be provided by way of a collection notice.

Except under limited circumstances prescribed under the Draft Act, personal data must be collected directly from the data subject. Also, the collection of sensitive personal data, such as religious belief, political preference, sexual behaviour or medical records, is prohibited except under limited circumstances prescribed under the Draft Act or ministerial regulation. Examples of the permitted circumstances for collection of sensitive data include where sensitive data is collected to protect or prevent harm to a person’s life, body or health, or to comply with any legal requirement on the data controller.

Cross-border transfer of personal data

Personal data can only be transferred to a country with rigorous data protection measures and in accordance with guidelines to be prescribed by the Personal Data Protection Committee, unless:

  1. the transfer is made pursuant to any applicable law;
  2. consent is obtained from the data subject;
  3. the transfer is in compliance with the contract entered into between the data subject and the data controller;
  4. the transfer is in the interests of a data subject who is incapable of giving consent; or
  5. as otherwise prescribed by ministerial regulation.

Rights of data subject

A data subject is entitled to access his/her own personal data which is held by the data controller, or to request the data controller to disclose the sources of information where such personal data is collected without his/her consent. In the event that the data controller fails to comply with any provision of the Draft Act, a data subject is entitled to request the data controller to delete, destroy, temporarily suspend the use of or anonymize personal data.

Fines and penalties

Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.

Grandfathering provisions

The data controller may continue to use personal data collected prior to the date that the Draft Act comes into force, provided that:

  1. such personal data is only used for the purpose for which it was originally collected; and
  2. a mechanism is made available and publicised by the data controller for the data subject easily to request deletion of his/her personal data.

Next steps

If the council of state approves the Draft Act, the Draft Act will be forwarded to the Thai cabinet and subsequently to the national legislative assembly for approval before coming into force. No official time frame for this process has been announced so it is difficult at this stage to anticipate the enactment date of the Draft Act.


The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to reconsider their policies and procedures for handling personal data in accordance with the new law once passed. Fortunately, it seems that the approach taken under the Draft Act is not inconsistent with many major data protection laws around the world, so companies with a robust data protection regime in place may not have to make too many changes to accommodate the new law.

The European Parliament asks for the suspension of the privacy shield

Norton Rose Fulbright - Data Protection Report blog

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.

The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.

Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it.  However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield which is due in September.

Further discussions on whether to renegotiate the Privacy Shield is also on the table since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.

Continue reading

US states pass data protection laws on the heels of the GDPR

Data Protection Report - Norton Rose Fulbright

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here. Continue reading

California passes major legislation, expanding consumer privacy rights and legal exposure for US and global companies

Norton Rose Fulbright - Data Protection Report blog

On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data.

The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules.

Many industry players preferred this legislative approach over the now-abandoned ballot initiative because, under California law, approved ballot initiatives can only be changed through another ballot initiative. Now that the law has passed—some critics argue, without adequate public debate because of this rush to avoid a costly and contentious battle over the ballot initiative in November—we can expect a fuller review of the law’s impact and more conversations about consumer protection and privacy rights in the US.

For companies that have implemented a compliance plan for European Union data subjects under the EU General Data Protection Regulation (“GDPR”), this law means many of the similar protections will now need to be extended to California residents. Read more below for a summary of what was included in the law that was passed yesterday.

Continue reading

US Supreme Court expands digital privacy rights in Carpenter v. United States

US Supreme Court expands digital privacy rights in Carpenter v. United States

On June 22, 2018, the US Supreme Court issued a 5-4 decision in Carpenter v. United States,  holding that the federal government needs a warrant to access cellphone location records.

In the decision, the Court agreed that there should be a higher standard for accessing location records due to their intrusive nature. Continue reading

Retailers must upgrade online credit card processing security by June 30

Data Protection Report - Norton Rose Fulbright

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Continue reading

One week into GDPR – what you need to know

Norton Rose Fulbright - Data Protection Report blog

Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR

The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation.  Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law.  Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May.  We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.

In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them.  Just in the first week, we are seeing glimpses of what lays ahead.  Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites, Europa.eu.  Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.” 

We take a look at the initial reactions and events that occurred in the first week following the implementation of the  GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.

Continue reading

GDPR is upon us: are you ready for what comes next?

Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.

For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy, which gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements.  We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.

Continue reading