California Consumer Privacy Act: Disclosure requirements

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s fourth blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (the “CCPA” or “Act”) includes significant and new disclosure requirements for businesses that collect and or sell or disclose California residents’ personal information. Below we have outlined: (1) disclosures businesses must make in their privacy policy; (2) disclosures businesses must make upon receipt of a “verifiable consumer request”; and (3) Norton Rose Fulbright’s takeaways.

Continue reading

Singapore’s new Cybersecurity Act comes into force: Here’s what you need to know

The much discussed Cybersecurity Act 2018 (Act. 9 of 2018) (the Act), which was passed by the Singapore Parliament on 5 February 2018, came into force on 31 August 2018 [1]. The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity.  It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

Data Protection Report - Norton Rose Fulbright

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.

California Consumer Privacy Act: GDPR-like definition of personal information

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s third blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

Continue reading

New law imposes disclosure requirements on software licensors

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK | Norton Rose Fulbright

As a result of the 2019 National Defense Authorization Act, the Secretary of Defense implemented new disclosure obligations on software licensors whose software code has been reviewed or accessed by a foreign government. The Act was signed into law on August 13, 2018 and will significantly impact software licensors who engage with the federal government’s defense agencies relating to “obligations to foreign governments.” Continue reading

California Consumer Privacy Act blog series: Covered entities

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA. Continue reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. Continue reading

Overview of Thailand Draft Personal Data Protection Act

Data Protection Report - Norton Rose Fulbright

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level overview of the recently approved version of the Draft Act.

The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws and in particular the GDPR. We have highlighted some of those key obligations below.

Key definitions

The new law has some key definitions which are similar to data protection laws elsewhere:

  • Personal data” is broadly defined as information that is able to directly or indirectly identify a living individual.
  • Data controller” is a person (whether a natural or legal person) who has authority to make decisions on collection, usage or disclosure of Personal Data.
  • Data processor” is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of data controller.

Extraterritorial application

The Draft Act regulates both data controllers and data processors, whether or not they are in Thailand, who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens). This means that organizations outside of Thailand may be subject to the Draft Act.

General protections

Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of personal data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction under the law or contract on revoking such consent.

Collection of personal data

Collection of personal data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the data controller. The data controller must inform the data subject of the following, prior to or at the time personal data is collected:

  1. the purpose of the collection;
  2. the personal data to be collected;
  3. to whom the personal data might be disclosed;
  4. contact information of the data controller; and
  5. the rights of the data subject.

This information would usually be provided by way of a collection notice.

Except under limited circumstances prescribed under the Draft Act, personal data must be collected directly from the data subject. Also, the collection of sensitive personal data, such as religious belief, political preference, sexual behaviour or medical records, is prohibited except under limited circumstances prescribed under the Draft Act or ministerial regulation. Examples of the permitted circumstances for collection of sensitive data include where sensitive data is collected to protect or prevent harm to a person’s life, body or health, or to comply with any legal requirement on the data controller.

Cross-border transfer of personal data

Personal data can only be transferred to a country with rigorous data protection measures and in accordance with guidelines to be prescribed by the Personal Data Protection Committee, unless:

  1. the transfer is made pursuant to any applicable law;
  2. consent is obtained from the data subject;
  3. the transfer is in compliance with the contract entered into between the data subject and the data controller;
  4. the transfer is in the interests of a data subject who is incapable of giving consent; or
  5. as otherwise prescribed by ministerial regulation.

Rights of data subject

A data subject is entitled to access his/her own personal data which is held by the data controller, or to request the data controller to disclose the sources of information where such personal data is collected without his/her consent. In the event that the data controller fails to comply with any provision of the Draft Act, a data subject is entitled to request the data controller to delete, destroy, temporarily suspend the use of or anonymize personal data.

Fines and penalties

Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.

Grandfathering provisions

The data controller may continue to use personal data collected prior to the date that the Draft Act comes into force, provided that:

  1. such personal data is only used for the purpose for which it was originally collected; and
  2. a mechanism is made available and publicised by the data controller for the data subject easily to request deletion of his/her personal data.

Next steps

If the council of state approves the Draft Act, the Draft Act will be forwarded to the Thai cabinet and subsequently to the national legislative assembly for approval before coming into force. No official time frame for this process has been announced so it is difficult at this stage to anticipate the enactment date of the Draft Act.


The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to reconsider their policies and procedures for handling personal data in accordance with the new law once passed. Fortunately, it seems that the approach taken under the Draft Act is not inconsistent with many major data protection laws around the world, so companies with a robust data protection regime in place may not have to make too many changes to accommodate the new law.

The European Parliament asks for the suspension of the privacy shield

Norton Rose Fulbright - Data Protection Report blog

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.

The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.

Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it.  However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield which is due in September.

Further discussions on whether to renegotiate the Privacy Shield is also on the table since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.

Continue reading

US states pass data protection laws on the heels of the GDPR

Data Protection Report - Norton Rose Fulbright

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here. Continue reading