China’s evolving data laws: PIPL likely to be passed soon

Norton Rose Fulbright - Data Protection Report blog

China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which will take effect on 1 September 2021.

The PIPL – which will add another layer of compliance obligations on processors of personal information – will supplement and further strengthen the developing regulatory regime, which consists of the 2017 Cyber Security Law …

Subject Access Request: Germany’s highest court widens the scope of data subject access requests in Germany

Germany’s highest civil court, the Federal Court of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data Protection Regulation (GDPR) has a broader scope than previously understood in Germany. Pursuant to the court’s decision, Article 15 GDPR also covers information already known about the data subject, previous correspondence and notes of internal processes or internal communications related to the data subject.

The facts

The defendant was a life insurance company and the claimant their insured. At first …

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after the widely publicized Capital One decision, where plaintiffs were also forced to turn over a forensic report.

Work-Product Doctrine

With respect to defendant’s work-product arguments, the court found that the doctrine did not apply. First, in the opinion of the court, the Kroll Report was …

It must be as easy to reject cookies as it is to accept them: 40 additional organizations on the radar of the CNIL

As part of its global strategy to ensure compliance with its new mandatory cookie guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or refuse cookies using equally easy steps. These organizations all remedied the identified breaches within the month granted, but in the meantime the CNIL has identified a further 40 non-compliant organizations and sent them formal enforcement notices regarding the same issue.

Which industry sectors were impacted?

Global Privacy Control Opt-Out of “Sale” – A Technical and Legal Viewpoint

According to the California Attorney General, consumers may now utilize a new technology called the Global Privacy Control (“GPC”) in order to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).

The GPC, according to its website, was developed by “various stakeholders including technologists, web publishers, technology companies, browser vendors, extension developers, academics, and civil rights organizations.”

Unlike the IAB Tech Lab U.S. Privacy String, which is controlled and operated by the adopting Business via JavaScript, the GPC is controlled by the browser software either natively (as in the case of Firefox) …

Hong Kong: Bill to amend the Personal Data (Privacy) Ordinance to combat doxxing acts was gazetted today

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) was gazetted today, 16 July 2021.

The Bill aims to combat doxxing acts through (i) criminalisation of doxxing acts; (ii) empowering the Privacy Commissioner for Personal Data to conduct criminal investigation and institute prosecution for doxxing cases; and (iii) conferring on the Commissioner statutory powers to demand the rectification of doxxing content. The details of the Bill are summarized in our earlier post.

The government submitted the brief on the Bill to the Legislative Council on 14 July 2021. It is expected that the Bill would be introduced into …

EU’s possible Data Act: What can we anticipate from the Inception Impact Assessment and the Consultation?

The European Commission (EC) signalled plans for a new Data Act, to be published in late 2021, in its February 2020 Data Strategy Communication. The EC revealed more details in its 2021 Consultation and Inception Impact Assessment. The responses to the Consultation and Inception Impact Assessment are bound to shape the future of the EU’s digital economy. The Data Act will complement other European Union (EU) measures to create a solid framework for digital trust, opening up public sector data, removing digital borders, encouraging trade in data, opening up competition and facilitating better security within the EU single market. …

EU – UK data transfers can continue: UK receives much welcome adequacy decision

The European Commission has today published a positive adequacy finding in respect of the UK’s data protection regime (the Decision).  This means that personal data can continue to flow freely from the EU to the UK without the need for organisations to take further measures.

For the time being, however, the Decision does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the Immigration Exemption). The Immigration Exemption has been widely criticised by …

The EDPB publishes its finalised version of the Recommendations on supplementary measures

On 21 June 2021, the European Data Protection Board (EDPB) published its finalised version of the Recommendations on supplementary measures (the Recommendations) to help companies comply with the Schrems II judgement.

This comes just a couple of weeks after the European Commission (the Commission) published new, revised Standard Contractual Clauses (New SCCs) (read our blog post for more information).  Like the Recommendations, the New SCCs also aim to assist organisations with the complex Schrems II requirements.

The New SCCs and the Recommendations show that compromise between the Commission and the EDPB has been …