On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading
A few weeks ago, we blogged about the decision of the English High court in AA v. Persons Unknown & Ors.
Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance. This is set out below.… Continue Reading
The CNIL has published draft recommendations on how to obtain consent when placing cookies. This is following the publication of its revised “Guidelines on the implementation of cookies or similar tracking technologies” which was published in July 2019 (see our article here).
The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good … Continue Reading
An interim proprietary injunction has been granted by the English High Court over a bitcoin ransom payment paid to a third-party wallet.… Continue Reading
2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May, 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.… Continue Reading
1. Brace yourself (for export turbulence)
2020 could well be a year of data export turmoil – so brace yourself.
The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).
The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:
- Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
- Data controllers located abroad.
This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue Reading
On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading
BoE publish high level findings of the financial sector (“sector”) cyber simulation exercise.… Continue Reading
Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.
Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading
We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading
On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading
On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.
The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading
The UK Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants  EWCA Civ 2338.… Continue Reading
The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.… Continue Reading
On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading
The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.… Continue Reading
The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading
We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue Reading
This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.
The California Consumer Privacy Act (“CCPA” or the “Act”) sets a new precedent with its sweeping definition of Personal Information (“PI”). The CCPA defines “[p]ersonal information” as any information that “identifies, relates to, describes, is capable of being … Continue Reading
Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.
Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level … Continue Reading
The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how … Continue Reading