Tag archives: data privacy

Texas enacts comprehensive privacy law

By David Kessler (US), Susan Ross (US) and Seth Allen (US) on June 21, 2023 Posted in Privacy law

On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and Tennessee (which, like Texas, go into effect in 2024), Iowa (effective 2025) and Indiana (effective 2026). … Continue reading

Building Cyber Resiliency In the Energy Sector

By Imran Ahmad (CA) and John Cassell (CA) on April 5, 2023 Posted in Cybersecurity, Data Protection

For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have grabbed not only media headlines but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is attacker tactics are constantly evolving … Continue reading

Privacy law is becoming more technically sophisticated. So should you.

By Steve Roosa (US), Daniel Rosenzweig (US) and Susan Ross (US) on March 22, 2023 Posted in Compliance and risk management, Privacy law

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.… Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Privacy (Part 4)

By Imran Ahmad (CA) and Admin on February 23, 2023 Posted in Cybersecurity, Data Protection, Privacy law

Across the globe, the race is already underway among vehicle manufacturers to develop fully autonomous vehicles (AVs). AVs currently under development make sense of their surroundings and control vehicle operation through data gathered about the outside world. Like other connected vehicles, AVs can also collect and use specific personal information about a driver (e.g., through … Continue reading

Bring-Your-Own-Device Programs: A Balance Between Privacy and Cybersecurity

By Marisa Kwan, Joseph Cohen-Lyons, Curtis Armstrong and Admin on February 16, 2023 Posted in Cybersecurity, Privacy law

A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

By Travis Walker and Imran Ahmad (CA) on January 16, 2023 Posted in Cybersecurity, Data breach, Data Protection, Privacy law

Data Protection Report - Norton Rose Fulbright

In three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

By Marcus Evans (UK), Lara White (UK), Shiv Daddar (UK) and Janine Regan (UK) on December 13, 2022 Posted in Data Protection, Privacy law

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). The draft decision – available here – addresses the concerns raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision of July 2020. These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

By Andrew McCoomb on December 8, 2022 Posted in Cybercrime, Cybersecurity, Data breach, Data Protection, Ransomware

Norton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

By Admin on October 24, 2022 Posted in Cybersecurity, Data Protection, M&A Transactions, Privacy law

Privacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

OSFI’s Technology and Cyber Risk Management Guideline: Part 2

By Imran Ahmad (CA), Shreya Gupta and Suzie Suliman (CA) on October 17, 2022 Posted in Cybersecurity, Privacy law

In July of this year, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of its Guideline B-13 (the Guideline), setting out technology and cyber risk management expectations for all federally regulated financial institutions (FRFIs), such as banks, insurance and trust companies. FRFIs will need to ensure that they have taken steps to … Continue reading

Practical steps for businesses to comply with Bill C-27: Part 1

By Jeremie Wyatt (CA), Imran Ahmad (CA) and Shreya Gupta on August 22, 2022 Posted in Compliance and risk management, Privacy law

The House of Commons recently introduced Bill C-27, the successor to Bill C-11, which died on the docket when Parliament was dissolved in the fall of 2021. Bill C-27 introduces three new acts: the Consumer Privacy Protection Act (“CPPA”), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (“AIDA”), which … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

By John Cassell (CA), Imran Ahmad (CA) and Miranda Sharpe on August 16, 2022 Posted in Cybersecurity, Data breach

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

By Steve Roosa (US), Christoph Ritzer (DE), Nadège Martin (FR), Jurriaan Jansen, Daniel Rosenzweig (US), Naomi Schuitema, Natalia Filkina (DE) and Barbara Ghebali (FR) on February 14, 2022 Posted in Cybersecurity, NT Analyzer Blog Series, Privacy law

European rulings on the use of Google Analytics and how it may affect your business

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Google Play Store Releases Data Safety Form

By Steve Roosa (US) and Daniel Rosenzweig (US) on November 19, 2021 Posted in NT Analyzer Blog Series

Android will adopt iOS-like privacy nutrition labels, called the “Data safety form,” starting April 2022. And according to Google, apps that fail to comply with this upcoming requirement may be “subject to policy enforcement, like blocked updates or removal from Google Play.” While it may be tempting to just repurpose the iOS nutrition labels, Google notes … Continue reading

Privacy legislation reform: Bill 64 has now been passed

By Imran Ahmad (CA), Veronique Barry (CA) and Jeremie Wyatt (CA) on November 17, 2021 Posted in Compliance and risk management, Cybersecurity, Privacy law

Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes: increased obligations for enterprises that collect or otherwise process personal information, the creation of new rights for persons whose information is collected, and the imposition of far … Continue reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin J. Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.… Continue reading

PIPL: A game changer for companies in China

By Anna Gamvros and Lianying Wang (CN) on August 24, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add … Continue reading

China passes the Personal Information Protection Law

By Anna Gamvros and Lianying Wang (CN) on August 20, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet. In addition, China published the Provisions on the Administration of Security of Automobile Data (For … Continue reading

Google/Android announces privacy requirements

By Daniel Rosenzweig (US) and Wenda Tang (US) on May 12, 2021 Posted in NT Analyzer Blog Series

NT Analyzer | Google Announces App Privacy Requirements

Google announced that it will follow industry standards with respect to privacy obligations.… Continue reading

Navigating Virginia’s new privacy law

By Steve Roosa (US) and Daniel Rosenzweig (US) on April 8, 2021 Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key. Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified … Continue reading

Virginia’s new Consumer Data Protection Act

By David Kessler (US) and Susan Ross (US) on March 8, 2021 Posted in Compliance and risk management

On March 2, 2021, the Governor of the Commonwealth of Virginia signed into law the Consumer Data Protection Act, which contains many elements of California’s Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR). The new law goes into effect on January 1, 2023. But first, you need to determine whether the law … Continue reading

CCPA regulations: perhaps the fourth time is the charm

By David Kessler (US) and Susan Ross (US) on December 14, 2020 Posted in CCPA

Norton Rose Fulbright - Data Protection Report blog

On December 10, 2020, the California Attorney General proposed a fourth set of modifications to the California Consumer Privacy Act (CCPA) regulations, in response to comments received regarding the October proposed modifications. (We had written about the October proposals here.)… Continue reading

Bill C-11: Canada proposes new data privacy legislation

By Admin on November 20, 2020 Posted in Enforcement

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to … Continue reading

COVID tracing & AI: Physically distant, socially together

By Daniel Daniele (CA) on November 18, 2020 Posted in Compliance and risk management, Data Transfer

As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity … Continue reading