Tag archives: data privacy

How to process employees’ health data in France after lockdown: dos and don’ts for employers

Norton Rose Fulbright - Data Protection Report blog

A few weeks ago, we provided you with a summary of the rights and obligations of employers with regard to the personal data of their employees during lockdown.

On 11 May, many employees will return to their workplaces. Below you will find answers to the main questions you may have as the end of the lockdown approaches.

Could an employer require its employees to use StopCovid or a similar private app and demand to see the results?

No. The CNIL stated in its opinion of 24 April 2020 that the “voluntary” mode of the app implied that no negative … Continue Reading

StopCovid: the French contact-tracing app

Following the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”.  The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French national research institute for digital sciences and technologies.

This blog post summarises the status of the project and the discussions from legal, political, scientific and technological perspectives.

How will StopCovid work?

For each smartphone on which the app is downloaded, temporary crypto-identifiers will be generated … Continue Reading

How contact tracing apps in Asia are being used to fight COVID-19 – is the reward worth the risk?

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing.

Contact tracing applications essentially work using either Bluetooth technology or GPS to log every time two or more users are close to each other for a certain period of time. If a person is diagnosed with COVID-19, other users who were close to that person can then be … Continue Reading

Irish data protection authority launches new cookie guidance and indicates cookie investigations are on the horizon

Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”).  It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”).  The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of … Continue Reading

Obtaining and sharing employee health status information in a pandemic

Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic.

Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed against the privacy rights of employees. Depending on where their employees are located, employers may have to favor privacy over virus detection. This blog sets out a few of the key issues and a snapshot of how they are dealt with across five European jurisdictions … Continue Reading

Changes to Hong Kong’s data protection law discussed by government panel

The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs (the Panel) on 20 January. The proposals set out in LC Paper No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post. Continue Reading

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

The Turkish Data Protection Board (“Board”) announced the extension of the VERBİS registration deadline until June 30, 2020 for:

  • Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
  • Data controllers located abroad.
Continue Reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit, Berlin DPA) issued a €14.5 million fine on a German real estate company, Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over-retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines recently issued by the German Datenschutzkonferenz (see our recent post).… Continue Reading

The right to be forgotten: the CJEU sides with Google in two landmark cases

On 24 September 2019 the Court of Justice of the European Union (CJEU) gave two judgments (Cases C-507/17 and C-136/17) ruling that: (i) de-referencing by Google should be limited to EU Member States’ versions of its search engine with some important qualifications; and (ii) when Google receives a request for de-referencing relating to a link to a web page on which sensitive data are published, a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information.

Google has already faced the issue … Continue Reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading

The CNIL publishes new guidelines on cookies and other similar technologies

On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading

Cyber law firm of the year nomination

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading

“What’s cooking” in Sacramento: CCPA’s “employee exception” bill is amended; “publicly available information” exception is broadened, and consumer access rights are clarified

This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.

As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill, was significantly amended by the Senate Judiciary Committee and appears to be moving forward, despite a recent political setback last month … Continue Reading

New Chinese Measures for Personal Data Cross-Border Transfer Security Assessments

Introduction

On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.

The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading

Google and other big data companies face increased scrutiny

Norton Rose Fulbright’s US Head of Data Protection, Privacy and Cybersecurity Jeewon Serrato and Partner Vic Domen write about the increased scrutiny that big data companies like Google and Facebook are now facing.

A number of state attorneys general are preparing to have discussions with the US Federal Trade Commission to discuss their concerns about the use of massive amounts of personal data in the digital ad marketplace.

There is a trend among federal and state enforcers to bring these online platforms and technology markets under higher scrutiny.

Get all the details at the full legal update, “Big data Continue Reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

On 12 April, the Information Commissioner’s Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.… Continue Reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’… Continue Reading

German court ruled that protection of the whistle-blower confidentiality does not generally override the data subject access right

A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on … Continue Reading
