On December 10, 2020, the California Attorney General proposed a fourth set of modifications to the California Consumer Privacy Act (CCPA) regulations, in response to comments received regarding the October proposed modifications. (We had written about the October proposals here.)… Continue Reading
On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, tabled proposed legislation in Parliament that aims to overhaul Canada’s data privacy law. Bill C-11, entitled An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, will create new data privacy obligations and new enforcement mechanisms for these obligations if it becomes law.… Continue Reading
As the second wave of COVID-19 spreads across Canada, the use of COVID-19 tracing apps is on the rise. For example, the Government of Canada released COVID Alert–an app using Bluetooth technology to help people report positive diagnoses, and control the spread of the virus. The success of the app depends on a high quantity of users, but concerns over privacy and the use of artificial intelligence (AI) in analyzing the data may hinder that objective.
COVID tracing apps
Please join us for an NT Analyzer Webinar, Solving Apple’s new app privacy requirement. Head of NRF Digital Analytics and Technology Assessment Platform for the US Steven Roosa and Associate Dan Rosenzweig as they walk through the upcoming Apple requirements, and showcase the NT Analyzer Apple dashboard solution.… Continue Reading
The US elections on November 3, 2020 included three states with privacy-related ballot initiatives: California, Massachusetts, and Michigan. Voters supported all three initiatives.… Continue Reading
Apple recently announced that it will require app developers to provide extensive, granular information about their app’s privacy practices on App Store Connect, such as the type of data collected from users as well as the identity of third parties and the specific purpose of the collection. (See https://developer.apple.com/support/app-privacy-on-the-app-store/.)
NT Analyzer is equipped to provide organizations with a digestible and readily available report to meet this requirement. Read more about the requirements and our solution on our NT Analyzer website.… Continue Reading
A few weeks ago, we provided you with a summary of the rights and obligations of employers with regard to the personal data of their employees during lockdown.
On 11 May, many employees will return to their workplaces. Below you will find answers to the main questions you may have ahead as the end of the lockdown approaches.
Could an employer require its employees to use StopCovid or a similar private app and require to see the results?
No. The CNIL stated in its opinion of 24 April 2020, that the “voluntary” mode of the app implied that no negative … Continue Reading
Following the example of many European countries, the French government plans to introduce a contact tracing app, known as “StopCovid”. The app is designed to be used by people once they leave the confinement of their homes with the aim of preventing the spread of COVID-19. StopCovid is being developed within the INRIA, the French national research institute for digital sciences and technologies.
This blog post summarises the status of the project and the discussions from legal, political, scientific and technological perspectives.
How will StopCovid work?
For each smartphone on which the app is downloaded, temporary crypto-identifiers will be generated … Continue Reading
The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing.
Contact tracing applications essentially work using either Bluetooth technology or GPS to log every time two or more users are close to each other for a certain period of time. If a person is diagnosed with COVID-19, other users who were close to that person can then be … Continue Reading
Last week, the Irish Data Protection Commission (“DPC”) published its much anticipated guidance note on cookies and similar tracking technologies (the “Guidance”). It also published a report following a “cookie sweep” that took place between August 2019 and December 2019 of 38 data controllers (the “Report”). The cookie sweep requested information from the data controllers and examined the deployment of cookies on their websites to understand how and whether they were complying with the cookie rules. It is clear the Report significantly influenced the Guidance and, as such, the Report provides an indication of … Continue Reading
Employers across the world are facing extremely difficult challenges in keeping their workplaces safe for their employees, contractors and visitors during the COVID-19 pandemic.
Although the prevailing instinct is likely to be to protect and to prevent the spread of the virus at all costs, under data protection laws this still needs to be weighed against the privacy rights of employees. Depending on where their employees are located, employers may have to favor privacy over virus detection. This blog sets out a few of the key issues and a snapshot of how they are dealt with across five European jurisdictions … Continue Reading
At the end of 2019, following a public consultation, the CNIL adopted its much-anticipated “standard” on whistleblowing systems. The “standard” is essentially a reference document which serves as guidance for those implementing whistleblowing systems.… Continue Reading
The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.… Continue Reading
The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:
- Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
- Data controllers located abroad.
This blogpost summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.… Continue Reading
On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen), the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading
On 24 September 2019 the Court of Justice of the European Union (CJEU) gave two judgments (Cases C-507/17 and C-136/17) ruling that: (i) de-referencing by Google should be limited to EU Member States’ versions of its search engine with some important qualifications; and (ii) when Google receives a request for de-referencing relating to a link to a web page on which sensitive data are published, a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information.
Google has already faced the issue … Continue Reading
On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.… Continue Reading
Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.
Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading
On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading
We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading
Often questioned about online advertising targeting by both the public and professionals, the CNIL released its action plan for 2019-2020 with a view to providing further details about the applicable advertising rules and to support stakeholders in their compliance with them.… Continue Reading
This is the Data Protection Report’s eleventh blog post in a series of CCPA blog posts. Stay tuned for additional posts on the CCPA.
As America prepares for the Fourth of July holiday weekend, the California legislature continues to work on amending the California Consumer Privacy Act (“CCPA”), as it races to get modifications passed through the state legislature before it adjourns for the 2019 calendar year. On June 28, one of those bills, AB 25, the “employee exception” bill was significantly amended by the Senate Judiciary Committee and appears to move forward, despite a recent political setback last month … Continue Reading
On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.
The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts … Continue Reading