Tag archives: data protection

Navigating Virginia’s new privacy law

Photo of Steve Roosa (US)Photo of Daniel Rosenzweig (US)By Steve Roosa (US) and Daniel Rosenzweig (US) on Posted in NT Analyzer Blog Series

Virginia recently enacted its own data protection/privacy law and like its European and Californian predecessors, the technical piece is key.

Like the GDPR and CCPA, the Consumer Data Protection Act (“CDPA”), which goes into effect on January 1, 2023, broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The law also requires controllers to conduct a data protection assessment and implement technical data security practices.

NT Analyzer is equipped to provide organizations with a solution to meet this requirement. Read more about this new law and our solution on Continue Reading

US banking regulators propose a rule for 36-hour notice of breach

Photo of David Kessler (US)Photo of Susan Ross (US)By David Kessler (US) and Susan Ross (US) on Posted in Data breach
US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that … Continue Reading

Singapore’s Public Consultation on proposed changes to the Singapore Personal Data Protection Act

Photo of Wilson Ang (SG)Photo of Stella Cramer (SG)Photo of Jessica Paulin (SG)Photo of Jeremy Lua (SG)By Wilson Ang (SG), Stella Cramer (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in General

On 14 May 2020, the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) announced a public consultation (the Public Consultation) on the draft Personal Data Protection (Amendment) Bill (the Draft Bill) and related amendments to the Spam Control Act (SCA). The Public Consultation will take place from 14 May 2020 to 28 May 2020.

The Draft Bill is the culmination of a series of consultations between the MCI, PDPC and public and industry stakeholders over the past three years. In this post, we briefly … Continue Reading

California AG Issues Significant Changes to Draft CCPA Regulations as of March 2020

Photo of Jeewon Kim Serrato (US)Photo of Susan Ross (US)By Jeewon Kim Serrato (US) and Susan Ross (US) on Posted in CCPA
Data Protection Report - Norton Rose Fulbright

On February 7, 2020, and again on March 11, 2020, the Office of the Attorney General (OAG) issued revisions to the proposed California Consumer Privacy Act (CCPA) regulations, and there are some surprises in both the additions and in the deletions.  For the CCPA regulations to become effective on July 1, the final regulation text must be filed with the Secretary of State by May 29.

Click here for the text of modified regulations.  Our white paper with a summary of the changes is available for download here.… Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Photo of Susan Ross (US)Photo of Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Adventures in cyber litigation: Frozen crypto-assets and the role of cyber insurance

Photo of Charlie Weston-Simons (UK)Photo of Rahul Mansigani (UK)Photo of Steven Hadwin (UK)By Charlie Weston-Simons (UK), Rahul Mansigani (UK) and Steven Hadwin (UK) on Posted in Cybersecurity
Norton Rose Fulbright - Data Protection Report blog

A few weeks ago, we blogged about the decision of the English High court in AA v. Persons Unknown & Ors.

Given the level of interest in the case, we have prepared a deeper-dive into the facts and the implications of the decision, with a focus on the important role played in the case by cyber insurance. This is set out below.… Continue Reading

Personal data protection in the time of coronavirus (Covid-19)

Photo of Barbara Li (CN)Photo of Bohua Yao (CN)By Barbara Li (CN) and Bohua Yao (CN) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

Outbreak of the coronavirus and personal data privacy

The fast-spreading coronavirus (Covid-19) has infected thousands of people in China and in over 20 other countries. This coronavirus outbreak, originating in Wuhan, a large city located in the central region of China, has been declared a Public Health Emergency of International Concern (PHEIC) by the World Health Organization.… Continue Reading

The CNIL releases draft practical guidance on cookies consent

Photo of Nadège Martin (FR)Photo of Cécile Auvieux (FR)By Nadège Martin (FR) and Cécile Auvieux (FR) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

The CNIL has published draft recommendations on how to obtain consent when placing cookies. This is following the publication of its revised “Guidelines on the implementation of cookies or similar tracking technologies” which was published in July 2019 (see our article here).

The objective of the recommendations is to provide stakeholders with practical guidance and illustrative examples. These recommendations are neither exhaustive nor binding and data controllers are free to consider other practical measures as long as they comply with the revised rules as provided by the CNIL in July 2019. The CNIL also provides a number of “good … Continue Reading

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

Photo of Ekin Inal (TR)Photo of Ece Sürmen (TR)Photo of Ecem Naz Boyacıoğlu (TR)By Ekin Inal (TR), Ece Sürmen (TR) and Ecem Naz Boyacıoğlu (TR) on Posted in Regulatory response

The Turkish Data Protection Board (“Board”) announced the extension of VERBİS registration deadline until June 30, 2020 for:

  • Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
  • Data controllers located abroad.
Continue Reading

First multi-million GDPR fine in Germany: €14.5 million for not having a proper data retention schedule in place

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)By Christoph Ritzer (DE) and Natalia Filkina (DE) on Posted in Enforcement
Data Protection Report - Norton Rose Fulbright

On October 30, 2019 the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und InformationsfreiheitBerlin DPA) issued a €14.5 million fine on a German real estate company, die Deutsche Wohnen SE (Deutsche Wohnen),  the highest German GDPR fine to date. The infraction related to the over retention of personal data. For the first time, the Berlin DPA applied the new calculation method for GDPR fines issued by the German Datenschutzkonferenz recently (see our recent post).… Continue Reading

No surprises in the recent Planet49 European Court of Justice judgment

Photo of Christoph Ritzer (DE)Photo of Natalia Filkina (DE)Photo of Lara White (UK)By Christoph Ritzer (DE), Natalia Filkina (DE) and Lara White (UK) on Posted in Dispute resolution and litigation
Data Protection Report - Norton Rose Fulbright

On 1 October 2019, the European Court of Justice (ECJ) delivered its judgement on Case C – 673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent with the recent regulatory guidance issued by the UK and French data protection authorities in this area.… Continue Reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

Photo of Pierre Bienvenu (CA)Photo of Ben Grant (UK)By Pierre Bienvenu (CA) and Ben Grant (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading

Deadline extended for compulsory registration on Data Controller registry

Photo of Ekin Inal (TR)By Ekin Inal (TR) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blog

Obligations

We previously reported that Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Continue Reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

Photo of Ekin Inal (TR)By Ekin Inal (TR) on Posted in Regulatory response
Norton Rose Fulbright - Data Protection Report blog

Obligations

Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal data.

Data controllers which fail to fulfil this obligation may be subject to an administrative fine of an amount between TL 20,000–1,000,000 (approximately USD 3,600-180,000). Such fines will be issued at the discretion of the Data Protection Board and will be determined based on the … Continue Reading

The CNIL publishes new guidelines on cookies and other similar technologies

Photo of Nilofar Moini Shabestari (FR)Photo of Nadège Martin (FR)By Nilofar Moini Shabestari (FR) and Nadège Martin (FR) on Posted in Compliance and risk management
Data Protection Report - digital privacy, CCPA and cybersecurity

On 4 July 2019, the CNIL published new guidelines on cookies and other similar technologies, repealing its 2013 cookie guidance in order to align its position with the GDPR’s new requirements on consent. These guidelines will be supplemented during the first quarter of 2020 by sectoral recommendations aimed at providing practical guidance to stakeholders on how to collect consent.… Continue Reading

Website operators joint controllers with third-party plugin providers

Photo of Lara White (UK)Photo of Natalia Filkina (DE)Photo of Shiv Daddar (UK)By Lara White (UK), Natalia Filkina (DE) and Shiv Daddar (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, … Continue Reading

Cyber law firm of the year nomination

Photo of Chris Cwalina (US)Photo of Ffion Flockhart (UK)Photo of Steven Hadwin (UK)By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on Posted in General
Norton Rose Fulbright - Data Protection Report blog

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards. Many thanks to everyone who has voted for us so far. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on 20 September 2019. We encourage our insurer and broker clients and contacts to respond to the survey if they have not already done so.… Continue Reading

FTC to levy unprecedented $US5bn fine against Facebook

Photo of Andrea D'Ambra (US)Photo of Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose Fulbright

On Friday, July 12, 2019, the Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues surrounding the Cambridge Analytica disclosure discovered last year. The settlement imposes a US$5 billion dollars on the tech giant, which represents roughly 9% of Facebook’s total yearly revenue and is the largest civil and privacy fine ever imposed by the FTC. The fine largely surpasses the FTC’s previous imposed fine in a privacy action, when the FTC fined Google US$22.5 million to settle claims it misrepresented privacy assurances to Safari users.… Continue Reading

German M&A Deals: Share Deals Remain the Only Secure Way to Transfer All Customer Data

Photo of Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose Fulbright

The German data protection authorities, acting as the German data protection conference (Datenschutzkonferenz), recently published guidance on how to transfer customer data in an asset deal. The guidance runs through various scenarios. In most cases, a bulk transfer of all customer data is not permitted. Further, the guidance makes no mention of, or allowance for, the transfer of marketing permissions which – as these are generally on an opt-in consent basis in Germany – means a buyer cannot rely on the seller’s marketing consents in an asset sale. Therefore, the position in Germany remains that it is highly … Continue Reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

Photo of Nadège Martin (FR)Photo of Nilofar Moini Shabestari (FR)By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on Posted in Data breach, Enforcement
Data Protection Report - Norton Rose Fulbright

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue Reading

LexBlog