Tag archives: data protection

ICO blog post on AI and solely automated decision-making

Lara White (UK)Marcus Evans (UK)Magdalene Lie (UK)By Lara White (UK), Marcus Evans (UK) and Magdalene Lie (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

Lara White (UK)By Lara White (UK) on Posted in Enforcement
Norton Rose Fulbright - Data Protection Report blogOn 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Jeewon Kim Serrato (US)Arleen Fernandez (US)By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogOn January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Marcus Evans (UK)Lara White (UK)Cécile Auvieux (FR)By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response
Norton Rose Fulbright - Data Protection Report blogOn January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Lara White (UK)Marcus Evans (UK)Miranda Byrne Hill (UK)By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightOn 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Andrea D'Ambra (US)Max Kellogg (US)By Andrea D'Ambra (US) and Max Kellogg (US) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

Steven Hadwin (UK)Mya Joel (UK)Marcus Evans (UK)Catrina Smith (UK)Amanda Sanders (UK)By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on Posted in Data breach
Data Protection Report - Norton Rose FulbrightThe Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

Chris Cwalina (US)Jeewon Kim Serrato (US)Steve Roosa (US)Tristan Coughlin* (US)By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on Posted in General
Data Protection Report - Norton Rose FulbrightThis is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information … Continue reading

California Consumer Privacy Act blog series: Covered entities

Jeewon Kim Serrato (US)Steve Roosa (US)Alexis Wilpon (US)By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, General, Regulatory response
Data Protection Report - Norton Rose FulbrightThis is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.… Continue reading

Overview of Thailand Draft Personal Data Protection Act

Natpakal Rerknithi (TH)Anna Gamvros (HK)Ruby Kwok (HK)By Natpakal Rerknithi (TH), Anna Gamvros (HK) and Ruby Kwok (HK) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightData protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading

US states pass data protection laws on the heels of the GDPR

Jeewon Kim Serrato (US)Chris Cwalina (US)Anna Rudawski (US)Tristan Coughlin* (US)By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin* (US) and Katey Fardelmann (US) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightSeveral U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with … Continue reading

GDPR is upon us: are you ready for what comes next?

Jeewon Kim Serrato (US)Steven Hadwin (UK)Marcus Evans (UK)By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
Norton Rose Fulbright - Data Protection Report blogThe wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Steven Hadwin (UK)By Steven Hadwin (UK) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightThe UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Spencer Persson (US)By Spencer Persson (US) on Posted in Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blogOn March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

Marcus Evans (UK)By Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightOn 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

Jay Modrall (BE)By Jay Modrall (BE) on Posted in Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Compliance and risk management, Cybercrime, Regulatory response
Data Protection Report - Norton Rose FulbrightRecent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading
LexBlog