Tag archives: data protection

ASEAN releases Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses and AI Governance Guide 

On 1 and 2 February 2024, at the fourth 4th ASEAN Digital Ministers Meeting (ADGMIN) in Singapore, ASEAN[1] unveiled: We summarise and discuss both the Joint Guide and the ASEAN AI Governance Guide below. Joint MCC – SCC Guide To recap, the first part of the Joint MCC – SCC Guide (the Reference Guide) was … Continue reading

How to Effectively Draft Data Processing Agreements to Protect Information Shared with Service Providers – Part 2

PadlockIn our previous post, we discussed specific considerations for common boilerplate provisions in data processing agreements (DPAs). Due to the sensitivity of data transfers and privacy laws, DPAs require careful drafting to ensure the data processor complies with appropriate privacy obligations and is responsible for any non-compliance. This post takes a closer look at DPA-specific … Continue reading

How to Effectively Draft Data Processing Agreements to Protect Information Shared with Service Providers – Part 1

PadlockModern businesses collect and process personal information about their customers and employees for the benefit of their business – these benefits include identifying opportunities to enhance their products or services, streamlining operations, reducing costs or maximizing profits. Processing such data is often outsourced to a third-party data processing service provider. For example, third parties may … Continue reading

UK Information Commissioner’s Office Publishes Final Guidance On Employee Monitoring

The UK Information Commissioner’s Office (ICO) published its final guidance on monitoring workers on 3 October 2023 (the Guidance).  The Guidance is aimed at employers across both the private and public sector.  Responding to the rise of remote working and new technologies available to monitor employees, the ICO has looked to provide clear direction on … Continue reading

Act 25 – Demystifying privacy impact assessments with the CAI’s new tools

With most provisions of the Act to modernize legislative provisions as regards the protection of personal information (Act 25) having just come into effect on September 22, public bodies and enterprises (organizations) will now need to conduct privacy impact assessments (PIA) during various projects that involve personal information. A PIA is an impact analysis that takes all … Continue reading

Deal-maker or deal-breaker: the legal ins and outs of using AI in M&A

Deals involving AI bring about specific and unique issues for consideration during the due diligence process. Understanding the specific challenges created by AI is important for companies to ensure that the AI technology holds genuine value and would not raise red flags during the course of a transaction. Some important advice for companies looking to … Continue reading

Building Cyber Resiliency In the Energy Sector

For the energy sector, cybersecurity has been a top-of-mind issue for some time. This is particularly true given some of the high-profile cyber-attacks seen in recent years that have grabbed not only media headlines but also resulted in operational disruption, financial losses and legal exposure. The challenge with cybersecurity is attacker tactics are constantly evolving … Continue reading

Practical steps for businesses to comply with Bill C-27: part 2

In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada … Continue reading

Ontario Court of Appeal Limits Application of Tort of Intrusion Upon Seclusion for Cyberattacks

Data Protection Report - Norton Rose FulbrightIn three recent cases, the Court of Appeal for Ontario effectively curtailed the ability of privacy breach victims to advance claims under the tort of intrusion upon seclusion against organizations for failing to prevent unauthorized access to personal information by third parties. However, while these cases should provide some reassurance that a cyberattack may not … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Liability in Motor Vehicle Accidents (Part 3)

As autonomous vehicle (AV) technology continues to grow in functionality and sophistication, it is only a matter of time before AVs become commercially available across Canada. The arrival of autonomous vehicles in Canada will raise a number of liability-related questions that touch on the areas of owner liability, product liability, and auto insurance. In this … Continue reading

Draft European Commission EU-US Data Privacy Framework adequacy decision published

On 13 December, the European Commission launched the process to adopt an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF).  The draft decision – available here – addresses the concerns raised by the Court of Justice  of the European Union (CJEU) in its Schrems II decision of July 2020.  These concerns centred around … Continue reading

Rare recovery in a complex ransomware case: Major NetWalker arrest leads to significant asset seizure

Data Protection Report - Norton Rose FulbrightNorton Rose Fulbright Canada’s cyber litigation team recently obtained an order in favour of an insurer, granting it relief from forfeiture in respect of more than 11 bitcoins from the assets seized from a prolific ransomware gang.[1] This case was the first of its kind and confirms an insurer’s ability to seek recovery for losses … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: Cybersecurity Considerations (Part 2)

Norton Rose Fulbright - Data Protection Report blogThe emergence of autonomous vehicles (AVs) in Canada will present a number of cybersecurity challenges and risks.  AV manufacturers will need to consider these risks and address them early in the design and development process of their products. In this post, we discuss some of the key cybersecurity risks associated with AVs, strategies to mitigate … Continue reading

Contracting for Cybersecurity Risks: Mitigating Weak Links

Data Protection Report - Norton Rose FulbrightManaging vendor risks includes putting pen to paper. Organizations are increasingly susceptible to risks outside their controlled IT infrastructure as they engage third-party vendors to manage online platforms and process data. Even though an organization may have little to no control over a vendor’s security practices, it bears the ultimate responsibility for safeguarding its own … Continue reading

Privacy and Cybersecurity Due Diligence Considerations in M&A Transactions

Data Protection Report - Norton Rose FulbrightPrivacy and cybersecurity practices of target companies are being increasingly scrutinized throughout the due diligence process in M&A transactions. Particularly, buyers want to understand the risk and value inherent in sellers’ data assets and sellers want to manage transactional and post-closing risks. In the course of their privacy and cybersecurity due diligence, buyers should consider … Continue reading

Autonomous Vehicles – Canada’s Current Legal Framework: A Primer (Part 1)

In recent years, autonomous vehicle (AV) technology has undergone rapid development and it is predicted that AVs may soon be in a state to displace human driving altogether. In Ontario, the Automated Vehicle Pilot Program is currently in place to permit the testing of certain AVs by vehicle manufacturers. As AV technology continues to develop, however, … Continue reading

Alberta OIPC’s 2022 PIPA Breach Report – Trends and Key Takeaways

On July 27, 2022, the Office of the Information and Privacy Commissioner of Alberta (OIPC) released its 2022 PIPA Breach Report.[1] The report analyzes the nearly 2,000 breach reports[2] received by the OIPC during   the ten year period since reporting was mandated in Alberta under the Personal Information Protection Act (PIPA)[3]. The PIPA Breach … Continue reading

Canada’s artificial intelligence legislation is here

On 16 June 2022 the Canadian federal government introduced Bill C-27, also known as the Digital Charter Implementation Act 2022. If passed, this package of laws will: Implement Canada’s first artificial intelligence (AI) legislation, the Artificial Intelligence and Data Act (AIDA). Reform Canadian privacy law, replacing the Personal Information Protection and Electronic Documents Act with … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

European rulings on the use of Google Analytics and how it may affect your businessRecent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Privacy in a Parallel Digital Universe: The Metaverse

Data Protection Report - Norton Rose FulbrightFor many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe. The metaverse is an abstract concept that uses a digital environment to permeate … Continue reading

Privacy legislation reform: Bill 64 has now been passed

Bill 64, which purports to modernise Québec’s privacy legislation, was recently passed. This sweeping reform of the province’s framework for processing personal information hinges on three main axes: increased obligations for enterprises that collect or otherwise process personal information, the creation of new rights for persons whose information is collected, and the imposition of far … Continue reading

UK Government sets out proposals to shake up UK data protection laws

Data Protection Report - Norton Rose FulbrightOn 10 September 2021, the UK Government published its consultation paper on proposals to reform the UK’s data protection regime.  The deadline for responding to the consultation is 19 November 2021. In August, the Government announced that it intended to “seize the opportunity” afforded by the UK’s exit from the European Union to makes some … Continue reading
LexBlog