Tag archives: data protection

GDPR is upon us: are you ready for what comes next?

Jeewon Kim Serrato (US)Steven Hadwin (UK)Marcus Evans (UK)By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
Norton Rose Fulbright - Data Protection Report blogThe wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Steven Hadwin (UK)By Steven Hadwin (UK) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightThe UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Sarah MosesSpencer PerssonBy Sarah Moses and Spencer Persson on Posted in Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blogOn March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Christoph Ritzer (DE)By Christoph Ritzer (DE) and Thorben Schläfer (DE) on Posted in Compliance and risk management
Data Protection Report - Norton Rose FulbrightThe German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

European Commission issues new GDPR guidance

Kim Gold (US)Alexis Wilpon (US)By Kim Gold (US) and Alexis Wilpon (US) on Posted in Compliance and risk management
Norton Rose Fulbright - Data Protection Report blogThe GDPR will come into force exactly four months from Thursday.  In preparation, the European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR.  While much of the guidance is already known to privacy professionals, there are new insights as well.… Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

Marcus Evans (UK)By Marcus Evans (UK) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightOn 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

Jay Modrall (BE)By Jay Modrall (BE) on Posted in Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Compliance and risk management, cybercrime, Regulatory response
Data Protection Report - Norton Rose FulbrightRecent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

Lara WhiteMarcus Evans (UK)By Lara White and Marcus Evans (UK) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightThe Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.” Summary … Continue reading

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

Christoph Ritzer (DE)By Christoph Ritzer (DE) on Posted in Compliance and risk management, Regulatory response
Data Protection Report - Norton Rose FulbrightOn June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica … Continue reading

Big data: French and German authorities explore antitrust issues

Jay Modrall (BE)By Jay Modrall (BE) on Posted in Compliance and risk management, Data breach, General
Data Protection Report - Norton Rose FulbrightOn May 10, 2016, the French and German antitrust authorities published a joint study on competition law and the collection and use of data, particularly so-called big data (the Big Data Study). Data protection as such is outside the scope of EU competition laws, but antitrust authorities have considered the significance of data on a … Continue reading

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

Marcus Evans (UK)Jay Modrall (BE)By Marcus Evans (UK) and Jay Modrall (BE) on Posted in Compliance and risk management, Data breach, General, Regulatory response
Data Protection Report - Norton Rose FulbrightOn February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme. The statement highlights the following points: WP29 … Continue reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

Marcus Evans (UK)Jay Modrall (BE)By Marcus Evans (UK) and Jay Modrall (BE) on Posted in Data breach, Regulatory response
Data Protection Report - Norton Rose FulbrightOn December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive.  Formal approval by the Council is expected shortly and … Continue reading

Council and European Parliament reach agreement on NIS Directive

Jay Modrall (BE)Marcus Evans (UK)By Jay Modrall (BE) and Marcus Evans (UK) on Posted in cybercrime, Regulatory response
Data Protection Report - Norton Rose FulbrightOn December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD). The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union … Continue reading

Belgian court orders Facebook to stop tracking non-members, rejects FB’s assertion of lack of jurisdiction

Marcus Evans (UK)Jay Modrall (BE)By Marcus Evans (UK) and Jay Modrall (BE) on Posted in Compliance and risk management, Dispute resolution and litigation
On November 9, 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-members in Belgium without their consent. The court imposed a penalty of EUR 250,000 per day for non-compliance. The proceeding is the result of a formal recommendation that the Belgian Privacy Commission (BPC) issued in May 2015 … Continue reading

Reports suggest US-EU agreement on cross-border data transfers near, but will it stick?

Norton Rose FulbrightBy Norton Rose Fulbright on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightIt is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however,regarding US surveillance activities, that are critical to addressing the concerns … Continue reading

Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation

Jay Modrall (BE)Marcus Evans (UK)By Jay Modrall (BE) and Marcus Evans (UK) on Posted in Regulatory response
Data Protection Report - Norton Rose FulbrightThe European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015.  In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing … Continue reading

European Court of Justice Advocate General’s Advisory Opinion in Schrems case questions validity of personal data transfers under EU/US Safe Harbor framework

Marcus Evans (UK)Daniel Ashkar (GER)Adam Smith (UK)By Marcus Evans (UK), Daniel Ashkar (GER) and Adam Smith (UK) on Posted in Compliance and risk management, General
Data Protection Report - Norton Rose FulbrightOn September 22, 2015,  the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe … Continue reading

Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law

Floortje Nagelkerke (NL)Nikolai de Koning (NL)By Floortje Nagelkerke (NL) and Nikolai de Koning (NL) on Posted in Compliance and risk management, Data breach
Data Protection Report - Norton Rose FulbrightOn the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to … Continue reading
LexBlog