Tag archives: data protection

Parenting support club Bounty fined in ‘unprecedented’ data breach

By Lara White (UK) on April 18, 2019 Posted in Enforcement

Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

By Lara White (UK), Marcus Evans (UK) and Sven Jacobs (DE) on March 27, 2019 Posted in Dispute resolution and litigation

The opinion includes whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and GDPR and insight on what constitutes ‘informed consent.'… Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 31, 2019 Posted in Compliance and risk management

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

European Commission adopts adequacy decision on Japan

By Lara White (UK) and Shiv Daddar (UK) on January 24, 2019 Posted in Regulatory response

Data Protection Report - Norton Rose Fulbright

On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of … Continue reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

By Lara White (UK), Marcus Evans (UK) and Miranda Byrne Hill (UK) on January 16, 2019 Posted in Compliance and risk management

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on August 27, 2018 Posted in General

This is the Data Protection Report’s third blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming … Continue reading

California Consumer Privacy Act blog series: Covered entities

By Jeewon Kim Serrato (US), Steve Roosa (US) and Alexis Wilpon (US) on August 16, 2018 Posted in Compliance and risk management, General, Regulatory response

This is the Data Protection Report’s second blog in a series of blogs that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.… Continue reading

Overview of Thailand Draft Personal Data Protection Act

By Natpakal Rerknithi (TH), Anna Gamvros (HK) and Ruby Kwok (HK) on August 6, 2018 Posted in Regulatory response

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading

US states pass data protection laws on the heels of the GDPR

By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin* (US) and Katey Fardelmann (US) on July 9, 2018 Posted in Compliance and risk management, Regulatory response

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with … Continue reading

GDPR is upon us: are you ready for what comes next?

By Jeewon Kim Serrato (US), Steven Hadwin (UK) and Marcus Evans (UK) on May 23, 2018 Posted in Compliance and risk management, Regulatory response

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the … Continue reading

OCR proposes to share HIPAA data breach settlements with victims

By on May 22, 2018 Posted in Data breach

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.… Continue reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

By Steven Hadwin (UK) on May 10, 2018 Posted in Compliance and risk management, Regulatory response

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the … Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

By Spencer Persson (US) on March 20, 2018 Posted in Data breach, Dispute resolution and litigation

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, … Continue reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

By Christoph Ritzer (DE) on March 5, 2018 Posted in Compliance and risk management

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier … Continue reading

European Commission issues new GDPR guidance

By Alexis Wilpon (US) on January 24, 2018 Posted in Compliance and risk management

The GDPR will come into force exactly four months from Thursday. In preparation, the European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR. While much of the guidance is already known to privacy professionals, there are new insights as well.… Continue reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

By Marcus Evans (UK) on March 15, 2017 Posted in Compliance and risk management, Regulatory response

On 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well … Continue reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

By Jay Modrall (BE) on January 16, 2017 Posted in Data breach, General, Regulatory response

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents, published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By Norton Rose Fulbright on October 6, 2016 Posted in Compliance and risk management, cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading