Tag archives: data protection
Reports suggest US-EU agreement on cross-border data transfers near, but will it stick?
Posted in Regulatory response
It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however,regarding US surveillance activities, that are critical to addressing the concerns … Continue reading
WP29 Issues Post-Safe Harbor Guidance
Posted in General
The following is the statement of WP29 on the Schrems decision. It is a short opinion that we replicated here in full. We note that WP29 appears to suggest that model clauses and BCRs remain viable through at least January 2016, which is when WP29 would like to see the US and EU agree to a … Continue reading
A German data protection authority questions model clauses
Posted in Regulatory response
The German data protection authority from the northern state Schleswig-Holstein has released guidance in connection with the ECJ’s decision on Safe Harbor.… Continue reading
Schrems: ECJ invalidates the Commission’s Safe Harbor Decision
Posted in Compliance and risk management
The European Court of Justice (ECJ) ruled on Case C-362/14 (the Schrems case) earlier today, 6 October 2015. In its ruling, the ECJ – among other things – held that the EU Commission’s “US Safe Harbor” decision is invalid.… Continue reading
Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation
Posted in Regulatory responseThe European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015. In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing … Continue reading
European Court of Justice Advocate General’s Advisory Opinion in Schrems case questions validity of personal data transfers under EU/US Safe Harbor framework
Posted in Compliance and risk management, General
On September 22, 2015, the European Court of Justice (“ECJ”) Advocate General issued an advisory Opinion in Case C-362/14 (the “Schrems” case). A key recommendation was for the ECJ to declare the EU/US Safe Harbor Agreement invalid. It remains to be seen whether the ECJ will follow this recommendation. The controversial nature of the Safe … Continue reading
Dutch Data Protection Authority publishes consultation version of guidelines on breach notice law
Posted in Compliance and risk management, Data breachOn the heels of the enactment of the Dutch breach notice law, the Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to … Continue reading
Former Privacy Commissioner of Canada Jennifer Stoddard to headline a privacy event at Norton Rose Fulbright’s Montreal office
Posted in GeneralOn September 25, 2015, Jennifer Stoddard will visit Norton Rose Fulbright in Montreal to discuss the proposed sweeping reforms to Quebec’s legislation governing access to information and protection of personal information in the public sector. These reforms include proactive publication of government information at all levels, including studies and statistics in health and education and … Continue reading
European Union data protection regime reform: What should businesses be doing now to get ready? – web seminar
On Wednesday, July 29, 2015, Norton Rose Fulbright partners Boris Segalis and Marcus Evans will present a web seminar on European Union (EU) General Data Protection Regulation reform.… Continue reading
NLRB asserts employers must bargain with unions on breach response
The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former … Continue reading
NAIC adopts cybersecurity guidance for insurance regulators and the insurance industry
Posted in Regulatory response
The National Association of Insurance Commissioners (“NAIC”), a standards-setting organization comprised of insurance regulators from across all U.S. jurisdictions, has recently adopted twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Principles”). The Principles arrive in in the wake of the prominent Anthem data breach, highlighting the importance of protecting sensitive personal data in the … Continue reading
Dispute resolution mechanisms for SAs and individuals are key part of proposed EU regulation
Posted in Regulatory responseThis is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without … Continue reading
EU regulation proposal seeks to encourage consistency in data protection enforcement
Posted in Regulatory response
This is Part 4 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part … Continue reading
EU focuses on authority of SAs to enforce “One Stop Shop,” proposes a replacement for WP29
Posted in Regulatory responseThis is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without … Continue reading
EU’s “One Stop Shop” Proposal Focuses on “Main Establishment” as Nexus of DPA Enforcement Authority
Posted in Regulatory response
This is Part 2 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In this Part we examine the concept of main establishment and the position of entities without … Continue reading
UK Court of Appeal Establishes Data Protection Rights in Privacy Case
Posted in Dispute resolution and litigation
A recent English Court of Appeal judgment could significantly broaden the circumstances in which data protection litigation can be brought – and damages can be awarded – under English law. Background Vidal-Hall et al v Google ([2015] EWCA Civ 311) involves claims brought by three individual users against Google. The users alleged that Google collected private … Continue reading
Ontario Court of Appeal finds patients’ common law privacy rights not preempted by statute; allows class action to proceed
Posted in Dispute resolution and litigation, General
In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). … Continue reading
German draft bill to authorize privacy “class actions”
Posted in Compliance and risk managementThe German government recently released a draft bill seeking to grant authority to the country’s consumer and business associations to enforce compliance with data protection laws. Because the proposed draft bill appears to have received support from the governing parties, we believe there is a high probability of the bill being enacted in the near … Continue reading
White House presses for robust sharing of cyber-threat information
Posted in Compliance and risk management, General
On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs). The President observed that much of the United States’ critical infrastructure runs … Continue reading
Privacy action in Russia indicates enforcement focus on Western companies
Posted in General, Regulatory responseAccording to news reports in Russia, the Russian Federation’s data protection authority – Roscomnadzor – may be targeting Western companies for enforcement action. What appears to be the first enforcement action of this kind is directed at Twitter. At the heart of the action is an assertion by the head of Roscomnadzor that, while Twitter … Continue reading
Anthem breach poses significant cybersecurity risks for Anthem’s customers; may trigger legal obligations
Posted in Compliance and risk management, Data breachOrganizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem. The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected … Continue reading
China requires providers to enforce real-name registration and ban on “harmful” usernames
The Cyberspace Administration of China announced on February 4, 2015 new regulations requiring Internet users to register accounts under their real names for social network sites like blogs, discussion forums, comment sections, instant messaging, and related services. The rules impose the obligation to enforce the restrictions on affected businesses, including Western companies operating in China. The new regulations come … Continue reading
Cybersecurity incident notification bill introduced in the Netherlands
On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport). The proposed law would require notification in the event of a breach of security or loss of … Continue reading
