Tag archives: data protection

Parenting support club Bounty fined in ‘unprecedented’ data breach

Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).… Continue Reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’… Continue Reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Norton Rose Fulbright - Data Protection Report blog

This is the Data Protection Report’s seventh blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney … Continue Reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

Norton Rose Fulbright - Data Protection Report blog

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC.  It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.

We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.… Continue Reading

European Commission adopts adequacy decision on Japan

Data Protection Report - Norton Rose Fulbright

On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of dialogue and negotiations between both parties.

According to a joint statement issued by  Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) and Haruhi Kumazawa (Commissioner of the Personal Information Protection Commission of Japan), “these mutual adequacy findings create the world’s largest Continue Reading

Parliament fails to approve the EU Withdrawal Agreement: Data protection implications

Data Protection Report - Norton Rose Fulbright

On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.

Had the UK Parliament approved the Withdrawal Agreement, it … Continue Reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

Data Protection Report - Norton Rose Fulbright

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. Dittman v. UPMC, 2018 Pa. LEXIS 6072199 (Pa. Nov. 21, 2018).… Continue Reading

Vicarious liability in the data breach context – bad news for UK employers?

Data Protection Report - Norton Rose Fulbright

The Court of Appeal has upheld a decision of the High Court  holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.… Continue Reading

California Consumer Privacy Act: GDPR-like definition of personal information

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (“CCPA” or the “Act”) sets a new precedent with its sweeping definition of  Personal Information (“PI”).   The CCPA defines “[p]ersonal information” as any information that “identifies, relates to, describes, is capable of being … Continue Reading

California Consumer Privacy Act blog series: Covered entities

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s second post in a series of blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on covered entities. Stay tuned for additional posts and information about our upcoming webinar on the CCPA.

California’s new privacy law, the California Consumer Privacy Act (CCPA) grants California residents extensive new privacy rights. One of the more significant aspects of the law however, is the number of business entities to which it applies. Companies around the world must comply with the … Continue Reading

Overview of Thailand Draft Personal Data Protection Act

Data Protection Report - Norton Rose Fulbright

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level … Continue Reading

US states pass data protection laws on the heels of the GDPR

Data Protection Report - Norton Rose Fulbright

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data.  The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the  California Consumer Privacy Act (“CCPA”) here.… Continue Reading

GDPR is upon us: are you ready for what comes next?

Norton Rose Fulbright - Data Protection Report blog

The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how … Continue Reading

UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.… Continue Reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.… Continue Reading

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR

Data Protection Report - Norton Rose Fulbright

The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms … Continue Reading

UK Information Commissioner Updates Paper on Big Data, Artificial Intelligence, Machine Learning, and Data Protection

Data Protection Report - Norton Rose Fulbright

On 1 March 2017, the UK Information Commissioner’s Office (ICO) published a paper on big data, artificial intelligence, machine learning and data protection (replacing its early paper published in 2014). Although the paper is described as a “discussion paper”, it makes a number of recommendations that those involved in big data projects would be well advised to incorporate into their projects, and it firmly rejects suggestions that either the existing data protection framework or the GDPR cannot be applied in this context.

The paper works through the implications of big data against the core data protection principles; it … Continue Reading

EU Data Package Highlights Connections between Data Protection and the Digital Single Market

Data Protection Report - Norton Rose Fulbright

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.… Continue Reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

Data Protection Report - Norton Rose Fulbright

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.… Continue Reading

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

Data Protection Report - Norton Rose Fulbright

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”

Summary of the NIS Directive

The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved … Continue Reading

LexBlog