Tag archives: fulbright

Belgian court orders Facebook to stop tracking non-members, rejects FB’s assertion of lack of jurisdiction

On November 9, 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-members in Belgium without their consent. The court imposed a penalty of EUR 250,000 per day for non-compliance.

The proceeding is the result of a formal recommendation that the Belgian Privacy Commission (BPC) issued in May 2015 requesting Facebook to cease the tracking of non-users. The BPC alleged that Facebook collected information about the web browsing behavior of users who were not Facebook members by using social plug-ins and cookies, which the BPC alleged Facebook placed on users’ computers when they visited …

Reports suggest US-EU agreement on cross-border data transfers near, but will it stick?

Data Protection Report - Norton Rose Fulbright

It is being reported that the EU and the US have reached an agreement in principle on the revised cross-border data transfer framework, commonly referred to as Safe Harbor 2.0. Both sides expect further progress on the specifics in November of this year. Some of the thornier issues, however, regarding US surveillance activities, that are critical to addressing the concerns the ECJ raised in Schrems, are yet to be firmed up with verifiable compliance commitments. …

Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015. In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission. If the …

NLRB asserts employers must bargain with unions on breach response

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of …

Energy cybersecurity – a critical concern for the nation

We have long recognized that effects of cyber-attacks are not limited to the virtual space, and can affect our physical environment. For example, a stolen trade secret may lead to a competitor who copies the design, to lost sales, to lost jobs. However, the relationship between cybersecurity and physical security is far more direct and significant in the energy sector. There are many examples of devastating impacts stemming from energy infrastructure disasters, and the energy sector’s ever increasing automation and reliance on the digital world for its operations vastly increases its vulnerability to cyber-attacks. The energy sector comprises one of …

Ontario Court of Appeal finds patients’ common law privacy rights not preempted by statute; allows class action to proceed

In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class …

White House presses for robust sharing of cyber-threat information

On February 13, 2015, President Obama spoke forcefully on cybersecurity threats at the Cybersecurity and Consumer Protection Summit, and signed an Executive Order designed to encourage the sharing of cyber-threat information through the formation of “hubs” – Information Sharing and Analysis Organizations (ISAOs).

The President observed that much of the United States’ critical infrastructure runs on networks connected to the Internet, resulting in vulnerabilities that foreign governments and criminals are probing every day. The President outlined four basic principles that should guide the efforts to combat cyber threats:

  • A shared mission between the private sector and the government;
  • Focus

Importance of data privacy and transparency in the UK highlighted by Investigatory Powers Tribunal decision

A recent landmark ruling from the UK’s Investigatory Powers Tribunal has highlighted the growing importance the UK courts place on data privacy and transparency. It is the first occasion that the Investigatory Powers Tribunal has upheld part of a complaint against the intelligence agencies since it was set up in 2000.

On February 6, 2015, the Investigatory Powers Tribunal, a special forum for investigating and resolving complaints relating to the use of covert techniques by public authorities, released a second judgment in the case of Liberty v The Secretary of State for Foreign and Commonwealth Affairs[1]. The case …

Privacy action in Russia indicates enforcement focus on Western companies

According to news reports in Russia, the Russian Federation’s data protection authority – Roscomnadzor – may be targeting Western companies for enforcement action. What appears to be the first enforcement action of this kind is directed at Twitter.

At the heart of the action is an assertion by the head of Roscomnadzor that, while Twitter has responded to thousands of requests for information from the U.S. government, the company has not responded to over 100 requests for user information from the Russian agency. In its letter to Twitter, Roscomnadzor demanded that the company explain its position regarding the disclosure …

SEC’s cyber preparedness priorities on display in the agency’s cybersecurity examination initiative

Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized findings from the agency’s examinations of the practices employed by financial service firms to address cybersecurity risks.

The focus and results of the OCIE’s evaluation offer firms insight into the types of information security and cybersecurity practices that the SEC considers key to helping organizations manage cyber threats and mitigate the effects of cybersecurity incidents. The survey also confirmed that financial firms remain an attractive target for hackers. The OCIE assessment found that 88% of broker-dealers and 74% …

China requires providers to enforce real-name registration and ban on “harmful” usernames

The Cyberspace Administration of China announced on February 4, 2015 new regulations requiring Internet users to register accounts under their real names for social network sites like blogs, discussion forums, comment sections, instant messaging, and related services. The rules impose the obligation to enforce the restrictions on affected businesses, including Western companies operating in China.

The new regulations come after a raft of earlier proposals that have tried with limited success to impose real-name registration requirements on users for a broader scope of Internet services, which included e-commerce, microblogs, video hosting websites, news websites, apps developer portals, online payment systems, …

Cybersecurity incident notification bill introduced in the Netherlands

On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).

The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to …

Encryption of patient personal information to be the law of the land in New Jersey

Following a number of reports of theft and misplacement of computer disks, laptops, and thumb drives containing unencrypted patient information from New Jersey medical centers, the New Jersey state legislature enacted a law on January 9, 2015, which prohibits health insurance carriers from electronically compiling and maintaining certain patient information unless that information has been encrypted.

The law, New Jersey S562 (“S562”), which will become effective on August 1, 2015, supplements the New Jersey Division of Consumer Affairs Consumer Fraud Act. It was passed in response to an epidemic of breaches at New Jersey hospitals that resulted in the …

Just what the doctor ordered: President outlines national breach law proposal

Leading up to the President’s State of the Union, the White House previewed several potentially sweeping cybersecurity initiatives—including a proposed federal law that would create a single national breach notification standard, entitled the Personal Data Notification & Protection Act (the “Act”). The President argued that the proposed law will benefit consumers and alleviate the confusion and cost borne by companies that must navigate the “patchwork” of differing state laws that currently governs the area of breach notification. In our view, the national breach law proposal may receive bipartisan support, but as always it is very difficult to handicap the …

California enacts “Right to be Forgotten” for Minors

Following Europe’s recognition of the “right to be forgotten” online, California has enacted its own version of the requirement, though limited to the state’s residents who are minors under 18 (“Minors”). The California law (Cal. Bus. & Prof. Code §§ 22580-81), which became effective January 1, 2015, applies to websites, social media sites, mobile apps and other online services. The law entitles Minors to the right to request and obtain the removal from public view of certain content that they submit to a website, app or other online service.

The law should prompt online businesses to review and …