Tag archives: Privacy

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

By Ekin Inal (TR), Ece Sürmen (TR) and Ecem Naz Boyacıoğlu (TR) on December 31, 2019 Posted in Regulatory response

The Turkish Data Protection Board announced the extension of VERBİS registration deadline until June 30, 2020.… Continue reading

Mic Drop: California AG releases long-awaited CCPA Rulemaking

By David Kessler (US), Jeewon Kim Serrato (US), Susan Ross (US), Anna Rudawski (US) and Max Kellogg (US) on October 11, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA). The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press … Continue reading

ICO joins other data protection authorities in issuing statement on Facebook’s cryptocurrency Libra project

By Lara White (UK), Shiv Daddar (UK) and Hemin Hazar (UK) on August 22, 2019 Posted in Compliance and risk management

Data Protection Report - Norton Rose Fulbright

On 18 June 2019, Facebook announced plans to launch a new blockchain enabled cryptocurrency called Libra.… Continue reading

Turkey’s data protection legislation on data controller registry to impact data controllers outside of Turkey

By Ekin Inal (TR) on August 20, 2019 Posted in Regulatory response

Norton Rose Fulbright - Data Protection Report blog

Obligations Turkey’s data protection legislation (TDPL) requires data controllers to notify the Turkish DPA of their processing activities. Unless exempt from the requirement, all data controllers (individuals and legal entities) who process personal data in Turkey must be registered with the Turkish DPA’s Register of Data Controllers Information System (VERBİS), prior to processing any personal … Continue reading

One-Month Countdown to Pass CCPA Amendments Begins

By Jeewon Kim Serrato (US) and Susan Ross (US) on August 12, 2019 Posted in Compliance and risk management, Enforcement, General

On August 12, the California legislature returns after its summer recess. Starting with the Senate Appropriations Committee Hearing today, the legislature will now have approximately a month to continue the markups and send California Consumer Privacy Act (CCPA) amendments to the Governor’s desk for signature before the September 13 deadline. As previously reported, any amendment … Continue reading

Cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on July 29, 2019 Posted in General

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading

FTC to levy unprecedented $US5bn fine against Facebook

By Andrea D'Ambra (US) and Max Kellogg (US) on July 16, 2019 Posted in Data breach, Regulatory response

The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading

New CNIL €400,000 fine for data security breaches and non-compliance with data retention period under the GDPR

By Nadège Martin (FR) and Nilofar Moini Shabestari (FR) on July 8, 2019 Posted in Data breach, Enforcement

Following the now famous €50m fine imposed on Google LLC in January 2019,[1] the French Data Protection Authority (the CNIL) published a decision taken on 28 May 2019[2] imposing a fine of €400,000 on SERGIC, a company specialised in real estate development, purchase, sale, rental and property management.… Continue reading

NT Analyzer Blog Series: Why So Many Cookie Policies Are Broken, Part I – HTML5 LocalStorage

By Steve Roosa (US) on June 25, 2019 Posted in Compliance and risk management, Data breach, NT Analyzer Blog Series

Cookies Are One Piece of a Larger Puzzle There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often … Continue reading

Parenting support club Bounty fined in ‘unprecedented’ data breach

By Lara White (UK) on April 18, 2019 Posted in Enforcement

On 12 April, the Information Commissioners Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 … Continue reading

UK Supreme Court grant Morrisons permission to appeal vicarious liability finding

By Ffion Flockhart (UK), Marcus Evans (UK), Lara White (UK) and Steven Hadwin (UK) on April 17, 2019 Posted in Data breach

The Supreme Court has granted Morrisons to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants.… Continue reading

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

By Cécile Auvieux (FR) and Nadège Martin (FR) on April 12, 2019 Posted in Dispute resolution and litigation, Enforcement

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal … Continue reading

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

By Lara White (UK), Marcus Evans (UK) and Sven Jacobs (DE) on March 27, 2019 Posted in Dispute resolution and litigation

The opinion includes whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and GDPR and insight on what constitutes ‘informed consent.'… Continue reading

Companies’ right to privacy

By David Kessler (US) and Susan Ross (US) on February 13, 2019 Posted in Compliance and risk management, Dispute resolution and litigation

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city.… Continue reading

Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

By Jeewon Kim Serrato (US) and Arleen Fernandez (US) on January 31, 2019 Posted in Compliance and risk management

On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020.… Continue reading

First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads

By Marcus Evans (UK), Lara White (UK) and Cécile Auvieux (FR) on January 25, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Regulatory response

On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net. We focus here on four key aspects … Continue reading

Transition period under New York Cybersecurity Regulation ends March 1, 2019

By Kathleen Scott (US), Susan Ross (US) and Tristan Coughlin* (US) on January 7, 2019 Posted in Compliance and risk management, Cybersecurity, Enforcement, Fintech, General, Vendor management and transactions

The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other … Continue reading

Pennsylvania Supreme Court holds common law duty for employers extends to protecting sensitive employee information

By Andrea D'Ambra (US) and Max Kellogg (US) on December 7, 2018 Posted in Compliance and risk management, Data breach, General, Regulatory response

On November 21, 2018, the Pennsylvania Supreme Court broke new ground by holding that employers have a legal duty to take reasonable care to safeguard its employees’ sensitive personal information from cyberattacks. … Continue reading

Vicarious liability in the data breach context – bad news for UK employers?

By Steven Hadwin (UK), Mya Joel (UK), Marcus Evans (UK), Catrina Smith (UK) and Amanda Sanders (UK) on October 29, 2018 Posted in Data breach

The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable … Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on August 27, 2018 Posted in General

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information … Continue reading

Overview of Thailand Draft Personal Data Protection Act

By Natpakal Rerknithi (TH), Anna Gamvros (HK) and Ruby Kwok (HK) on August 6, 2018 Posted in Regulatory response

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading

FCC TCPA order partially upheld and partially set aside

By Susan Ross (US) on March 17, 2018 Posted in Dispute resolution and litigation

US Supreme Court expands digital privacy rights in Carpenter v. United States

On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive … Continue reading