Archives: Privacy and Data Security

Subscribe to Privacy and Data Security RSS Feed

New Mexico becomes 48th state to enact a data breach law, plus US state-level updates

Written by Jim Halpert and Anne Kierig An active spring state legislative session has already produced a few new state data breach laws. Notably, when New Mexico HB 15 was signed into law on April 6, the state became the 48th in the nation to have a data breach law on the books. The only … Continue Reading

Congress Rolls Back FCC Broadband Privacy Rules: What Does It Mean?

Written by Sydney White and Jim Halpert This week the US House of Representatives passed a Congressional Review Act (CRA) resolution of disapproval of the US Federal Communications Commission (FCC) broadband privacy rules that were approved by the FCC in a straight partisan vote at the end of the Obama Administration, but have not yet … Continue Reading

New York AG Announces Record Year for Data Breaches in New York – and Updates Guidance on Reasonable Security Measures

Written by Michelle Anderson and Anne Kierig New York Attorney General Eric Schneiderman announced that his office received a record number (1,300) of data breach notices in 2016. In the press release, Attorney General Schneiderman also provided a list of recommendations for how organizations can help protect sensitive personal data—a list that could be used … Continue Reading

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

Written by Carol Umhoefer and Caroline Chancé  On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as from May 25, 2018 under the EU the General Data Protection Regulation (“GDPR”). The abolishment under GDPR of registrations and filings with data protection authorities … Continue Reading

Commerce to Begin Accepting Swiss-US Privacy Shield Applications in a Month

As we noted in our January blog post Swiss-US Privacy Shield Adopted, Aligns with EU-US Privacy Shield, the Department of Commerce will begin accepting self-certifications to the Swiss-US Privacy Shield on April 12, 2017. In response to frequently asked questions, Commerce provides guidance on how to self-certify: Companies already certified under the EU-US Privacy Shield: … Continue Reading

Data protection laws and AI: What can we learn from the GDPR?

Written by Giangiacomo Olivi  Connected devices that exchange substantial volumes of data come with some obvious data protection concerns. Such concerns increase when dealing with artificial intelligence or other devices/robots that autonomously collect large amounts of information and learn though experience. Although there are not (yet) specific regulations on data protection and artificial intelligence (AI), … Continue Reading

CHINA DATA PROTECTION UPDATE (JANUARY 2017)

Guidance on who is a “key information infrastructure operator” under the PRC Cybersecurity Law, and draft regulations on handling minors’ data In the rapidly evolving data protection compliance environment in the People’s Republic of China, this month has seen some helpful clarification around two areas of uncertainty – namely:  some further indications as to whom … Continue Reading

Blog Post: Swiss-US Privacy Shield Adopted, Aligns with EU-US Privacy Shield

Written by Michelle Anderson The Department of Commerce International Trade Administration and Swiss Federal Council announced on January 11, 2017, the creation of a Swiss-US Privacy Shield framework that will “apply the same conditions as the European Union” under the EU-US Privacy Shield framework. This is welcome news for companies that transfer personal data from … Continue Reading

Presidential Commission Issues Recommendations for Improving Public and Private Sector Cybersecurity

Written by James Duchesne The President’s Commission on Enhancing National Cybersecurity (the “Commission”) recently issued a thoughtful report on improving the United States’ cybersecurity posture.  (The full report can be read here.)  The majority of the Commission’s recommendations would require action by the Trump Administration but may nonetheless prove influential.   The Commission was charged under … Continue Reading

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to: the right to Data Portability; Data Protection Officers (DPO); and the Lead Supervisory Authority. While WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification … Continue Reading

CHINA: Significant changes to data and cybersecurity practices under PRC Cybersecurity Law

Written by Carolyn Bigg After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China. The … Continue Reading

CASL made clearer: CRTC releases its first compliance and enforcement decision under Canada’s Commerce Messages Law

Written by Kelly Friedman, Tamara Hunter and Jim Halpert The Canadian Radio-Television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision for violation of Canada’s anti-spam legislation (CASL). Until now, CRTC CASL enforcement actions have taken the form of settlements reached in confidential negotiations between the  Enforcement Branch and the company. But this decision, … Continue Reading

Managing third parties under the Privacy Shield needs care

Written by Rena Mears, Ryan Sulkin, Eric Roth and Jim Halpert Controllers need to negotiate contract terms with third-party controllers and processors that are consistent with the controller’s obligations under the Shield. By Rena Mears, Ryan Sulkin, Eric Roth and Jim Halpert. The Privacy Shield’s heightened infrastructure, regulatory, and documentation requirements present participating companies with … Continue Reading

FCC Adopts Broadband Privacy Rules

Written by Sydney White Today the Federal Communications Commission (FCC) approved new privacy rules for mobile and fixed broadband ISPs by a vote of 3-2. The rules seek to harmonize the requirements for ISPs with current FCC CPNI rules that restrict usage of customer data by telecommunications carriers. The rules are broader than FTC privacy standards. In … Continue Reading

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

Written by Jan Pohle and Jan Spittka In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate whether dynamic IP addresses constitute personal data even if the data controller processing … Continue Reading

NTIA IoT Workshop

Written by Sydney White In response to comments on the National Telecommunications & Information Administration (NTIA) IoT Request for Comment (RFC) and the Stakeholder Engagement on Cybersecurity in the Digital Ecosystem RFC in 2015, NTIA held a workshop on “Fostering the Advancement of the Internet of Things” September 1.  The workshop  continued the process of … Continue Reading

Belgian Privacy Commission issues a 13 steps plan for companies preparing for GDPR compliance

Following a series of guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-readiness roadmap helping companies processing personal data to start preparing themselves. The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processor can consult additional guidelines, instruments and frequently asked questions. … Continue Reading

HONG KONG – HONG KONG’s Privacy Commissioner addresses privacy compliance and best practice for BYOD

Written by Scott Thiel Following the publication of industry-specific BYOD guidelines such as those issued by the Hong Kong Association of Banks (the “HKAB Guidelines“), the trend towards Bring Your Own Device (“BYOD“) has come to the attention of Hong Kong’s Privacy Commissioner. The Commissioner published an information leaflet on 31 August 2016 (the “Information … Continue Reading
LexBlog