Global Privacy & Security Compliance Law Blog

Update: California’s Consumer Right to Privacy Ballot Initiative

Posted in Legislative & Regulatory Developments, Privacy

California ballot initiative, Consumer Right to Privacy Act of 2018, gathers momentum for a November vote, spurring some telecom and internet businesses to organize opposition.

By Michael H. Rubin, Roxana Mondragón-Motta, and Scott C. Jones

Businesses are preparing to oppose a California ballot measure that could impose new data privacy and security obligations, with the threat of significant civil liability for non-compliance. Signatures are being gathered to put the Consumer Right to Privacy Act of 2018 (the “CRPA Measure”) on the November 2018 California ballot. The CRPA Measure, introduced by two California citizens, claims to give California consumers an “effective way to control their personal information” by providing them with (1) a right to request certain information about what personal information covered businesses have collected and sold or disclosed within the last year and (2) the right to opt-out from having their personal information disclosed by a covered business. The initiative also provides multiple avenues for enforcement (private civil actions; attorney general or local prosecutor enforcement; and whistleblower actions).
Continue Reading

New Home for Our Interactive GDPR Implementation Tracker –

Posted in Legislative & Regulatory Developments

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. As an EU Regulation, it will be directly effective in each EU member state, but all member states are expected to pass national implementing legislation.

Latham’s GDPR Implementation Tracker is an interactive, web-based tool to help companies doing business in Europe stay abreast of the latest developments. The Implementation Tracker is now available at


Updates will be provided regularly, with additional informative features still to come.

National Cyber Security Centre Releases NIS Directive Guidance

Posted in Legislative & Regulatory Developments, Security

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce their likelihood of suffering a cyber incident. Continue Reading

Cybersecurity: UK Government Releases Response to Public Consultation on NIS Directive

Posted in Legislative & Regulatory Developments

Proposed changes provide indication of the yet-to-be-published contents of the NIS Directive’s implementing regulation.

By Gail CrawfordMark Sun, Fiona Maclean, and Malika Sajdik

The UK government moved closer to implementing the Security of Network and Information Systems Directive (NIS Directive) with the release of its consultation response.

The NIS Directive is the first EU-wide legislation on cybersecurity that aims to enhance network and information system security across vital business sectors within the EU. The UK government launched a public consultation in autumn 2017 to obtain feedback on its proposed approach to implementation. Although the consultation response indicated broad support for the proposals, the UK government has proposed changes to address certain areas of concern. The consultation response, which was released on 28 January 2018, focuses on the following topics.

Continue Reading

Updated: Latham’s GDPR National Implementation Tracker

Posted in Legislative & Regulatory Developments

By Gail Crawford and Mark Sun 

With the assistance of colleagues across the EU, Latham & Watkins has updated its GDPR National Implementation Tracker.

With just over three months to go until the GDPR go-live date on 25 May 2018, two EU member states (Belgium, Slovakia) have joined Austria and Germany in successfully implementing the GDPR in their national laws.

Since our last update in October 2017:

  • Six additional member states have published draft implementing legislation for a total of 16 member states with legislation in progress.
  • Eight member states, however, still have yet to publish any draft.

As the various member state legislation take shape, we will provide further updates on the implementation process. We will also compile an analysis of key areas of derogation from the GDPR for each member state in relation to bases for processing special personal data, exemptions to data subject rights or notice requirements, additional sanctions for breach, and others. Get updates on this and other key data privacy insights by subscribing to our e-mail in the sidebar.

US Government Contractors Face New Cybersecurity Requirements

Posted in Legislative & Regulatory Developments, Security

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance. Continue Reading

Article 29 Working Party Publishes Privacy Shield Review: Better, but Needs Work

Posted in Privacy

By Gail Crawford and Mark Sun

The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently operated. Though the WP29 acknowledges that Privacy Shield is an improvement over the Safe Harbor arrangement, the body has called for the European Commission (EC) and the US authorities to restart discussions on an action plan to address these concerns immediately. The review was conducted jointly between WP29 and US authorities, with feedback from US companies.

Continue Reading

Call for Cybersecurity Guidelines in International Arbitration

Posted in Security

By Hanna Roos and Jennifer Archie

Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.

Arbitration is also at risk. Parties, arbitrators, counsel, and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article, Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.

As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cyber security system and a more expensive and complicated system than is necessary. For a checklist of cybersecurity risks to consider at the beginning of an arbitration, see our Practice note, Cybersecurity issues in arbitration: Cybersecurity checklist. Continue Reading

Russian Lawmakers Move to Be Able to Ban Use of VPNs and Similar Access Tools

Posted in Legislative & Regulatory Developments

By Ksenia Koroleva

Russia has adopted a new law further toughening the country’s Internet-blocking regime and introducing a number of restrictive measures applicable to intermediaries providing access to blocked websites, IT networks, and information resources (hereinafter, “Blocked Websites”).

The relevant provisions of Federal Law No. 276-FZ dated July 29, 2017 (the “Anonymizers Law”), came into force on November 1, 2017.

Due to the vague wording and ambiguities, the enforcement of and practice on the Anonymizers Law will likely be complicated.


In 2012, Federal Law No. 307-FZ was adopted (the “Law on Blocking Websites”), which established a Russian register of Blocked Websites (the “Register”) maintained by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roskomnadzor).

Pursuant to the Law on Blocking Websites:

  • Websites containing information the dissemination of which is illegal in Russia (such as pornography, information about drugs, suicide, racism, copyright violations, etc.) must be included into the Register following a short remedy period, during which a website owner may remove all relevant information from the website and avoid the inclusion.
  • If the website is included into the Register, access to it from the territory of Russia must be blocked.The scope of the Law on Blocking Websites only extends to blocking access to websites containing the prohibited information and does neither prohibit nor restrict any software or hardware allowing to get access to Blocked Websites and serving as an intermediary between users and Blocked Websites (such software or hardware, the “Access Tools”). As a result, users could in practice visit Blocked Websites and the Russian authorities could do nothing about it.

Continue Reading

GDPR Countdown: Latham’s National Implementation Tracker

Posted in Legislative & Regulatory Developments

By Gail Crawford, Ulrich Wuermeling and Calum Docherty

GDPR ImplementationThe EU General Data Protection Regulation (GDPR) will come into force in May 2018, changing how businesses and the public sector manage customer information. With seven months before the deadline, governments, supervisory authorities, and businesses are working in parallel on GDPR implementation.

Latham reached out to colleagues across the EU to assess the state of the union in terms of national GDPR implementation. Both Germany and Austria have already passed implementing acts, placing them ahead of other EU Member States in aligning with the GDPR. Eleven jurisdictions are in the process of drafting the implementing laws, as they make their way through the national legislative process. Fifteen jurisdictions, however, are still at the initial planning phase.

For full details of how legislation implementation is progressing at a national level, see Latham’s full updated tracker.