Global Privacy & Security Compliance Law Blog

Category Archives: Security

Subscribe to Security RSS Feed

CNIL Publishes White Paper on Digital Payments and Data Privacy

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading

China Introduces First Comprehensive Legislation on Personal Information Protection

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021. By Hui Xu, Kieran Donovan, and Bianca Lee On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic … Continue Reading

China Issues New Regulations to Protect the Critical Information Infrastructure

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law. By Hui Xu and Kieran Donovan On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which … Continue Reading

China’s New Data Security Law: What to Know

The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC. By Hui Xu and Kieran Donovan On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of … Continue Reading

EDPB Issues New Guidance on Storing Credit Card Data for Future Purchases

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent. By Christian F. McDermott, Calum Docherty, and Victoria Wan Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases … Continue Reading

The EDPB’s Draft Data Transfer Guidance Following Schrems II – A Close Look

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on … Continue Reading

China Issues Draft Data Security Law for Public Comment

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data. By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) … Continue Reading

The Pervasive Threat of Business Email Compromise Fraud — and How to Prevent It

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols. By Jennifer C. Archie, Serrin Turner, and Tim Wybitul Key Points: The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US. … Continue Reading

RuNet Law Comes Into Force: What Is Next

As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation. By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security … Continue Reading

China Issues New Cybersecurity Law to Protect Children

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading

Post-Brexit Implications for NIS Representative Requirements

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading

France’s CNIL Publishes New Guidance on Cookies

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt. By Myria Saarinen and Camille Dorval On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance … Continue Reading

UK’s ICO Publishes New Guidance on Cookies

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance. By Fiona M. Maclean, Laura Holden, and Grace E. Erskine The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the … Continue Reading

RuNet Law: New Russian Law Could Significantly Impact Telecom and Internet Providers and Social Media Platforms

Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information. By Fiona M. Maclean and Ksenia Koroleva On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. … Continue Reading

UK’s Proposed “Online Harms” Compliance and Enforcement Regime Will Target Platforms

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms. By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to … Continue Reading

4 Questions to Consider When Dealing With Children’s Data in the US

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading

EDPB Publishes Regulatory Guidance on Territorial Scope of GDPR

The Guidance provides helpful clarifications for service providers and their customers on both sides of the Atlantic. By Robert Blamires, Fiona M. Maclean, and Danielle van der Merwe Long-awaited guidance on the territorial scope of the General Data Protection Regulation (GDPR) has been published by the European Data Protection Board (EDPB) for public consultation (Guidance). … Continue Reading

German GDPR Fine Proceedings Conclude Favourably for Defending Company

Germany’s first GDPR fine offers lesson for companies planning a data breach policy. By Tim Wybitul, Wolf-Tassilo Böhm, and Isabelle Brams In November 2018, Germany’s first fine under the General Data Protection Regulation (GDPR) was imposed — and it was much lower than many expected. The favourable outcome of the proceedings for the defending company … Continue Reading

A New Era for Data Protection in Brazil

Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity. By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight … Continue Reading

FCA Speaks Out on the Ethics of Big Data

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon. By Nicola Higgs, Fiona Maclean and Terese Saplys Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems … Continue Reading

National Cyber Security Centre Releases NIS Directive Guidance

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations. By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information … Continue Reading

US Government Contractors Face New Cybersecurity Requirements

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract … Continue Reading
LexBlog