Global Privacy & Security Compliance Law Blog

Category Archives: Security

Subscribe to Security RSS Feed

Saudi Arabia Issues Amended Data Protection Law for Consultation

The amendment proposes business-friendly changes regarding data localization and legitimate interests. By Brian Meenagh and Lucy Tucker On November 20, 2022, the Saudi Data and AI Authority (SDAIA) published an amended version of the Kingdom of Saudi Arabia’s (KSA or the Kingdom) Personal Data Protection Law (PDPL) for consultation (the Amended Draft). The Amended Draft … Continue Reading

Hong Kong Issues Guidance on Recommended Data Security Measures

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks. By Kieran Donovan and Malika Sajdik On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications … Continue Reading

Privacy Enhancing Technologies — A Panacea for Data Protection Compliance?

The Information Commissioner’s Office published draft guidance on privacy enhancing technologies that can be used to comply with privacy-by-design requirements. By Gail Crawford, Fiona Maclean, Irina Vasile, and Amy Smyth On 7 September 2022, the Information Commissioner’s Office (ICO) published a draft guidance on privacy-enhancing technologies (Draft Guidance) in which it explains what privacy enhancing … Continue Reading

EDPB Emphasizes “Dissuasive” Fines in New Draft Guidelines on GDPR Fine Calculation

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR. By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of … Continue Reading

Cyber Risk in Finance: A Q&A With Latham Partners

The evolution of cybersecurity-related representations and warranties in M&A transaction documentation has had an impact on financing transactions. Major M&A transactions and IPOs have become the target of increasingly sophisticated cyberattacks, in some cases affecting thousands of companies along the supply chain. Regulators have responded with stepped-up enforcement, extending their reach not just to victim … Continue Reading

New Cyber Incident Reporting Requirements on the Horizon in the US

Companies should take steps now to prepare for the new rules and expectations. By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels … Continue Reading

Utah Consumer Privacy Act: Fourth US State Enacts Comprehensive Data Privacy Legislation

Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward. By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer … Continue Reading

CNIL Publishes White Paper on Digital Payments and Data Privacy

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading

China Introduces First Comprehensive Legislation on Personal Information Protection

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021. By Hui Xu, Kieran Donovan, and Bianca Lee On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic … Continue Reading

China Issues New Regulations to Protect the Critical Information Infrastructure

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law. By Hui Xu and Kieran Donovan On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which … Continue Reading

China’s New Data Security Law: What to Know

The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC. By Hui Xu and Kieran Donovan On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of … Continue Reading

EDPB Issues New Guidance on Storing Credit Card Data for Future Purchases

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent. By Christian F. McDermott, Calum Docherty, and Victoria Wan Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases … Continue Reading

The EDPB’s Draft Data Transfer Guidance Following Schrems II – A Close Look

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on … Continue Reading

China Issues Draft Data Security Law for Public Comment

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data. By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) … Continue Reading

The Pervasive Threat of Business Email Compromise Fraud — and How to Prevent It

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols. By Jennifer C. Archie, Serrin Turner, and Tim Wybitul Key Points: The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US. … Continue Reading

RuNet Law Comes Into Force: What Is Next

As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation. By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security … Continue Reading

China Issues New Cybersecurity Law to Protect Children

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences. By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection … Continue Reading

Post-Brexit Implications for NIS Representative Requirements

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit. By Gail E. Crawford, Fiona Maclean, and Amy Smyth Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and … Continue Reading

France’s CNIL Publishes New Guidance on Cookies

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt. By Myria Saarinen and Camille Dorval On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance … Continue Reading

UK’s ICO Publishes New Guidance on Cookies

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance. By Fiona M. Maclean, Laura Holden, and Grace E. Erskine The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the … Continue Reading

RuNet Law: New Russian Law Could Significantly Impact Telecom and Internet Providers and Social Media Platforms

Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information. By Fiona M. Maclean and Ksenia Koroleva On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. … Continue Reading

UK’s Proposed “Online Harms” Compliance and Enforcement Regime Will Target Platforms

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms. By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to … Continue Reading

4 Questions to Consider When Dealing With Children’s Data in the US

The FTC and many state attorneys general aggressively monitor apps, websites, and internet-connected products for COPPA compliance. By Jennifer C. Archie, Michael H. Rubin, and Alexander L. Stout In the United States, collecting data directly from children under 13 years of age is tightly regulated by a federal statute, which is aggressively monitored and enforced. … Continue Reading
LexBlog