Global Privacy & Security Compliance Law Blog

China Issues New Cybersecurity Law to Protect Children

By Latham & Watkins LLP on Posted in GDPR, Privacy, Security

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences.

By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen

On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection of Personal Information of Children (儿童个人信息网络保护规定)(PCPPIC). The regulation will come into effect on October 1, 2019, and will apply within the People’s Republic of China (PRC).The PCPPIC’s stated purpose is “protecting the security of children’s personal information and promoting the healthy growth of children in the PRC.” In 29 Articles, the PCPPIC sets forth high-level requirements for the collection, storage, use, transfer, and disclosure of the personal information of children within PRC territory. Continue Reading

How Are European Supervisory Authorities Exercising Cooperation and Consistency In Practice?

By Latham & Watkins LLP on Posted in GDPR, Privacy

Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe.

By Fiona Maclean, Tim Wybitul, Joachim Grittmann, Wolf Böhm, Isabelle Brams, and Amy Smyth

A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated into its Google Assistant product. More specifically, the Hamburg supervisory authority opened proceedings with the intention to “prohibit Google from carrying out corresponding evaluations by employees or third parties for a period of three months. This is intended to protect the personal rights of those concerned for the time being.

This blog post analyzes the procedure against Google in Germany, in the context of recent trends elsewhere in Europe to transfer cases to lead authorities, and the impact for other companies regulated by a lead supervisory authority. The proceedings against Google might be resolved amicably, but still raise substantial questions over the powers of supervisory authorities under the cooperation and consistency mechanism of the GDPR. Continue Reading

High GDPR Fines: German Data Protection Authority Joins the Club

By Latham & Watkins LLP on Posted in GDPR

Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR.

By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams

The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the EU’s General Data Protection Regulation (GDPR), a significant step change in its GDPR enforcement approach. The Berlin DPA’s most significant penalty to date includes two fines on a company totaling €200,000. In that case, as with the latest announcement, the Berlin DPA has not yet named the affected company. The announcement also continues a trend, started by the French Data Protection Authority (CNIL) and followed by the UK Information Commissioner’s Office (ICO), of data protection authorities beginning to show their teeth in GDPR enforcement. Continue Reading

Navigating Data Processing Ethics for FinTech in Hong Kong

By Latham & Watkins LLP on Posted in GDPR, Privacy

If adopted efficiently, the PCPD’s Ethical Accountability Framework should help organizations to demonstrate and enhance trust with individuals.

By Kieran Donovan

In October, 2018, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) presented the findings of an inquiry into the ethics of data processing, commissioned by the PCPD with the help of the Information Accountability Foundation (IAF). The result of the inquiry, published as the Ethical Accountability Framework, provides an “instruction manual” for processing data in an ethical and accountable manner.

Following on the heels of the PCPD’s report, the Hong Kong Monetary Authority (HKMA) issued a Circular titled Use of Personal Data in Fintech Development, encouraging authorized institutions (AIs) to adopt the PCPD’s Ethical Accountability Framework. Continue Reading

Post-Brexit Implications for NIS Representative Requirements

By Latham & Watkins LLP on Posted in Legislative & Regulatory Developments, Privacy, Security

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative maybe be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen. Continue Reading

France’s CNIL Publishes New Guidance on Cookies

By Latham & Watkins LLP on Posted in GDPR, Privacy, Security

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt.

By Myria Saarinen and Camille Dorval

On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.

The Guidance clarifies “consent” under Article 82 of the French Data Protection Act (Article 82). Article 82 implements the ePrivacy Directive’s cookies rule and constitutes the foundation of the French rules requiring organizations placing non-essential cookies to provide “clear and complete” information to users and to obtain their consent to the use of cookies. Continue Reading

UK’s Online Harms Regime Must Be ‘Proportionate’, According to the ICO and Ofcom

By Latham & Watkins LLP on Posted in Privacy

Delicate balance required, as regulators and lobbyist warn of the risks of over-regulation while research indicates users seek greater protection.

By Alain Traill

Both the ICO and the outgoing Chief Executive of Ofcom have sounded a cautious note regarding the possible consequences of UK proposals to introduce a new regulatory regime intended to combat online harms. The Internet Association — a Washington based lobbying group — has also voiced its concerns, suggesting that they risk discouraging businesses from continuing to operate in the UK.

The ICO did, however, offer support for key aspects of the proposals, and acknowledged that they identify an “important gap in the existing regulation of the internet”. Furthermore, research carried out on behalf of both Ofcom and the ICO has shown an increasing appetite for online regulation among UK web users. Continue Reading

UK Government Launches ‘Smart Data’ Proposals as Data-Portability Agenda Intensifies

By Latham & Watkins LLP on Posted in GDPR, Privacy

The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties.

By Alain Traill and Gail Crawford

The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own products and services, with third parties. The proposals, released on 11 June 2019 by the Department for Business, Energy and Industrial Strategy (BEIS) in its Smart Data report and consultation, are indicative of a wider drive toward requiring companies to free up access to the data they hold. The drivers behind this include a desire to increase competition, foster the growth of data-driven services, and improve consumer choice.

The proposals follow the introduction of a range of sector-specific initiatives in the UK and is part of a concerted government focus on digital strategy, as evidenced in its recent white paper on Regulation for the Fourth Industrial Revolution, as well as the National Data Strategy introduced last year. Continue Reading

UK’s ICO Publishes New Guidance on Cookies

By Latham & Watkins LLP on Posted in GDPR, Security

The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.

By Fiona M. Maclean, Laura Holden, and Grace E. Erskine

The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.

The European law on cookies can be found in the European Directive 2002/58/EC (ePrivacy Directive) (as amended by Directive 2009/136/EC), as implemented into UK law by the Privacy and Electronic Communications Regulation 2003 (as amended) (PECR). Regulation 6 PECR constitutes the foundation of the UK rules requiring organisations setting non-essential cookies on websites to provide “clear and comprehensive information” to users and to obtain their consent to the use of cookies.  Continue Reading

UK Regulator Imposes Two Substantial Fines for GDPR Data Breaches

By Latham & Watkins LLP on Posted in GDPR

The ICO issued notices of intent to fine British Airways and Marriott. What happened?

By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty

On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation (GDPR). The proposed fine is the largest to date under the GDPR, and equals 1.5% of British Airways’ 2017 global turnover, according to the Financial Times. It follows months of investigation after British Airways notified the ICO of a security incident that led to the theft of customer data in September 2018.

Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million (about US$124 million) for infringements of the GDPR stemming from a data breach at Starwood, which it acquired in 2016. According to the Wall Street Journal, this fine represents 2.5% of Marriott’s global revenue. Marriott initially announced the data breach in November 2018, which led to an ICO probe. Continue Reading

LexBlog