Global Privacy & Security Compliance Law Blog

California Attorney General’s Office Announces First Public CCPA Enforcement Action

By Latham & Watkins on Posted in Privacy

Aggressive enforcement may be on the horizon now that businesses have had more than two years to comply with California’s landmark privacy law.

By Michael Rubin, Joseph Hansen, Robert Brown, Max Mazzelli, and Wesley Tiu

On August 25, 2022, the California Office of the Attorney General (OAG) announced that it had settled a complaint against Sephora alleging violations of the California Consumer Privacy Act (CCPA). The public settlement was the first since the CCPA became enforceable more than two years ago. Continue Reading

UK Data Protection Bill: Overview of Proposed Changes (Part 1)

By Latham & Watkins on Posted in GDPR, Legislative & Regulatory Developments

The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)

The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).

This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.

In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing. Continue Reading

UK Data Protection Bill: Examination of Key Provisions (Part 2)

By Latham & Watkins on Posted in GDPR, Legislative & Regulatory Developments

Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes. Continue Reading

UK Data Protection Reform: Examining the Road Ahead

By Latham & Watkins on Posted in Legislative & Regulatory Developments

UK government sets out ambitious proposal for reforming the UK data protection landscape.

By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth

On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.

These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.

This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex. Continue Reading

CJEU AG Sets High Bar for Responses to Data Subject Access Requests

By Latham & Watkins on Posted in GDPR, Legislative & Regulatory Developments

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.

By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth

Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU. Continue Reading

EDPB Emphasizes “Dissuasive” Fines in New Draft Guidelines on GDPR Fine Calculation

By Latham & Watkins on Posted in GDPR, Privacy, Security

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines. Continue Reading

Cyber Risk in Finance: A Q&A With Latham Partners

By Latham & Watkins on Posted in Privacy, Security

The evolution of cybersecurity-related representations and warranties in M&A transaction documentation has had an impact on financing transactions.

Major M&A transactions and IPOs have become the target of increasingly sophisticated cyberattacks, in some cases affecting thousands of companies along the supply chain. Regulators have responded with stepped-up enforcement, extending their reach not just to victim companies but also to third parties like payment processors and insurance carriers.

Today’s most pressing cybersecurity risks can have a significant effect on borrowers and their lenders, who should take several context-specific steps to limit risk, in addition to undertaking standard diligence including document review, management interviews, and analysis of publicly available information.

Latham & Watkins partners Robert Blamires, Tony Kim, and Jane Summers discuss in this Q&A how cybersecurity representations and warranties have evolved in M&A transactions, how cybersecurity risks can be addressed in the loan market, and how credit agreements can deal with cybersecurity.

New Cyber Incident Reporting Requirements on the Horizon in the US

By Latham & Watkins on Posted in Security

Companies should take steps now to prepare for the new rules and expectations.

By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith

The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels of high-profile ransomware attacks on US companies and critical infrastructure, such as the Colonial Pipeline hack that caused gas shortages in the eastern United States last summer.

Announced shared cybersecurity priorities across the Executive Branch include:

  • Cyber hygiene in the public and private sector, especially where critical infrastructure is involved
  • Operational collaboration between the public and private sector for tier one events
  • Disruption of the flow of cryptocurrency or other consideration to attackers
  • Fulsome, accurate, timely disclosure to investors and other stakeholders
  • Comprehensive reporting of incidents

Continue Reading

Utah Consumer Privacy Act: Fourth US State Enacts Comprehensive Data Privacy Legislation

By Latham & Watkins on Posted in Privacy, Security

Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward.

By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to enact comprehensive data privacy legislation. The UCPA was introduced on February 17, 2022, and sped through the state legislature, receiving final passage on March 3, 2022.

The UCPA, which is set to take effect on December 31, 2023, builds off existing and forthcoming privacy legislation in California, Colorado, and Virginia, but lightens some of the compliance burdens on businesses. The UCPA does not impose any new privacy obligations on businesses that are not already required in California, and businesses will be familiar with the UCPA’s requirements — all of which have appeared in existing and forthcoming state data privacy laws. In a welcome change for businesses, however, the UCPA is narrower in certain respects as compared to its analogues in California (CCPA/CPRA), Colorado (CPA), and Virginia (VCDPA). (See, e.g., Virginia Consumer Data Protection Act: Second US State Passes Comprehensive Data Privacy Legislation.)

The UCPA represents the latest in a string of state privacy laws that seek to fill a nationwide gap while Congress continues to debate the merits of a federal data privacy law. The UCPA marks a slightly different variation, as it appears to have been more directly informed by industry groups such as TechNet and the State Privacy Security Coalition. These industry groups are working toward a uniform set of privacy laws in the United States, and Utah could set an example for additional states.

This blog post discusses some of the UCPA’s key provisions. Continue Reading

China Issues New Rules on Cybersecurity Review for Network Platform Operators Listing Abroad

By Latham & Watkins on Posted in Legislative & Regulatory Developments

Under the new rules Chinese NPOs holding more than 1 million individuals’ personal information must apply for a cybersecurity review prior to listing abroad.

By Hui Xu, Kieran Donovan, and Bianca Lee

On February 15, 2022, the Cybersecurity Review Measures (2021) (CRM 2021, unofficial English text available here) took effect. CRM 2021 was promulgated on December 28, 2021, by the Cyberspace Administration of China (CAC) and 12 other Chinese central authorities, including the Ministry of State Security, the Ministry of Industry and Information Technology (MIIT), and the China Securities Regulatory Commission (CSRC). The CAC published the first draft of CRM 2021 on July 10, 2021, for public comments, and published the final version on January 4, 2022. The CAC cites the Data Security Law (DSL) as the legal basis for the authority of CRM 2021.

The promulgation of CRM 2021 marks a step forward in China’s strict regulation of Chinese companies’ overseas listing and adds another hurdle to companies’ listing process. However, as the CSRC has repeatedly emphasized to the media, the Chinese government has no intention of banning Chinese companies from listing overseas, but rather wants to strengthen regulation from a national security and data security perspective.

See Latham’s Client Alert for a detailed discussion of CRM 2021, the new requirements that it introduces, and what Chinese companies will need to focus on when considering an overseas listing.

LexBlog