The ICO has confirmed a small, but important, change to the time limits for responding to subject access requests (SARs) under the GDPR. Calculation of the one-month time limit should begin from the date on which the request was received, not the day after. Therefore, if a request is received on 3rd September, the deadline for responding will be 3rd October (rather than 4th October, as previously understood). The ICO update on the subject, which follows a (2004) CJEU decision on time limits, is here and the guidance on subject access rights has been updated to reflect this.
In July, Squire Patton Boggs partner Petrina H. McDaniel and associate Keshia Lipscomb outlined several of the pending amendments expected to impact the scope of the California Consumer Privacy Act (“CCPA”) in an article with Bloomberg Law. Shortly after, the California Senate Judiciary Committee held a nearly 12-hour hearing on Tuesday, July 9th, just before the impending deadline for CCPA amendments to be heard ahead of the CCPA’s January 1st effective date.
With new guidance from the committee, Petrina and Keshia followed up with a second article summarizing key takeaways from the July 9th hearing and proposing guidelines for businesses to address the legal ramifications and compliance hurdles of the CCPA. The California Senate has just reconvened from its summer recess and now has until September 13th to pass the remaining amendments through the Senate in time to become part of the CCPA before January 1, 2020.
This summer the ICO has issued significant fines in relation to high profile data breaches since acquiring its new “GDPR charged” powers. With less publicity, but nonetheless important given the increasing awareness of the rights of data subjects to claim damages for breaches of data protection legislation, the Ministry of Justice has recently announced that there are going to be some changes to the Civil Procedure Rules (“CPR”) from 1 October 2019 onwards as regards privacy and data protection claims. Court Rules dealing with defamation cases (CPR Part 53 and the related pre-action protocol) will be amended such that they will also become applicable to any case that includes a claim for misuse of private information, data protection or harassment by publication.
I was recently helping a client in Tokyo respond to a serious and sophisticated cyber breach where hackers executed a transfer of nearly US$1M out of the client’s Hong Kong bank account. In this instance, the hackers had hacked into the CEO’s cloud-based corporate e-mail account and had determined a way to create a transaction that his intermediary company believed to be genuine. The hackers sat on top of the e-mail to intercept any queries and assure colleagues that this was an authorized transfer. The transaction was made on a Friday, in the hopes that it would not be noticed until the following week. Indeed, our client only realized that the transaction had happened on the following Monday, when he received by mail hard copies of the transfer documents from his intermediaries.
In these types of situations, it is essential to act quickly and to focus on the efforts most likely to bear fruit. But what to do when every second that passes makes it more likely that the funds have been transferred to other accounts in other jurisdictions?
Here are some critical things to consider, with many of these actions needing to occur concurrently:
Updated Black List of Processing Operations Requiring DPIA
On July 8, 2019 the updated list of operations requiring a data protection impact assessment (DPIA) was published in the official gazette of the Republic of Poland. The “black list” was updated by the Polish data protection authority, after the European Data Protection Board (EDPB) raised its objections to the original draft published by the Polish regulator on August 17, 2018. According to the EDPB’s opinion 17/2018, the original “black list” could have led to inconsistent application of the requirement for a DPIA and, therefore, should be subject to modifications.
As a result of the EDPB opinion, the Polish supervisory authority has recently made changes to the Polish “black list” of processing operations requiring a DPIA:
Many websites rely on implied consent to set cookies notwithstanding the fact that website cookies require the same opt-in consent as marketing emails. The UK Information Commissioner’s Office (ICO) has made it clear in its new guidance that “opt-in” consent must be obtained to set non-essential cookies, such as analytics cookies.
Our team has published an alert which explains the ICO’s interpretation of the rules relating to cookies in the UK and what this means in practice for online businesses. The alert may be accessed here.
The Cyberspace Administration of China (the “CAC”) launched a public consultation on the draft Administrative Measures on Data Security (the “Draft Measures”) on May 28, 2019. This consultation falls in the middle of the publication of the drafts for two other data protection rules, namely the Measures for Security Assessment for Cross-border Transfer of Personal Information and the Measures for Cybersecurity Review.
Together, these three measures will implement a significant portion of the Cyber Security Law (the “CSL”) and become the first set of binding laws focused solely on data protection, adopting certain rules from the non-binding Personal Information Security Specification. The Draft Measures were published just over a year after the General Data Protection Regulation (the “GDPR”) came into effect in the EU and certain similarities between the two regimes are apparent.
As explained in a recent post published on Squire Patton Boggs’ Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records initiative. This enforcement action should serve as a reminder to examine carefully attestations of EHR compliance, including the requirement to complete a HIPAA-required security risk assessment.
The California Consumer Privacy Act (“CCPA”), the most expansive state privacy law in US history, will take effect on January 1, 2020.
Our team will share with readers a series of alerts on the major elements of the CCPA. The first in the series – The California Consumer Privacy Act Series – Part 1: Applicability – focuses on the Act’s applicability, including who it will affect, personal information as defined by the CCPA, and the Act’s exemptions.
Our earlier blog posts discuss the nuances of the CCPA and the possibility of a federal privacy framework.
On 30 April, Squire Patton Boggs and the Digital Policy Alliance held an event entitled “Data Governance Under the GDPR: Are DPOs the Best Solution?” The aim of the session was to explore different approaches to the management of tasks involved in data governance, data protection and compliance, and the advantages and disadvantages of having a Data Protection Officer (‘DPO’). Following a scene-setting overview provided by Matthew Kirk, Senior Advisor at SPB, the discussion was led by Lord Erroll (Chairman of the Digital Policy Alliance). Jonathan Bamford (Director of Strategic Policy (Domestic) at the ICO) gave the key-note address and then joined the panel alongside Annette Demmel (Partner – Squire Patton Boggs) and Carol Tullo, OBE (Senior Associate and Legal Counsel – The Trust Bridge).