Topic: Data and cybersecurity

According to the California Attorney General, consumers may now utilize a new technology called the Global Privacy Control (“GPC”) in order to opt out of a “sale” of personal information under the California Consumer Privacy Act (“CCPA”).

As part of its global strategy to ensure compliance with its new cookies mandatory guidelines, and as announced in its priority control themes for 2021, in May 2021 the CNIL issued formal notices to over twenty organizations (including international actors in the digital economy and some public bodies) for not enabling users to accept or refuse cookies using equally easy steps. These organizations all remedied the identified breaches within the month granted, but the CNIL has identified and sent formal enforcement notices regarding the same issue to a further 40 non-compliant organizations in the meantime.

Germany’s highest civil court, the Federal Court Of Justice (Bundesgerichtshof, the FCJ), has just published a decision specifying the scope of data subject access requests (DSARs). The FCJ held that Article 15 of the EU General Data Protection Regulation (GDPR) has a broader scope than previously understood in Germany. Pursuant to the court’s decision, Article 15 GDPR also covers information already known about the data subject, previous correspondence and notes of internal processes or internal communications related to the data subject.

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same key question by our clients who do business in China: “Am I a CII operator?”. Now, a new regulation provides more clarity on this.

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet.

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations.

Given global trends in the development of privacy laws and enforcement, Canada and several provinces are looking at modernizing their respective privacy regimes. Ontario’s new proposed privacy law, which would govern commercial activities more broadly than current legislation (i.e., our federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA)), is intended to enhance the public’s confidence in Ontario’s digital economy by recognizing individuals’ fundamental right to privacy and imposing strict compliance obligations and financial penalties on organizations doing business in Ontario.

On 11 February 2021, the Global Legal Entity Identifier Foundation (GLEIF) published issuance and technical infrastructure models for its recently announced verifiable LEI (vLEI) system.

On 11 February 2021, the Global Legal Entity Identifier Foundation (GLEIF) published issuance and technical infrastructure models for its recently announced verifiable LEI (vLEI) system.

On 16 December 2020, the European Commission published a new EU cybersecurity strategy.