Topic: Data and cybersecurity

On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).

This article first appeared in PLC Magazine in the January / February 2024 issue of PLC Magazine.

A flurry of significant European Court of Justice judgments relating to data protection were published in the final few months of 2023.

2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services announced a consent order with GGT, where GGT agreed to pay NYDFS $8 million and to surrender its BitLicense (for cryptocurrency trading), due to alleged violations of NYDFS’ cybersecurity and its virtual currency regulations. This post will focus on the cybersecurity regulation issues. (For more information about the crypto and financial services/regulation aspects, please see https://www.nortonrosefulbright.com/en/knowledge/publications/4c9650ae/2023-crypto-round-up

On 3 January 2024, the European Central Bank (ECB) announced that it will be conducting a cyber resilience stress test on 109 directly supervised banks in 2024.

December tends to be a busy time for everyone, so you may have missed a privacy update or two. We have set out some updates in the form of questions, with links in the answers where you can find more information. (For those making this quiz a competitive event, we have included a tie-breaker/bonus question.)

On 19 December 2023, the Financial Conduct Authority (FCA), the Bank of England (BoE) and the Prudential Regulation Authority (PRA) published the latest annual CBEST thematic report.

On December 13, 2023, the Federal Communications Commission (FCC) voted to update a 16-year-old privacy rule expanding breach notification requirements for telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). Under the new rule, these companies are now required to adequately safeguard sensitive customer information in an attempt to hold phone companies accountable for protecting customer information and to allow customers to protect their own information.

In our previous post, we discussed specific considerations for common boilerplate provisions in data processing agreements (DPAs). Due to the sensitivity of data transfers and privacy laws, DPAs require careful drafting to ensure the data processor complies with appropriate privacy obligations and is responsible for any non-compliance.

In the fourth podcast in our DE&I series, Hannah McAslan-Schaaf and Lara White discuss the data protection aspects of the FCA’s recent consultation paper on diversity and inclusion.