At the end of last year, Qatar became the first Gulf state to enact a comprehensive privacy law. Until now, the many companies that market to consumers or have employees based in Gulf Cooperation Council (GCC) countries have had to determine their local practices based on the various countries’ patchwork of sector-specific laws and regulations, as well as the differing privacy regimes in force in the region’s business-focused free zones. Now, at least in Qatar, the Personal Data Privacy Law ostensibly serves as a single law governing the collection and processing of data subjects’ personal information, and may serve as an exemplar for future GCC privacy laws.
The European Commission has released proposals for new legislation that seeks to create stronger privacy in electronic communications. The draft Privacy and Electronic Communications Regulation (the “Regulation”) is intended to replace the ePrivacy Directive (2002/58/EC) and will also bring the law in line with the new rules as set out in the General Data Protection Regulation (the “GDPR”) as part of the process to modernize the data protection framework in the EU. As a regulation (rather than a directive) it will apply uniformly across the EU as there will be one single set of rules which will crease more legal certainty, save for certain prescribed areas where EU Member States can have their own rules. Continue Reading
As we previously reported, in December 2016 the New York Department of Financial Services (the “DFS”) announced that it was revising its proposed regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Original Proposal”).
On December 28, 2016, the DFS released a revised version of the Original Proposal (the “Revised Proposal”) that incorporates greater flexibility with respect to requirements as well as delayed compliance deadlines. The Revised Proposal is subject to a final thirty-day comment period.
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.
The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).
As we previously reported, in September 2016 the New York Department of Financial Services (the “DFS”) proposed a regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Proposal”). The comment period for the Proposal closed in mid-November.
In late December, a DFS spokesman said that a revised Proposal will be filed with the state register on December 28, 2016 (followed by a new thirty-day comment period) and that the revised Proposal will come into effect on March 1, 2017 (two months later than the Proposal’s previous effective date of January 1, 2017).
On Friday, the Article 29 Working Party issued official guidance relating to the General Data Protection Regulation, or GDPR (which we’ve covered in previous posts here and here). The Article 29 Working Party is comprised of representatives of the various EU Member States’ data protection authorities (DPAs), so this marks the first time that the DPAs have revealed their thoughts on how they plan to interpret and enforce specific GDPR provisions. This is welcome news for companies that, until this point, have been left to figure out compliance strategies without any indication as to how some of the newer concepts the GDPR introduces will operate in practice when the Regulation begins to apply in 2018.
Judge Thomas W. Thrash Jr. of the U.S. District Court of Georgia permanently shelved a derivative suit brought by shareholders of Home Depot.
Home Depot is a multinational home improvement retailer. In September, 2014, Home Depot suffered a data breach that resulted in $192 million in net losses. This breach followed the widely publicized data breaches at several other major retailers and department stores.
Shareholder plaintiffs argued that defendants should have installed basic network security infrastructure to prevent the breach. Specifically, plaintiffs asserted that Home Depot failed to have a firewall, a properly maintained malware and antivirus software, and a policy to regularly test the network and delete cardholder data. This failure was allegedly a breach of Home Depot’s duties of care and loyalty, a waste of corporate assets, and a violation of the Securities Exchange Act, according to plaintiffs.