The People's Bank of China (PBC) recently released its Circular on Further Intensifying the Management of Credit Information Security. According to the circular, the PBC will intensify its management of credit information security by, among other things, practically raising awareness around the management of such information and strengthening information subjects' responsibilities in this regard. It will also optimise operational and control procedures for credit-related businesses.
The Ministry of Industry and Information Technology (MIIT) recently released its Notice to Further Clear and Regulate the Internet Access Service Market. According to the notice, the campaign to clear and regulate the internet access service market has been extended to March 31 2019 in order to solidify the accomplishments achieved and investigate the issues found thus far pursuant to the notice of the same name issued by the MIIT in January 2017.
The Federal Trade Commission has sent warning letters to two foreign companies that market wearable technology for children that collects geolocation data, allowing parents to monitor and communicate with their children. The letters warned the companies to review compliance with the Children's Online Privacy Protection Act, which requires parental notice and consent before collecting, using or sharing personal information from a child under 13 years old.
The General Office of the State Council recently issued the Measures for the Management of Scientific Data, which aim to improve and standardise the management of scientific data, safeguard scientific data security and encourage transparency and the sharing of scientific data. This is the first time that China has released measures which regulate scientific data at the national level. However, compared with some European countries and the United States, China still has far to go in this regard.
Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties.
Retailers are increasingly deploying cloud services solutions to realise cost savings, gain efficiency and enable scalability across numerous functions. However, while the benefits and popularity of cloud services are clear, cloud solutions are not without risks and challenges. In addition to the normal risks inherent in licensing and using technology, there are a number of issues that retailers should keep in mind when contracting for cloud services solutions.
The Crown Commercial Service (CCS) has issued a guide to CCS suppliers about the actions which they must take in light of the implementation of the General Data Protection Regulation (GDPR). Under the GDPR, data processors will face direct legal obligations and can be fined by the Information Commissioner's Office for non-compliance. In addition, data processors will face claims for compensation if they fail to comply with their obligations.
Following a media report that certain mobile phone application software was infringing user privacy, the Ministry of Industry and Information Technology organised talks with three internet companies. The ministry pointed out that the companies had collected and used users' personal information without fully disclosing the purpose of its use. The companies must now conduct rectifications to fully protect users' rights to be informed.
A revised version of the federal Ordinance on Internet Domains recently entered into force. It gives the responsible registries the possibility of temporarily blocking domain names under the top-level domains '.ch' and '.swiss' where they are being used for phishing or malware activities. In addition, anti-cybercrime services can request that registries block the domain names. However, these services require prior recognition from the Swiss Federal Office of Communications.
Members of Parliament recently filed an application to amend the Data Protection Act 2018 in order to clarify certain aspects which have led to confusion over the past couple of months. In addition to several provisions relating to competence, the proposed act, among other things, contains a rephrased version of the fundamental right to data protection, introduces the mandatory appointment of data protection officers and suggests enabling the matching of images with explicit consent.
Bitcoin has received considerable media attention in recent months as its value soared to $20,000 in December 2017, then retreated to around $9,000 in February 2018. While some investors embrace bitcoin, many members of the general public struggle to understand it. Despite the interest in cryptocurrency by investors, very few retailers and merchants accept cryptocurrency as a form of payment. Retailers and merchants appear to be taking a cautious approach.
The EU General Data Protection Regulation and the incoming Data Protection Bill (UK) will introduce a range of new liabilities into the data protection landscape. Data controllers have been warned of a corresponding increase in data protection claims under the new regulatory regime for some time. These warnings have largely focused on the level of fines and new data breach response requirements. However, the brewing perfect storm surrounding compensation claims should also be firmly on solicitors' radars.
The EU General Data Protection Regulation (GDPR) will come into full effect on May 25 2018 and will impact New Zealand businesses that do business with EU residents or entities or have a presence in the European Union. In addition, the privacy commissioner recently released a report recommending that the Privacy Act be substantially amended (including to comply with the GDPR) and the Ministry of Justice has indicated that privacy reform is a key initiative.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.
The Federal Trade Commission has announced an agreement with electronic toy manufacturer VTech Electronics Limited and its US subsidiary settling charges that VTech violated the Children's Online Privacy Protection Act by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parents' consent and failing to take reasonable steps to secure the data that it had collected.
The Crown Commercial Service has published a procurement policy note (PPN) in relation to the new data protection legislation that will be implemented shortly. The PPN highlights the fact that the EU General Data Protection Regulation now strikes a more even balance between data processors and data controllers and requires organisations to act immediately to ensure compliance. As the new legislation will apply to the wider public sector, other public bodies may wish to apply the principles of the PPN.
To date, data breach plaintiffs have struggled to find a way to access insurance monies in directors and officers (D&O) liability insurance policies. Recently, plaintiffs have pivoted to securities suits as a potential new way to trigger the deeper pockets associated with D&O policies. Insurers are no doubt monitoring this growing trend of litigation, so insureds should pay close attention to cyber-related exclusions in their D&O policies.
The recently announced Data Protection Bill (which will replace the existing Data Protection Act) will transpose the EU General Data Protection Regulation (GDPR) into UK law and will be applicable despite Brexit. The new enhanced regime will affect all businesses that process data relating to an identified or identifiable natural person. Companies need to be actively preparing to ensure that they are GDPR compliant by identifying what steps are needed to comply with the regime.
The chair of the US Federal Communications Commission recently outlined plans to bury the internet rules promulgated under the Obama administration that required internet service providers (ISPs) to treat all web traffic equally. Under the proposed changes, ISPs would be allowed to offer web-based services at different speeds and differing service quality. In addition, they could enable more favourable speed or quality, or both, for websites that pay a fee.
The extent to which the data subject access request (DSAR) regime will change under the EU General Data Protection Regulation and how this will affect employers is becoming clear. For example, the fee for responding to a DSAR will be abolished and the deadline for compliance will be reduced. While there will be some practical differences, an employer that has appropriate systems and procedures in place to deal with DSARs under the existing regime will not need to radically rethink its approach.