On 1 July 2021,[1] Federal Law No. 236-FZ on the Internet Activities of Foreign Entities in the Russian Federation (the “Law”)[2] came into force, requiring the establishment of a local presence, such as a branch, a representative office, or a subsidiary, for foreign Internet companies whose activities are focused on Russian users. The Law supplements the personal data localisation requirements under the…

The U.S. Securities and Exchange Commission this week took the rare step of penalizing a company for its allegedly poor disclosure of a cyber incident. The SEC announced a $1 million civil penalty against Pearson plc (“Pearson”), a London-based educational publishing company that is a U.S. securities issuer. The penalty resolves charges that Pearson misled investors related to a 2018…

European Data Protection Roundup – July

Key takeaways from developments this July include: a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth; the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5 million for ostensible GDPR failings; a reminder of the importance of setting and enforcing appropriate…

Earlier this year, we wrote about the SEC’s cybersecurity priorities. Since then, the SEC announced a settlement with First American Title Insurance and Services (“First American”) for violating Rule 13a-15(a) of the Exchange Act, and issued a voluntary request for information to a number of companies in connection with the SolarWinds cyber attack (“Voluntary Request”). In this Debevoise Data Blog…

On July 19, 2021, California Attorney General Rob Bonta announced his first-year enforcement update on the California Consumer Privacy Act (“CCPA”), and unveiled a tool to help the Attorney General’s office (“CAAG”)—the primary enforcer of the CCPA until the California Privacy Protection Agency takes over—identify CCPA violations. Over a year ago, on July 1, 2020, the first day of enforcement,…