Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.

Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.

Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.Continue Reading Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

Background

In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and

Last week (28 November 2019), the European Banking Authority (EBA) released the final version of its report entitled ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) (link here) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways.

Background

The EBA released a previous version of the guidelines back in 2017. The Guidelines will incorporate and repeal the 2017 guidelines once the Guidelines come into force on 30 June 2020. The Guidelines are also intended to be read alongside the guidelines on outsourcing that came into force at the end of September 2019.

The Guidelines aim to harmonise requirements for ICT and security risk management.

Their scope will cover:

  • Credit institutions and investment firms (as defined in the EU Capital Requirements Directive) for all of their activities
  • Payment service providers (subject to the revised Payment Services Directive) for their payment services

Continue Reading The EBA releases its final ‘Guidelines on ICT and security risk management’ report

This post was written by Nick Tyler.

The Information Commissioner’s Office (ICO), the UK’s data protection and freedom of information regulator, has launched a high level “Information Rights Strategy”.

In it, the ICO identifies the following priority areas: Internet and mobile services; health; credit and finance; criminal justice; and information security.

The ICO will