Maki DePalo

Maki DePalo devotes her practice to clients' initiatives in technology and corporate transactions encompassing intellectual property licensing, strategic outsourcing, Internet-based marketing and advertising, data privacy and security, governance and compliance. Read more→

Japan and EU agree on Terms of Reciprocal Adequacy for Data Transfers

Posted on: 18 Jul 2018

On July 17, the European Commission (the “Commission”) announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other’s data protection systems as equivalent.  In its press release, the Commission explains that this adequacy agreement will create “the world’s largest area of safe transfers of data based on a high level of protection for personal data.” The General Data Protection Regulation (“GDPR”) came into effect as of May 25 of this year.  Under the GDPR, “adequacy” is the simplest way for companies to […] Read more

Canada Publishes Final Regulations on Mandatory Reporting of Privacy Breaches

Posted on: 20 Apr 2018

On April 18, 2018, the Canadian government published final regulations which include mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA).  These new obligations will come into force on November 1, 2018. PIPEDA applies to private-sector organizations and sets out the ground rules for how businesses must handle personal information in the course of commercial activity, explains the Office of the Privacy Commissioner of Canada (Commissioner).  […] Read more

DHS and FBI Issue a Joint Technical Alert with UK Warning Russian State-Sponsored Cyber Attacks

Posted on: 17 Apr 2018

On April 16, 2018, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre issued a joint Technical Alert (TA) warning of the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors.  The TA explains that the primary targets are government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.  The affected systems include: Generic Routing Encapsulation (GRE) Enabled Devices; Cisco Smart […] Read more

Privacy Commissioner of Hong Kong Issues a GDPR Guidance Document

Posted on: 04 Apr 2018

On April 3, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) announced the publication of the “European Union General Data Protection Regulation (GDPR) 2016” guidance document.  The PCPD explains that the publication was issued to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR.  The guidance document covers various provisions of the GDPR, including extra-territorial application of the GDPR and new data privacy governance requirements.  It also contains a chart […] Read more

Singapore Joins the APEC CBPR and PRP

Posted on: 07 Mar 2018

On March 6, Singapore announced that it has become the sixth country to participate in the Cross-Border Privacy Rules System (CBPR) as of February 20, 2018, joining the United States, Mexico, Canada, Japan and the Republic of Korea, and the second country to participate in the Privacy Recognition for Processors System (PRP) alongside the United States.  The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies. Singapore’s Ministry […] Read more

May 30 is Fast Approaching – Are You Ready for Compliance with the Amended Act on Protection of Personal Information in Japan?

Posted on: 11 Apr 2017

Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003.  It was originally enacted on May 30, 2003, and came into effect in 2005.  Ten years later, in September 2015, the National Diet passed extensive reforms to modernize the Current APPI.  Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect, it will come fully into effect on May 30, 2017. It is important to note that the Amended APPI applies to “personal information handling business operators” which is defined as a person […] Read more

FTC Issues Warning Letters to 28 Companies Claiming Participation in the APEC CBPR System

Posted on: 16 Jul 2016

On July 14, 2016, the Federal Trade Commission (FTC) announced that it had issued warning letters to 28 companies regarding their claim of participation in the Asia Pacific Economic Cooperation Cross Border Privacy Rule (APEC CBPR) system.  The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies.  The warning letter states the FTC’s records do not indicate these companies have taken the requisite steps to be able to claim participation […] Read more

FTC Approves Final Order Prohibiting Misrepresentation about Vipvape’s Participation in APEC Cross Border Privacy Program

Posted on: 01 Jul 2016

On June 29, 2016, the Federal Trade Commission (FTC) announced it had approved a final order resolving the complaint against Vipvape, a manufacturer of hand-held vaporizers.  The complaint alleged Vipvape misrepresented its practices on the website related to Vipvape’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system when, in fact, Vipvape was not certified to participate in the APEC CBPR system. In the Analysis of Proposed Consent Order to Aid Public Comment, the FTC explained that the APEC CBPR system is a voluntary, enforceable mechanism […] Read more

Support Data Privacy Day on January 28, 2015

Posted on: 27 Jan 2015

Did you know January 28 is Data Privacy Day (DPD)?  DPD commemorates Convention 108, the first legally binding international treaty dealing with privacy and data protection, signed on January 28, 1981.  DPD began in the United States and Canada in January 2008 as an extension of the DPD celebrated in Europe.  On January 27, 2014, the 113th U.S. Congress adopted a nonbinding resolution expressing support for the designation of January 28 as “National Data Privacy Day.” National Cyber Security Alliance (NCSA), a non-profit organization dedicated to cyber-security education and awareness, […] Read more

NIST releases “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.”

Posted on: 16 Dec 2014

On December 12, 2014, the National Institute for Standards and Technology (“NIST”) announced the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (“SP 800-53A”). SP 800-53A is a companion guideline to Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”) and discusses how to build effective assessment plans and how to analyze and manage assessment results. NIST’s announcement highlights […] Read more