Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top privacy industry headlines:

  1. The Office of the Privacy Commissioner of Canada has published draft guidelines on the new mandatory breach reporting requirements that are set to come into force on November 1st. The new requirements include notification of a breach of security involving personal information to the Commissioner’s office and affected individuals where it is reasonable to believe that the breach creates “real risk of significant harm.” In addition, organizations must maintain a record of all breaches, regardless of whether notification is required. The guidelines published by the Commissioner’s office recommend that organizations should develop their own risk-based frameworks for assessing breach risk, and provide examples of types of harms that would be considered “significant.” The guidance also includes a template report that can be used for reporting breaches, and includes details about the information that should be included in breach records.
  2. The White House has released a National Cyber Strategy for protecting U.S. government networks and critical infrastructure from cyber threats. The report focuses on topics such as protecting government networks and critical infrastructure, combating cybercrime and improving incident reporting, developing a cybersecurity workforce, deterring unacceptable behavior in cyberspace, and promoting a more open and secure internet. The report also states that the White House would continue to expand DHS oversight over federal civilian networks and share more threat data with telecoms, as well as taking more of an offensive approach to disrupting cyber attacks from foreign adversaries.
  3. The conference of German data protection authorities, the DSK, has published a common position on the use of Facebook Fan Pages, following the Court of Justice of the EU’s judgment in June that administrators of such pages are to be considered joint controllers of personal data, and thus share joint responsibility under the GDPR. The DSK’s position states that Fan Page administrators need to enter into a joint controllership agreement with Facebook in order to legally run their page.

That’s all for this week, be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.

Register for our global user conference, PrivacyTECH on October 8-10 in London.