Privacy & Information Security Law Blog

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.

On January 21, 2021, President Biden designated Rebecca Kelly Slaughter as Acting Chair of the Federal Trade Commission.

On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.

The United States Court of Appeals for the Fifth Circuit recently vacated a $4.3 million civil monetary penalty imposed by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) in 2017 against the University of Texas M.D. Anderson Cancer Center (“MD Anderson”). The Court held that OCR’s civil monetary penalty for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and HIPAA Security Rule was “arbitrary, capricious, and otherwise unlawful.”

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On December 16, 2020, the Committee of Experts within India’s Ministry of Electronics and Information Technology (MeitY) (the “Committee”) issued a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “Revised Committee Report”).

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.

On January 12, 2021, in Wengui v. Clark Hill, PLC, et al., the United States District Court for the District of Columbia rejected a law firm defendant’s assertions of the attorney-client privilege and work product doctrine for forensic reporting and other related information associated with its outside counsel’s data breach investigation.

As reported on the Hunton Retail Law Resource blog, the Federal Trade Commission settled charges with mobile advertising company Tapjoy, Inc., on allegations that the company failed to provide promised rewards in exchange for completed activities such as the payment of money, disclosure of sometimes-sensitive personal information or registration for “free trial” marketing offers.

On January 11, 2021, the FTC announced that Everalbum, Inc. (“Everalbum”), developer of the “Ever” photo storage app, agreed to a settlement over allegations that the company deceived consumers about its use of facial recognition technology and its retention of the uploaded photos and videos of users who deactivated their accounts.

On January 10, 2021, New York City enacted a new biometrics ordinance that regulates the commercial use and sale of biometric identifier information.

On November 23, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on relevant and reasoned objections under the General Data Protection Regulation (“GDPR”) cooperation and consistency mechanisms (the “Guidelines). The consultation on the Guidelines took place a few weeks before the EDPB issued its first binding decision under the Article 65 GDPR dispute resolution mechanism.

The Federal Trade Commission issued a call for presentations on consumer privacy and data security research for its sixth annual PrivacyCon, which is to be held on July 27, 2021. The call for presentations asks for empirical research and demonstrations, including economic analyses, with implications for privacy and data security policy and law.

The global privacy and cybersecurity team at Hunton Andrews Kurth has authored multiple chapters of the 2021 Data Protection & Privacy guide by Lexology’s Getting the Deal Through. Partner Aaron P. Simpson and practice chair Lisa J. Sotto served as contributing editors of the ninth edition of the annual guide, which provides summary and analysis in key areas of law, practice and regulation for 150 jurisdictions across the globe.