The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.
On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.
The International Trade Administration at the U.S. Department of Commerce recently announced that NCC Group has been approved as a U.S. Accountability Agent under the APEC Cross-Border Privacy Rules (“CBPR”) system. NCC Group joins TrustArc and Schellman as the third U.S. Accountability Agent under the CBPR and the sixth Accountability Agent approved under the system overall. NCC Group will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR system and under the APEC Privacy Recognition for Processors (“PRP”), a corollary system to the CBPR specifically for processors.
On March 19, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a Q&A on the APEC CBPR and PRP systems. The Q&A is designed to explain the workings of both systems, who is currently participating in them and how interested companies can certify.
On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).
To help facilitate data sharing in light of the COVID-19 pandemic, the Global Privacy Assembly has begun compiling the latest guidance from data protection authorities around the world on data protection and data sharing. As of this blog post, the list contains guidance from 26 countries and territories across the globe as well the European Data Protection Board and the United Nations Special Rapporteurs. The list will be updated as additional guidance is provided.
On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.
The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.
On March 19, 2020, the Irish Data Protection Authority (the “DPC”) published guidance to assist organizations in understanding their data security obligations and to mitigate their risks of a personal data breach when using cloud-based services (the “Guidance”).
On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.
On March 12, 2020, the French Data Protection Authority (the “CNIL”) released its annual inspection strategy for 2020. The CNIL carries out approximately 300 inspections every year. These inspections are initiated (1) following complaints lodged with the CNIL; (2) in light of current topics in the news; (3) after the CNIL has adopted corrective measures (e.g., formal notices, sanctions) in order to verify whether the organization in question adopted the measures or remedied the situation; and (4) as part of the CNIL’s annual inspection strategy.
On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.
On March 4, 2020, the UK Information Commissioner’s Office (“ICO”) fined the international airline Cathay Pacific Airways Limited (“Cathay Pacific”) £500,000 for failing to protect the security of its customers’ personal data. The fine was issued under the Data Protection Act 1998 (the “DPA”) and represents the maximum fine available. The ICO found that between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Of the approximately 9.4 million customers affected worldwide, 111,578 were from the UK.
On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).
On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”
Update: We are monitoring the COVID-19 situation and, like many of you, re-assessing our in-person gatherings and events over the next few months. As an immediate step, we have decided to postpone our London Breakfast Meeting and will circulate details of a webinar on this topic shortly. We thank you for your understanding.
On March 17, 2020, Hunton Andrews Kurth LLP will host a breakfast briefing in our London office, with guest speakers from Deloitte’s Cyber Breach Support team, to explore UK and EU cyber enforcement trends and discuss the current cybersecurity threat environment. In the face of record-breaking fines handed out by the regulators, securing networks, hardening systems, and protecting data from cyber attacks is becoming ever more critical. Understanding common cyber threats, including the attack vectors, how they work, and how they can be detected, is key to working with IT security colleagues to protect an organization from cyber attacks and respond to incidents.
On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.
On February 19, 2020, the European Commission (“the Commission”) published a White Paper entitled “a European Approach to Excellence and Trust” on artificial intelligence (“AI”). This followed an announcement in November 2019, from the Commission’s current President, Ursula von der Leyen, that she intended to propose rules to regulate AI within the first 100 days of her Presidency, which commenced on December 1, 2019. This White Paper was published alongside the Commission’s data and digital strategies for Europe.
On February 19, 2020, the European Commission (the “Commission”) released a suite of documents including its White Paper on Artificial Intelligence (“AI”), entitled “a European approach to excellence and trust.” In addition, the Commission published two communications—its European strategy for data and a Digital Strategy document entitled “Shaping Europe’s Digital Future.”
On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.
On January 16, 2020, the Federal Trade Commission announced that settlements with five companies of separate allegations that they had falsely claimed certification under the EU-U.S. Privacy Shield framework had been finalized.
On January 14, 2020, the French Data Protection Authority (the “CNIL”) published its draft recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”). The CNIL also published a set of questions and answers on the Recommendations (“FAQs”).
2019 was the “Year of the CCPA” as companies around the world worked tirelessly to comply with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA aims to provide data privacy rights for California residents and imposes significant new requirements on covered businesses.
On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.
On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.
On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.
On December 10, 2019, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data in the context of whistleblowing hotlines. The Referential on whistleblowing hotlines was adopted following a public consultation launched by the CNIL on April 11, 2019. It replaces the CNIL’s Single Authorization AU-004 decision regarding such data processing, and anticipates certain changes introduced by the EU Directive on the protection of whistleblowers (Directive (EU) 2019/1937 of October 23, 2019), which EU Member States will have to implement into their national laws by December 17, 2021. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding the operation of a whistleblowing hotline.
On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.
On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).
On December 6, 2019, the Federal Trade Commission announced its Final Order and Opinion in the matter of Cambridge Analytica, LLC, finding that Cambridge Analytica violated the FTC Act’s Section 5 prohibition against “unfair or deceptive acts or practices” when harvesting personal information through its “GSRApp” Facebook application.
On December 3, 2019, the Federal Trade Commission announced that it had reached settlements in four separate Privacy Shield cases. Specifically, the FTC alleged that Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to participate in the EU-U.S. Privacy Shield framework. The FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework and that Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield after their Privacy Shield certifications lapsed. The complaints further alleged that Global Data and TDARX failed to comply with the Privacy Shield framework, including by failing to (1) verify annually that statements about their Privacy Shield practices were accurate, and (2) affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.
On November 26, 2019, the French Data Protection Authority (the “CNIL”) announced that it had levied a fine of €500,000 on Futura Internationale, a French SME specializing in thermal insulation of private buildings, for various infringements of the EU General Data Protection Regulation (“GDPR”). The infringements related to the company’s direct marketing voice-to-voice calls include failure to (1) comply with the individuals’ objection to the processing of their personal data for direct marketing; (2) process only relevant personal data (by recording excessive comments in the CRM software); (3) provide sufficient notice regarding the recording of phone calls and data processing; (4) cooperate with the CNIL; and (5) implement appropriate data transfer mechanisms for the data transfers to non-EU call center providers.
At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.
On November 26, 2019, the European Data Protection Supervisor’s office (“EDPS”) and the European Parliament announced that Wojciech Wiewiórowski, currently Assistant Supervisor and acting replacement for the European Data Protection Supervisor Giovanni Buttarelli, will officially be the new European Data Protection Supervisor for the new term of office. The Committee of the Permanent Representatives of the Governments of Member States to the European Union (“COREPER”) and the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (“LIBE”) confirmed Wojciech Wiewiórowski for a 5-year mandate as European Data Protection Supervisor. In the following days, the European Parliament and Council of the European Union will proceed to formally appoint Wojciech Wiewiórowski as the new European Data Protection Supervisor. Wojciech Wiewiórowski has served as Assistant Supervisor since December 2014. Earlier in his career, Wojciech Wiewiórowski was the Inspector General for the Protection of Personal Data at the Polish Data Protection Authority.
On November 13, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 4/2019 (the “Guidelines”) on the obligation of Data Protection by Design and by Default (“DPbDD”) set out under Article 25 of the EU General Data Protection Regulation (“GDPR”).
On November 19, 2019, the Federal Trade Commission announced that Medable, Inc. (“Medable”) agreed to settle allegations that the company had misrepresented its participation in the EU-U.S. Privacy Shield program. The FTC alleged that, from December 2017 to October 2018, Medable falsely claimed in its online privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the framework’s principles. According to the complaint, although Medable did initiate an application with the Department of Commerce in December 2017, the company never completed the steps necessary to participate in the framework.
On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.
On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.
The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...
On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.
On October 22, 2019, the French Data Protection Authority (the “CNIL”) published a list of processing operations (in French) that it considers not requiring a data protection impact assessment (“DPIA”). The CNIL had previously adopted and published a final list of processing operations requiring a DPIA on November 6, 2018. The final list includes 12 types of processing operations for which a DPIA is not considered mandatory. The CNIL provided concrete examples for each type of processing operation, including:
On October 4, 2019, the Presidency of the European Council published its revised text (the “Revised Draft”) of the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Revised Draft was released in preparation for the Working Party on Telecommunications and Information Society’s meeting, which took place on October 11, 2019 (the “WP Tele”) and introduces limited amendments compared to the draft amendments proposed by the Presidency of the European Council last month.
On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”). The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.
On October 2, 2019, the UK Court of Appeal handed down its judgment on the appeal in Richard Lloyd v. Google LLC, in which Richard Lloyd, a consumer protection advocate, seeks to bring a representative action on behalf of four million Apple iPhone users against Google LLC in the United States. Previously, the High Court had refused to grant permission for the proceedings to be served outside the UK. The Court of Appeal reversed the High Court’s judgment, granting permission for service outside the UK and allowing the representative action to proceed. The judgment is significant as it paves the way for representative actions (equivalent to class actions) for data protection infringements in the UK.
On October 15, 2019, Hunton Andrews Kurth will host a luncheon seminar in our Brussels office on Addressing GDPR Challenges: An Interactive Session on Handling Data Breaches. In this roundtable discussion, our speakers will lead a dialogue to share experiences on handling data breaches under the EU General Data Protection Regulation (“GDPR”).
On October 1, 2019, the Court of Justice of the European Union (“CJEU”) issued its decision in an important case involving consent for the use of cookies by a German business called Planet49. Importantly, the Court held that (1) consent for cookies cannot be lawfully established through the use of pre-ticked boxes, and (2) any consent obtained regarding cookies cannot be sufficiently informed in compliance with applicable law if the user cannot reasonably comprehend how the cookies employed on a given website will function.
On September 17, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of EUR 10,000 on a shop for the disproportionate use of customers’ electronic identity cards (the “eIDs ”) – a national identification card.
On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).
On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).
On September 18, 2019, the Presidency of the European Council published its proposed amendments to the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Draft ePrivacy Regulation will replace the ePrivacy Directive and will complete the EU’s framework for data protection and confidentiality of electronic communications.
On September 10, 2019, the French data protection authority (the “CNIL”) updated its existing set of questions and answers (“FAQs”) on the impact of a no-deal Brexit on data transfers from the EU to the UK and how controllers should prepare.
On September 6, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on processing of personal data through video devices (the “Guidelines”). The Guidelines were adopted on July 10, 2019, for public consultation.
On September 4, 2019, the High Court of England and Wales dismissed a challenge to South Wales Police’s use of Automated Facial Recognition technology (“AFR”). The Court determined that the police’s use of AFR had been necessary and proportionate to achieve their statutory obligations.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP is pleased to announce Matthew Starr and Giovanna Carloni have joined CIPL, adding to its expertise in global privacy and data protection policy.
On August 21, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published a press release informing of its intention to further investigate a data breach that was notified by Adecco Belgium, a temporary employment agency. The data breach affected thousands of biometric data, including fingerprints and images allowing facial recognition, and was suffered by the company Suprema. The compromised data included approximately 2,000 fingerprints of Adecco Belgium’s employees.
On August 21, 2019, the Swedish Data Protection Authority (the “Swedish DPA”) imposed its first fine since the EU General Data Protection Regulation (“GDPR”) came into effect in May, 2018. The Swedish DPA fined a school 200,000 Swedish Kroner for creating a facial recognition program in violation of the GDPR.
On August 15, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it had launched an investigation into the use of live facial recognition technology at the King’s Cross development in London. This follows a letter sent by the mayor of London, Sadiq Khan, to the owner of the development inquiring as to whether the use of the software was legal. The company responsible for the technology said it was used for the purposes of public safety.
On August 15, 2019, the UK Information Commissioner’s Office updated its guidance on the timescale for responding to data subject access requests under the EU General Data Protection Regulation, following a ruling of the Court of Justice of the European Union . The guidance now states that the time limit should be calculated from the day that the request is received, whether or not it is a working day. For example, if a request is received on September 3, the time limit will commence on that date and the response should be provided to the data subject by October 3 ...
On August 12, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced its intent to approve Nederland ICT’s Data Pro Code (the “Code”), a code of conduct for the ICT sector. Nederland ICT represents data processors from the IT sector. Data processors that process personal data on behalf of and for a data controller can join this code of conduct. The draft decision of the Dutch DPA regarding the Code was published in the Official Journal of the Netherlands (the “Staatscourant”) on August 12 and interested parties have six weeks to submit their opinion on the draft decision.
On August 7, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper titled Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses under the GDPR (the “White Paper”). The White Paper was submitted to the European Commission as part of its ongoing work to update EU Standard Contractual Clauses for international transfers (“SCCs”).
On July 29, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV. The Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) requested a preliminary ruling from the CJEU on several provisions of the former EU Data Protection Directive of 1995, which was still applicable to the case since the court proceedings had started before the implementation of the EU General Data Protection Regulation (“GDPR”).
On July 29, 2019, the UK Information Commissioner’s Office (“ICO”) announced the 10 projects that it has selected, out of 64 applicants, to participate in its sandbox. The sandbox, for which applications opened in April 2019, is designed to support organizations in developing innovative products and services with a clear public benefit. The ICO aims to assist the 10 organizations in ensuring that the risks associated with the projects’ use of personal data is mitigated. The selected participants cover a number of sectors, including travel, health, crime, housing and artificial intelligence.
On July 25, 2019, the French Data Protection Authority (the “CNIL”) published new template records of data processing activities pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”). This provision requires organizations subject to the GDPR to maintain internal records of data processing activities. The CNIL recalled that such records are a key accountability tool under the GDPR for identifying, understanding and controlling data processing activities. Setting up and maintaining these records provide businesses with the opportunity to ask the right questions and limit privacy risks under the GDPR. According to the CNIL, this is also a useful moment to set up a data protection compliance action plan.
The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). Although the Guidelines provide examples of data processing for video surveillance, these examples are not exhaustive. The Guidelines aim to provide guidance on how to apply the EU General Data Protection Regulation (“GDPR”) in all potential areas of video device use.
On July 16, 2019, the European Data Protection Board (the “EDPB”) published its Annual Report for 2018 (the “Report”). The Report highlights that the EDPB (1) endorsed 16 guidelines previously adopted by the Article 29 Working Party; (2) adopted four additional guidelines to clarify provisions of the GDPR; (3) adopted 26 consistency opinions to guarantee the consistent application of the EU General Data Protection Regulation (“GDPR”) by the EU data protection authorities; and (4) issued two opinions in the context of the legislative consultation process, as well as a statement on its own initiative and on the draft ePrivacy Regulation.
On July 18, 2019, the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and similar technologies (the “Guidelines”). As announced by the CNIL in its action plan on targeted advertising for 2019-2020, its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines therefore repeal the CNIL’s 2013 recommendations on cookies and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements.
On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).
The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).
While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.
On July 9, 2019, the European Data Protection Board (the “EDPB”) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment (the “Opinion”) at the request of the French and the Swedish data protection authorities (“DPAs”).
Background – The French and Swedish DPAs’ Initial Request
Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.
On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.
On July 4, 2019, the European Commission published a factsheet on artificial intelligence (“AI”) for Europe (the “Factsheet”). In the Factsheet, the European Commission underlines the importance of AI and its role in improving people’s lives and bringing major benefits to the society and economy. In addition, the Factsheet also describes the EU’s role in AI and the financial investments the Commission is planning to make in AI. The factsheet also includes some examples of projects conducted by the Commission in AI (including in agriculture, data and eHealth, public administration and services, and transport and manufacturing).
On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 (approximately $124 million) for infringements of the EU General Data Protection Regulation (“GDPR”). The ICO’s announcement followed Marriott’s notification of the proposed fine to the U.S. Securities and Exchange Commission (“SEC”).
On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.
On July 8, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it intends to fine British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., £183,390,000 (approximately $230,000,000) for violating the EU General Data Protection Regulation (“GDPR”). This is the first fine to be announced publicly by the ICO under the GDPR and hints at the tough stance it is likely to take with regard to future breaches.
On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.
The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).
The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.
To mark the GDPR’s one-year anniversary, the European Commission recently published the results of two surveys meant to illuminate the public’s awareness of the GDPR and its practical applications.
On June 20, 2019, the Senate confirmed Keith Krach as Under Secretary of State for Economic Growth, Energy, and Environment. The former DocuSign and Ariba CEO, nominated by President Trump in January of 2019, will function as the permanent ombudsperson for the EU-U.S. Privacy Shield agreement as part of his role, addressing complaints related to U.S. protection of EU data.
On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.
On June 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) launched a public consultation on direct marketing with a view to updating its Recommendation No. 02/2013 of January 30, 2013 on direct marketing (the “Direct Marketing Recommendation”).
On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) hosted a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers (“SCCs”). More than 30 privacy leaders joined together to discuss the challenges of the current SCCs and provide their insights on the updated versions. Hunton partner David Dumont led the discussion, while CIPL President Bojana Bellamy illuminated CIPL’s work in this area. The session also featured Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers.
On June 1, 2019, New Decree No. 2019-536 (the “Implementing Decree”) took force, enabling the French Data Protection Act, as amended by an Ordinance of December 12, 2018, likewise to enter into force. This marks the completion of the adaption of French law to the EU General Data Protection Regulation (“GDPR”) and the EU Police and Criminal Justice Directive (Directive (EU) 2016/680).
On May 30, 2019, the UK Information Commissioner’s Office (“ICO”) published its reflections on the year that has passed since the implementation of the EU General Data Protection Regulation (“GDPR”), together with a blog post by Elizabeth Denham, the UK Information Commissioner.
On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.
On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (the “White Paper”). In addition, CIPL submitted the White Paper along with a separate response to the European Commission’s questionnaire to prepare for the June 2019 stocktaking exercise on the application of the EU General Data Protection Regulation (“GDPR”).
On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) will host a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers. The seminar will feature Ms. Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers. Participants will:
On May 28, 2019, shortly after the appointment of the new Belgian commissioner and the Director of the Litigation Chamber, the Belgian Data Protection Authority (the “Belgian DPA”) imposed its first fine since the EU General Data Protection Regulation ( “GDPR”) came into effect. The Belgian DPA fined a Belgian mayor EUR 2,000 for abusive use of personal data obtained in the context of his mayoral functions for election campaign purposes.
On May 27, 2019, the Irish government announced that Helen Dixon, who currently serves as Irish Data Protection Commissioner, was appointed to a second five-year term in her position. Her reappointment was approved by a May 27 Cabinet vote.
On May 22, 2019, the European Data Protection Board (the “EDPB”) published on its website a summary of enforcement actions taken by the European Economic Area Supervisory Authorities (“EEA Supervisory Authorities”) one year after the entry into force of the General Data Protection Regulation (the “GDPR”). Reflecting on the growing numbers of data controllers designating a lead supervisory authority, the EDPB reported that of the 446 cross-border cases opened by EEA Supervisory Authorities, 205 of these cases have led to One-Stop-Shop procedures. The EDPB ...
At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.
The French Data Protection Authority (the “CNIL”) recently published its Annual Activity Report for 2018 (the “Report”) and released its annual inspection program for 2019.
On April 25, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published its Annual Activity Report for 2018 (the “Annual Report”), highlighting the main developments and accomplishments of the past year.
On April 15, 2019, the UK Information Commissioner’s Office (the “ICO”) issued for public consultation a draft code of practice, “Age Appropriate Design,” that will regulate the provision of online services likely to be accessed by children in the UK. Given the extraterritorial reach of the UK Data Protection Act 2018, organizations based outside of the UK may be subject to the code, which is expected to take effect by the end of 2019. The deadline for responding to the public consultation is May 31, 2019.
On April 15, 2019, the Greek Data Protection Authority (“DPA”) fined Hellenic Petroleum S.A. EUR 20,000 for unlawful processing of personal data and EUR 10,000 for failing to adopt appropriate data security measures.
On April 17, 2019, the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (the “Dutch DPA”) issued six recommendations (in Dutch) for companies, to be taken into account when drafting privacy policies for the purpose of Article 24.2 of the EU General Data Protection Regulation (the “GDPR”). Article 24.2 of the GDPR provides the obligation for data controllers to implement privacy policies for accountability purposes, under certain criteria. The published recommendations follow the Dutch DPA’s investigation of companies’ privacy policies. The investigation focused on companies that process sensitive personal data, including health data and data related to individuals’ political beliefs. Alongside the recommendations, the Dutch DPA released a report (in Dutch) summarizing the investigation’s results.
On October 22, 2018, the UK Court of Appeal upheld the High Court’s decision that VM Morrison Supermarkets PLC (“Morrisons”) was vicariously liable for a data breach caused by a disgruntled former employee, despite Morrisons being cleared of any wrongdoing (VM Morrison Supermarkets PLC v Various Claimants). The case is important, given its potential “floodgate” effect on data breach class action claims in the UK. The Supreme Court has granted Morrisons permission to appeal the judgment on all grounds.
On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code