Privacy & Information Security Law Blog

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the processing of personal data in the context of reopening borders following the COVID-19 outbreak (the “Statement”).

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the data protection impact of the interoperability of contact tracing apps within the EU (the “Statement”). The EDPB issued this Statement following the publication of “Interoperability guidelines for approved contact tracing mobile applications in the EU” by the eHealth Network on May 13, 2020. In its guidelines, the eHealth Network calls for an interoperable framework in the EU that would enable users to rely on a single contact tracing application regardless of the Member State or region in which they reside.

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). This Law was created to establish an urgent legal framework for the private sector in the context of the COVID-19 crisis. Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”).

On May 29, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the European Commission’s Consultation on a European Strategy for Data (the “Strategy”).

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

On June 5, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published guidance on its website (the “Guidance”) regarding temperature checks during the COVID-19 crisis. The Guidance aims to provide advice to organizations looking to control access to their premises by restricting individuals with fevers in order to prevent further spread of the virus.

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

The Global Privacy Assembly (“GPA”), a forum for data protection and privacy authorities, has established a COVID-19 Taskforce (“the Taskforce”) to advise on best practices, provide insight and drive practical responses regarding privacy issues raised by the pandemic. It aims to provide a balance between enabling governmental responses to the crisis and protecting individuals’ privacy.

On May 25 and May 26, 2020 respectively, the Belgian Data Protection Authority (the “Belgian DPA”) published two opinions on draft laws introducing COVID-19-related tracking initiatives: (1) the Opinion 42/2020 on the draft law for the creation of a database by Sciensano, a public health institution (“Opinion 42/2020”), and (2) the Opinion 43/2020 on the draft law for the use of contact tracing apps to fight the spread of COVID-19 (“Opinion 43/2020”).

The implementation of Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) has been delayed until May 31, 2021.

On May 19, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) announced that the Litigation Chamber had imposed a €50,000 fine on a social media provider for unlawful processing of personal data in connection with the “invite-a-friend” function offered on its platform.

We previously posted about the Tapplock, Inc. (“Tapplock”) settlement with the Federal Trade Commission (“FTC”) over allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. Earlier this month, the FTC voted 5-0 to approve the settlement.

On the second anniversary of the EU General Data Protection Regulation (the “GDPR”), the Belgian Data Protection Authority (the “Belgian DPA”) published a Statement with some key GDPR-related numbers (the “Statement”).

On May 18, 2020, the European Data Protection Board (“EDPB”) released its Annual Report (the “Report”) providing details of the EDPB’s work in 2019. This included publication of guidelines, binding decisions and general guidance on the interpretation of EU data protection law.

The Court of Justice of the European Union (“CJEU”) has announced via its Twitter feed that it will deliver its judgement in the Schrems II case (case C-311/18) on July 16, 2020. This judgement will determine the validity of the Standard Contractual Clauses (“SCCs” or Model Clauses) as a transfer mechanism under the General Data Protection Regulation (“GDPR”). SCCs are relied on by many global companies, including Facebook and Microsoft, for international transfers of EU personal data.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill, 2020 (the “Bill”) and launched a public consultation regarding the same. The public consultation period will end on May 15, 2020. The Bill, which applies to “any person who processes” or “has control over or authorizes the processing of” any personal data, if the data subject, the controller or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. In addition, under the Bill, the federal government would, within six months of coming into force, establish a Personal Data Protection Authority of Pakistan with rulemaking authority to enforce the act.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently imposed a €750,000 fine on a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes.

On May 7, 2020, the French Data Protection Authority (the “CNIL”) updated its previous guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak, in particular, in the context of lifting containment measures (the “Updated Guidance”). Some employers may consider implementing systematic body temperature checks at the entrance to their premises. Similarly, employers may wish to assess employees’ exposure to the virus or their health statuses when they return to work. The Updated Guidance analyzes some of these practices and outlines the principles applicable to data processing activities.

Join us on May 19, 2020, for an in-depth webinar on the Key Privacy Considerations for Reopening Businesses in the EU. Our featured speakers, Hunton Brussels lawyers Claire François and Laura Léonard, will highlight key data protection issues that arise in connection with the measures employers may take to limit or prevent the spread of COVID-19, including:

• The types of health information that may be collected from employees and visitors;
• Measures to consider when processing that information; and
• Whether and how to conduct temperature checks.

Update: View the recording of this ...

On May 6, 2020, the European Data Protection Board (the “EDPB”) published its Guidelines 05/2020 (the “EDPB Guidelines”) on consent under the EU General Data Protection Regulation (the “GDPR”). The EDPB Guidelines are a slightly updated version of the Article 29 Working Party’s Guidelines on consent under the GDPR (the WP29 Guidelines), which were adopted in April 2018 and endorsed by the EDPB in its first Plenary meeting.

On April 28, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €50,000 fine on a company for non-compliance with the requirements under the General Data Protection Regulation (“GDPR”) related to the appointment of a data protection officer (“DPO”).

On April 28, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Commission’s consultation on its roadmap for the two-year evaluation of the EU General Data Protection Regulation (“GDPR”) (the “Response”).

On April 30, 2020, the French Data Protection Authority (the “CNIL”) published guidance on the extraction of web users’ personal data from online public spaces by web scraping tools and re-use of such data for direct marketing (the “Guidance”). The Guidance was issued following inspections carried out by the CNIL in 2019.

On April 25, 2020, the Philippines National Privacy Commission (“NPC”) issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the “Statement”).

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

The Cyberspace Administration of China (“CAC”), together with 11 other authorities, has jointly issued the Measures for Cybersecurity Review (the “Measures”), which will take effect on June 1, 2020, and the currently-effective Measures for Examining the Security of Network Products and Services will be repealed simultaneously.

On April 16, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”), published a White Paper (the “White Paper”) on the Role of the Brazilian Data Protection Authority (“ANPD”) under Brazil’s New Data Protection Law (“LGPD”). The White Paper is accompanied by two infographics: 1) the priorities of the Agência Nacional de Proteção de Dados, and 2) the case for an effective Brazil DPA - the ANPD.

As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There also are key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.

On April 21, 2020, the European Data Protection Board (“EDPB”) adopted Guidelines on the processing of health data for scientific purposes in the context of the COVID-19 pandemic. The aim of the Guidelines is to provide clarity on the most urgent matters relating to health data, such as legal basis for processing, the implementation of adequate safeguards and the exercise of data subject rights.

On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).

Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles.

On April 15, 2020, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data for core Human Resources (“HR”) management purposes. That Referential was adopted following a public consultation launched by the CNIL on April 11, 2019. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding HR data processing activities.

On April 14, 2020, the European Data Protection Board (“EDPB”) adopted a letter concerning the European Commission's (the “Commission”) draft Guidance on apps supporting the fight against the COVID-19 pandemic. This letter was written to the Commission following the Commission’s adoption of a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the pandemic on April 8, 2020.

On April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Importantly, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.

On April 9, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released guidance and a set of frequently asked questions (“FAQs”) regarding the use of cookies and other tracking technologies.

On April 14, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published an article entitled “COVID-19 Meets Privacy: A Case Study for Accountability” (the “Article”).

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

On March 12, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Office of the Privacy Commissioner of Canada (“OPC”) in response to its proposals for ensuring appropriate regulation of artificial intelligence (“AI”).

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

On March 9, 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system. The Philippines becomes the ninth APEC economy to join the CBPR system, joining the United States, Mexico, Canada, Japan, South Korea, Singapore, Chinese Taipei and Australia.

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).

The International Trade Administration at the U.S. Department of Commerce recently announced that NCC Group has been approved as a U.S. Accountability Agent under the APEC Cross-Border Privacy Rules (“CBPR”) system. NCC Group joins TrustArc and Schellman as the third U.S. Accountability Agent under the CBPR and the sixth Accountability Agent approved under the system overall. NCC Group will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR system and under the APEC Privacy Recognition for Processors (“PRP”), a corollary system to the CBPR specifically for processors.
On March 19, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a Q&A on the APEC CBPR and PRP systems. The Q&A is designed to explain the workings of both systems, who is currently participating in them and how interested companies can certify.

On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).

To help facilitate data sharing in light of the COVID-19 pandemic, the Global Privacy Assembly has begun compiling the latest guidance from data protection authorities around the world on data protection and data sharing. As of this blog post, the list contains guidance from 26 countries and territories across the globe as well the European Data Protection Board and the United Nations Special Rapporteurs. The list will be updated as additional guidance is provided.

On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.

The UK Information Commissioner’s Office (“ICO”) has published guidance regarding its expectations for controllers and health professionals during the COVID-19 outbreak.

In its guidance for controllers, the ICO adopted a pragmatic stance, stating: “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”

The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.

On March 19, 2020, the Irish Data Protection Authority (the “DPC”) published guidance to assist organizations in understanding their data security obligations and to mitigate their risks of a personal data breach when using cloud-based services (the “Guidance”).

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

Hunton’s Centre for Information Policy Leadership (“CIPL”) reports on the top privacy-related priorities for this year:

1.  Global Convergence and Interoperability between Privacy Regimes

Around the world, new privacy laws are coming into force and outdated laws continue to be updated: the EU General Data Protection Regulation (“GDPR”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), Thailand’s Personal Data Protection Act, India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (“CCPA”), and the various efforts in the rest of the United States at the federal and state levels. This proliferation of privacy laws is bound to continue.

On March 12, 2020, the French Data Protection Authority (the “CNIL”) released its annual inspection strategy for 2020. The CNIL carries out approximately 300 inspections every year. These inspections are initiated (1) following complaints lodged with the CNIL; (2) in light of current topics in the news; (3) after the CNIL has adopted corrective measures (e.g., formal notices, sanctions) in order to verify whether the organization in question adopted the measures or remedied the situation; and (4) as part of the CNIL’s annual inspection strategy.

On March 12, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with Hunton Andrews Kurth LLP, published its legal note, “Artificial Intelligence and Data Protection: How the GDPR Regulates AI.”

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On March 4, 2020, the UK Information Commissioner’s Office (“ICO”) fined the international airline Cathay Pacific Airways Limited (“Cathay Pacific”) £500,000 for failing to protect the security of its customers’ personal data. The fine was issued under the Data Protection Act 1998 (the “DPA”) and represents the maximum fine available. The ICO found that between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Of the approximately 9.4 million customers affected worldwide, 111,578 were from the UK.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

On March 5, 2020 the Cybersecurity Law Report will host a webinar with panelists, Hunton Andrews Kurth LLP partner Bridget Treacy and Refinitiv’s chief privacy officer Vivienne Artz, on the General Data Protection Regulation’s (“GDPR”) territorial scope entitled, “Gauging GDPR’s Global Reach.” This webinar will explore the global effect of the GDPR in both the digital and geographic arenas.

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

Update: We are monitoring the COVID-19 situation and, like many of you, re-assessing our in-person gatherings and events over the next few months. As an immediate step, we have decided to postpone our London Breakfast Meeting and will circulate details of a webinar on this topic shortly. We thank you for your understanding.

On March 17, 2020, Hunton Andrews Kurth LLP will host a breakfast briefing in our London office, with guest speakers from Deloitte’s Cyber Breach Support team, to explore UK and EU cyber enforcement trends and discuss the current cybersecurity threat environment. In the face of record-breaking fines handed out by the regulators, securing networks, hardening systems, and protecting data from cyber attacks is becoming ever more critical. Understanding common cyber threats, including the attack vectors, how they work, and how they can be detected, is key to working with IT security colleagues to protect an organization from cyber attacks and respond to incidents.

On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

On February 19, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft AI auditing framework guidance for organizations (“Guidance”). The Guidance is open for consultation until April 1, 2020 and responses can be submitted via the ICO’s online survey.

On February 19, 2020, the European Commission (“the Commission”) published a White Paper entitled “a European Approach to Excellence and Trust” on artificial intelligence (“AI”). This followed an announcement in November 2019, from the Commission’s current President, Ursula von der Leyen, that she intended to propose rules to regulate AI within the first 100 days of her Presidency, which commenced on December 1, 2019. This White Paper was published alongside the Commission’s data and digital strategies for Europe.

On February 19, 2020, the European Commission (the “Commission”) released a suite of documents including its White Paper on Artificial Intelligence (“AI”), entitled “a European approach to excellence and trust.” In addition, the Commission published two communications—its European strategy for data and a Digital Strategy document entitled “Shaping Europe’s Digital Future.”

On February 9, 2020, amidst the ongoing coronavirus outbreak ("2019-nCoV”) in China, in order to protect personal information collected during the fight against coronavirus, such as the personal data of diagnosed patients, suspected patients and individuals who have been in close contact with diagnosed patients, the Cyberspace Administration of China released a Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control (the “Circular”) to emphasize the protection of relevant personal data.

On January 30, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Department of Telecommunications at the Brazilian Ministry of Science, Technology, Innovations and Communications (“MCTIC”) on its public consultation on creating a national Artificial Intelligence (“AI”) strategy for Brazil (the “Consultation”).

On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

On January 16, 2020, the Senate approved the United States-Mexico-Canada Agreement (“USMCA”), sending it to the President’s desk for ratification. Mexico ratified the Agreement in June 2019, and Canada is expected to follow suit later this month. To coincide with its ratification, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a white paper entitled What Does the USMCA Mean for a U.S. Federal Privacy Law?

On January 16, 2020, the Federal Trade Commission announced that settlements with five companies of separate allegations that they had falsely claimed certification under the EU-U.S. Privacy Shield framework had been finalized.

2019 was the “Year of the CCPA” as companies around the world worked tirelessly to comply with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA aims to provide data privacy rights for California residents and imposes significant new requirements on covered businesses.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

According to MLex, on January 6, 2020, the Seoul Eastern District Court found Kim Jin-Hwan, a privacy officer of the South Korean travel agency Hana Tour Service Inc., guilty of negligence in failing to prevent a 2017 data breach that affected over 465,000 customers of the agency and 29,000 Hana Tour employees.

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy. Specifically, the Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

• data portability;
• the ability to withdraw, remove and erase basic personal data from a platform;
• the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
• the ability to review and challenge the amount of personal data that a company or government has collected;
• proactive data security requirements;
• the ability to be informed when personal data is breached with appropriate compensation; and,
• the ability to be free from online discrimination including bias and harassment.

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On December 10, 2019, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data in the context of whistleblowing hotlines. The Referential on whistleblowing hotlines was adopted following a public consultation launched by the CNIL on April 11, 2019. It replaces the CNIL’s Single Authorization AU-004 decision regarding such data processing, and anticipates certain changes introduced by the EU Directive on the protection of whistleblowers (Directive (EU) 2019/1937 of October 23, 2019), which EU Member States will have to implement into their national laws by December 17, 2021. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding the operation of a whistleblowing hotline.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

On November 26, 2019, the French Data Protection Authority (the “CNIL”) announced that it had levied a fine of €500,000 on Futura Internationale, a French SME specializing in thermal insulation of private buildings, for various infringements of the EU General Data Protection Regulation (“GDPR”). The infringements related to the company’s direct marketing voice-to-voice calls include failure to (1) comply with the individuals’ objection to the processing of their personal data for direct marketing; (2) process only relevant personal data (by recording excessive comments in the CRM software); (3) provide sufficient notice regarding the recording of phone calls and data processing;  (4) cooperate with the CNIL; and (5) implement appropriate data transfer mechanisms for the data transfers to non-EU call center providers.

As reported by Russian law firm Alrud, on November 21, 2019, the Russian State Duma passed a bill (the “Bill”) that would increase the minimum fines that may be imposed for violations of Russia’s data protection laws. The Bill would allow for maximum administrative fines of 18 million RUB (approximately $282,000 USD) for violations of Russia’s data localization requirement, which requires entities processing personal data of Russian citizens to process that data in databases located within the territory of Russia. This represents a significant departure from the maximum administrative fines that may be imposed for other data protection violations in Russia as it is significantly higher than other potential penalties.

At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.

On November 26, 2019, the European Data Protection Supervisor’s office (“EDPS”) and the European Parliament announced that Wojciech Wiewiórowski, currently Assistant Supervisor and acting replacement for the European Data Protection Supervisor Giovanni Buttarelli, will officially be the new European Data Protection Supervisor for the new term of office. The Committee of the Permanent Representatives of the Governments of Member States to the European Union (“COREPER”) and the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (“LIBE”) confirmed Wojciech Wiewiórowski for a 5-year mandate as European Data Protection Supervisor. In the following days, the European Parliament and Council of the European Union will proceed to formally appoint Wojciech Wiewiórowski as the new European Data Protection Supervisor. Wojciech Wiewiórowski has served as Assistant Supervisor since December 2014. Earlier in his career, Wojciech Wiewiórowski was the Inspector General for the Protection of Personal Data at the Polish Data Protection Authority.

On November 13, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 4/2019 (the “Guidelines”) on the obligation of Data Protection by Design and by Default (“DPbDD”) set out under Article 25 of the EU General Data Protection Regulation (“GDPR”).

On November 19, 2019, the Federal Trade Commission announced that Medable, Inc. (“Medable”) agreed to settle allegations that the company had misrepresented its participation in the EU-U.S. Privacy Shield program. The FTC alleged that, from December 2017 to October 2018, Medable falsely claimed in its online privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the framework’s principles. According to the complaint, although Medable did initiate an application with the Department of Commerce in December 2017, the company never completed the steps necessary to participate in the framework.

On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.

On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology - Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.