Privacy & Information Security Law Blog

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.

As of early April, hundreds of millions of workers around the world have been affected by “stay-at-home” or “station-in-place” orders issued by governments in response to the COVID-19 pandemic. To cope, transaction processors are shifting work out of their high-security delivery centers and into the spare bedrooms and home offices of their personnel. That shift creates security challenges that have chief information security officers’ (“CISOs’”) heads spinning. Specifically, special challenges are created when work-from-home (“WFH”) orders affect payment cardholder data that is subject to the Payment Card Industry’s Data Security Standard (“PCI DSS”).

Join us on April 20, 2020, for an in-depth webinar on Business Continuity and COVID-19 from a GDPR Perspective. Our featured speakers, Hunton Brussels lawyers David Dumont and Anna Pateraki, will discuss key considerations with respect to ensuring business continuity and management of your GDPR compliance program amidst the COVID-19 pandemic.

On April 9, 2020, the Federal Trade Commission (“FTC”) issued guidance under the Children’s Online Privacy Protection Act (“COPPA”) for operators of educational technology (“EdTech”) used both in school settings and for virtual learning. The FTC’s guidance stresses that, while COPPA generally requires companies that collect personal information online from children under age 13 to provide notice of their data collection and use practices, and obtain verifiable parental consent, in the educational context and under certain conditions, schools can consent on behalf of parents to the collection of student personal information.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

Listen as Phyllis H. Marcus, partner at Hunton Andrews Kurth and Co-Chair of the ABA Antitrust Law Section’s Privacy and Information Security Committee, speaks about the privacy concerns over using smart devices on the ABA’s Our Curious Amalgam podcast, Is Your Assistant Spying on You? Understanding the Privacy Law Issues Involving In-Home Assistants.

On April 2, 2020, the French Data Protection Authority (the “CNIL”) published a press release highlighting the importance of the ISO/IEC 27701 standard for the protection of personal data. The CNIL reminds that this is an international standard that defines the management system and security measures that need to be implemented for the processing of personal data (“personally identifiable information” under the ISO/IEC 27701 standard), by extending the requirements of two well-known information security standards.