Privacy & Information Security Law Blog

On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).

On October 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Statutory Guidance (the “Guidance”). The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.

The increasing development and use of AI technology is raising several compliance questions, particularly in the context of the EU General Data Protection Regulation (“GDPR”). The European Commission has already begun working on future AI legislation. Join us on October 14, 2020, for a webinar on Artificial Intelligence: Key Considerations for GDPR Compliance Today and Tomorrow.

On September 30, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released its 2019 Annual Report (the “Report”). Notably, 2019 was the year of the Belgian DPA’s first fines under the EU General Data Protection Regulation (the “GDPR”) and the release of the Belgian DPA’s 2019-2025 Strategic Plan.

On October 1, 2020, the Hamburg Data Protection Authority (“DPA”) fined Hennes & Mauritz AB (“H&M”) € 35.3 million for unlawful employee monitoring practices in the company’s service center concerning several hundred employees. According to the DPA’s press release, H&M was maintaining excessive details about employees’ private lives since 2014. This includes notes taken by managers regarding (1) employees’ vacation experiences, illnesses, diagnoses and symptoms as discussed with managers during welcome-back talks after employees’ vacation or sick leave, and (2) information ranging from employees’ family problems to religious beliefs obtained by managers during floor talks. The information was stored digitally and could be read by up to 50 managers throughout the company. According to the DPA, the managers’ notes were sometimes made with a high level of detail and maintained over great periods of time. The press release states that the information was used to evaluate the performance of employees, create employee profiles and make other employment-related decisions.

On October 1, 2020, the French Data Protection Authority (the “CNIL”) published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a set of questions and answers on the Recommendations (“FAQs”).

On September 30, 2020, Anthem, Inc. (“Anthem”) entered into an assurance of voluntary compliance (the “Agreement”) with the attorneys general of 42 states and the District of Columbia to settle claims under state and federal law relating to Anthem’s 2015 data breach (the “Breach”).

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory alerting companies of potential sanctions risks related to facilitating ransomware payments.  The five-page advisory states that ransomware victims who pay ransom amounts, and third-party companies that negotiate or pay ransom on their behalf, “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

On September 25, 2020, the District Court of New Mexico granted Google’s motion to dismiss a lawsuit filed on February 20, 2020, by New Mexico Attorney General Hector Balderas alleging, among other claims, that the company violated the federal Children’s Online Privacy Protection Act (“COPPA” or the “Act”) by using G Suite for Education to “spy on New Mexico students’ online activities for its own commercial purposes, without notice to parents and without attempting to obtain parental consent.”

On September 24, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper (the “Paper”) on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision.