Privacy & Information Security Law Blog

On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.

On July 8, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it intends to fine British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., £183,390,000 (approximately $230,000,000) for violating the EU General Data Protection Regulation (“GDPR”). This is the first fine to be announced publicly by the ICO under the GDPR and hints at the tough stance it is likely to take with regard to future breaches.

On June 14, 2019, the United States Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of Facebook, holding that the company did not violate the Illinois Biometric Information Privacy Act (“BIPA”) (740 ICLS ¶¶ 15, 20).

On July 2, 2019, the Federal Trade Commission announced a case involving the operator of an online rewards website who allegedly failed to take reasonable steps to secure consumers’ personal data.

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) issued its draft SP 800-171B guidelines (the “draft”), which outlines enhanced measures to protect controlled unclassified information (“CUI”) held by government contractors.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.

Today marks one year since the California Consumer Privacy Act of 2018 (“CCPA”) was passed and signed into law. The CCPA signals a dramatic shift in the data privacy regime in the United States, imposing on covered businesses the most prescriptive general privacy rules in the nation. In addition, the past year has seen a legislative explosion in the form of similar proposed state laws and potential federal data privacy legislation.

Given the value of personal information as a significant corporate asset, companies seeking to acquire or merge with another business should focus carefully on the data they will obtain as a result of the transaction. In addition, as cybersecurity attacks continue unabated, companies must carefully evaluate how personal information maintained by a potential target is protected. In a recent article published by Bloomberg Law, Hunton Andrews Kurth partner Lisa J. Sotto and counsel Ryan P. Logan discuss how legal frameworks involving U.S. federal and state law, the EU General Data Protection Regulation, antitrust law and other relevant legal regimes may affect how a company can use personal information following a transaction. The article also addresses key questions companies should ask during the due diligence process, how answers to those questions impact the deal documents and offers post-closing strategies companies should consider.