Privacy & Information Security Law Blog

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

On May 31, 2019, the Asia-Pacific Economic Cooperation (“APEC”) endorsed Schellman & Company as the second U.S. “Accountability Agent” overseeing the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. Along with TrustArc, Schellman & Company will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR and PRP systems.

On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) hosted a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers (“SCCs”). More than 30 privacy leaders joined together to discuss the challenges of the current SCCs and provide their insights on the updated versions. Hunton partner David Dumont led the discussion, while CIPL President Bojana Bellamy illuminated CIPL’s work in this area. The session also featured Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers.

On June 1, 2019, New Decree No. 2019-536 (the “Implementing Decree”) took force, enabling the French Data Protection Act, as amended by an Ordinance of December 12, 2018, likewise to enter into force. This marks the completion of the adaption of French law to the EU General Data Protection Regulation (“GDPR”) and the EU Police and Criminal Justice Directive (Directive (EU) 2016/680).

On May 30, 2019, the UK Information Commissioner’s Office (“ICO”) published its reflections on the year that has passed since the implementation of the EU General Data Protection Regulation (“GDPR”), together with a blog post by Elizabeth Denham, the UK Information Commissioner.

On May 31, 2019, the Cyberspace Administration of China (the “CAC”) published Draft Regulations on Network Protection of Minor’s Personal Information (the “Draft Regulations”), timing the release to coincide with International Children’s Day. The Draft Regulations, based on the existing Cybersecurity Law of China (the “Cybersecurity Law”), is more protective of minors’ information than the Information Security Technology — Personal Information Security Specification (GB/T 35273 – 2017) (the “Specification”) and its draft amendment, which also address some limited provisions on network operators’ use and treatment of minors’ information.

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (the “ICO”) public consultation on its draft code of practice for age appropriate design for online services (the “Code”).

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.