Privacy & Information Security Law Blog

On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.

On May 6, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers submitting new apps and app updates to the Google Play store will be required to disclose certain information regarding their apps’ data collection, use, sharing and security practices, as well as provide a privacy policy for their apps. This information will be displayed in a new “safety section” of Google Play.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.

On April 23, 2021, the National Information Security Standardization Technical Committee of China published a draft standard (in Chinese) on Security Requirements of Facial Recognition Data (the “Standard”). The Standard, which is non-mandatory, details requirements for collecting, processing, sharing and transferring data used for facial recognition.

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.

On April 23, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on virtual voice assistants (the “Guidelines”). The Guidelines were adopted on March 12, 2021 for public consultation.

As reported on the Hunton Retail Law Blog, on April 26, 2021, the U.S. Court of Appeals for the Second Circuit affirmed the dismissal on Article III standing grounds of a data breach class action predicated on an alleged increased risk of identity theft. McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021). Notably, the district court that dismissed the action raised the issue of standing sua sponte in advance of a scheduled class settlement fairness hearing.

On April 22, 2021, the Belgian Constitutional Court annulled (in French) the framework set forth by the Law of 29 May 2016 (the “Law”) requiring telecommunications providers to retain electronic communications data in bulk.

Building upon its April 2020 business guidance on Artificial Intelligence and algorithms, on April 19, 2021, the FTC published new guidance focused on how businesses can promote truth, fairness and equity in their use of AI.