Privacy & Information Security Law Blog

On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

On February 8, 2021, Pinellas County, Florida officials announced that a hacker had remotely gained access to the City of Oldsmar's water treatment system on two separate occasions and was able to change the setting for sodium hydroxide in the water supply. The incident highlights the danger to local government information systems and the dangers of remote access vulnerabilities.

On February 5, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the European Commission’s (the “Commission’s”) public consultation on the Commission’s Proposal for a Regulation on European Data Governance (the “Data Governance Act,” or “DGA”). This proposal is the first set of initiatives announced under the broader European Data Strategy.

On February 10, 2021, representatives of the EU Member States reached an agreement on the Council of the European Union’s (the “Council’s”) negotiating mandate for the draft ePrivacy Regulation, which will replace the current ePrivacy Directive. The text approved by the EU Member States was prepared under Portugal’s Presidency and will form the basis of the Council’s negotiations with the European Parliament on the final terms of the ePrivacy Regulation.

On January 28, 2021, international Data Privacy Day, the newly formed Brazilian data protection authority (Agência Nacional de Proteção de Dados, the “ANPD”) published its regulatory strategy for 2021-2023 and work plan for 2021-2022 (in Portuguese).

On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.

This is an extraordinary and unprecedented time for the retail industry. Hunton Andrews Kurth’s 2020 Retail Industry Year in Review provides an in-depth analysis of the issues and challenges that retailers faced in the past year, and a look ahead at what they can expect in 2021. The Year in Review includes several articles authored by our privacy and cybersecurity lawyers, including on topics such as the cashier-less technology revolution, the California Privacy Rights Act of 2020 and “buy now, pay later” plans.

Read the full publication.

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.