Privacy & Information Security Law Blog

On November 24, 2020, a multistate coalition of Attorneys General announced that The Home Depot, Inc. (“Home Depot”) agreed to pay $17.5 million and implement a series of data security practices in response to a data breach the company experienced in 2014. The $17.5 million payment will be divided among the 46 participating states and the District of Colombia. We previously reported on a settlement Home Depot reached in 2017 to resolve a putative class action brought by financial institutions impacted by the 2014 data breach.

On December 3, 2020, Hunton Andrews Kurth will host a webinar on Machine Learning Hot Topics: Negotiating Global Data Protection and IP Terms. Join our Hunton speakers, Brittany Bacon, Tyler Maddry and Anna Pateraki, as they discuss key data protection and intellectual property considerations when drafting and negotiating global agreements involving machine learning (“ML”) services and engaging in new ML practices.

On November 17, 2020, the Senate passed by unanimous consent H.R. 1668, the Internet of Things (“IoT”) Cybersecurity Improvement Act (the “IoT Bill”). The House previously passed the IoT Bill in September after negotiations with the Senate to resolve differences in their respective bills. The IoT Bill now heads to the President’s desk for signature.

On November 18, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the Draft Personal Information Protection Law (“PIPL”).

On November 12, 2020, Chief Judge Nancy J. Rosenstengel of the U.S. District Court for the Southern District of Illinois rejected Apple Inc.’s (“Apple’s”) motion to dismiss a class action alleging its facial recognition software violates Illinois’ Biometric Information Privacy Act (“BIPA”). Judge Rosenstengel agreed with Apple, however, that the federal court lacks subject matter jurisdiction over portions of the complaint.

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

On November 13, 2020, the UK Information Commissioner’s Office (“ICO”) fined Ticketmaster UK Limited (“Ticketmaster”) £1.25 million for failing to keep its customers’ personal data secure. The ICO found that Ticketmaster had failed to implement appropriate security measures to prevent a cyber attack, breaching the requirements of Articles 5(1)(f) and 32 of the EU General Data Protection Regulation (“GDPR”). The ICO acted as the lead supervisory authority with regard to the cross-border processing affected by this breach, and the penalty has been approved by the other EU data protection authorities through the GDPR’s cooperation process. Ticketmaster has indicated that it will appeal the fine.

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”), along with its draft set of new standard contractual clauses (the “SCCs”).

On November 11, 2020, the European Data Protection Board (the “EDPB”) published its long-awaited recommendations following the Schrems II judgement regarding supplementary measures in the context of international transfer safeguards such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”). In addition, the EDPB published recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the Recommendations. The Recommendations are subject to a public consultation, which closes on December 21, 2020.

On November 9, 2020, the Federal Trade Commission announced it had entered into an consent agreement (the “Proposed Settlement”) with Zoom Video Communications, Inc. (“Zoom”) to settle allegations that the video conferencing provider engaged in a series of unfair and deceptive practices that undermined the security of its user base, which, according to the FTC, has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.