Privacy & Information Security Law Blog

On October 21, 2020, the UK Information Commissioner’s Office (“ICO”) released its updated guidance on the data subject right of access under Article 15 of the EU General Data Protection Regulation (“GDPR”). The ICO provided a draft of the guidance for consultation in December 2019, and in response to the feedback it received, supplemented the guidance with additional content. The guidance provides more in-depth advice for organizations than what was provided in the ICO’s previous guide and includes examples designed to demonstrate how the GDPR’s requirements will apply in practice.

On October 22, 2020, the Consumer Financial Protection Bureau (“CFPB”) issued a notice of proposed rulemaking (the “Proposed Rule”) to implement Section 1033 of the Dodd-Frank Act (the “Act”) regarding consumers’ access to their financial information.

On November 5, 2020, Hunton Andrews Kurth will host a panel discussion with representatives from the UK Information Commissioner's Office (“ICO”) and the French Data Protection Authority (“CNIL”) to explore the latest developments on cookie guidance and compare their respective approaches. In our webinar titled “From a Regulator’s Perspective: Latest Developments on Cookie Guidance from the ICO and CNIL,” our speakers will discuss practical cookie law issues, including:

On October 13, 2020, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of France’s centralized health data platform, Health Data Hub (the “HDH”), currently hosted by Microsoft. However, the Conseil d’État recognized that there is a risk of U.S. intelligence services requesting the data and called for additional guarantees under the control of the French data protection authority (the “CNIL”).

On October 15, 2020, Brazil’s President Bolsonaro officially nominated the five Directors of the new Brazilian data protection authority (Agência Nacional de Proteção de Dados, “ANPD”), as published in the Brazilia Official Journal. The Decree establishing the ANPD, on which we reported earlier, is now fully in effect. All five nominations, however, must still be approved by the Brazilian Senate, which means there are further steps before the ANPD is fully established and operational.

On October 16, 2020, the UK Information Commissioner’s Office (“ICO”) announced its fine of £20,000,000 (approximately $25,850,000) for British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A, for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant (approximately 90%) decrease from the proposed fine of £183,390,000 (approximately $230,000,000) announced by the ICO in July 2019, but is the largest fine imposed to date by the ICO.

During its 39th plenary session on October 8, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on relevant and reasoned objection under the General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (“LSA”) has a duty to cooperate with other concerned supervisory authorities (“CSAs”) in order to reach a consensus.

On October 12, 2020, the California Attorney General (“AG”) issued a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). As we previously reported, the long-awaited CCPA regulations were approved by the California Office of Administrative law and became effective on August 14, 2020. This new set of proposed modifications would revise portions of the regulations relating to the notice of right to opt-out, methods for submitting opt-out of sale requests, and verification of authorized agents ...

On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).

On October 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Statutory Guidance (the “Guidance”). The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.