Privacy & Information Security Law Blog

On August 11, 2020, the Court of Appeal of England and Wales overturned the High Court’s dismissal of a challenge to South Wales Police’s use of Automated Facial Recognition technology (“AFR”), finding that its use was unlawful and violated human rights.

On August 5, 2020, the French Data Protection Authority (the “CNIL”) announced that it has levied a fine of €250,000 on French online shoe retailer, Spartoo, for various infringements of the EU General Data Protection Regulation (“GDPR”). This is the first penalty under the GDPR enforced by the CNIL as the lead supervisory authority (“Lead SA”) in cooperation with other EU supervisory authorities (“SAs”).

On August 10, 2020, European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross released a joint press statement (the “Statement”) following the ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On July 13, 2020, a Committee of Experts within India’s Ministry of Electronics and Information Technology (“the Committee”) published the first draft of a Non-Personal Data Governance Framework for India for public consultation.

On August 4, 2020, Senators Jeff Merkley (OR) and Bernie Sanders (VT) introduced the National Biometric Information Privacy Act of 2020 (the “bill”). The bill would require companies to obtain individuals’ consent before collecting biometric data. Specifically, the bill would prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints and fingerprints—without individuals’ written consent, and from profiting off of biometric data. The bill provides individuals and state attorneys general the ability to institute legal proceedings against entities for alleged violations of the act.

On July 30, 2020, the Council of the European Union (the “Council”) imposed for the first time restrictive measures against six individuals and three entities responsible for or involved in various cyber attacks, including the “WannaCry,” “NotPetya” and “Operation Cloud Hopper” attacks and the attack against the Organization for the Prohibition of Chemical Weapons. Sanctions imposed by the Council include a travel ban, an asset freeze and a prohibition against making funds available to the sanctioned EU individuals and entities.

On July 30, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €20,000 fine on Belgian telecommunications provider Proximus N.V. (“Proximus”) for several data protection infringements related to Proximus’ public directory. In particular, the claimant requested that Proximus remove his contact details from the public directory and inform other publishers of public directories not to publish his personal data. Despite informing the claimant that it was going to proceed accordingly, Proximus still published his personal data in its public directory and shared it with other publishers of public directories.

The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.

On July 27, 2020, the Enforcement Bureau of the Federal Communications Commission (the “FCC”) designated the Industry Traceback Group (“ITG”) as the FCC’s official consortium for coordinating efforts to trace illegal robocalls. The ITG is a collaboration of wireline, wireless, VoIP and cable industry companies, led by USTelecom, with the mission of tracing and identifying the source of illegal robocalls. According to the ITG, it conducted more than 1,000 trace-back operations in 2019 and unmasked the source of more than 10 million robocalls.

On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement reiterating the requirement for additional safeguards when organizations rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) for the transfer of personal data to third countries in the wake of the Court of Justice of the European Union’s (the “CJEU”) invalidation of the Privacy Shield Framework. In its July 16, 2020 judgment, the CJEU concluded that SCCs issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, subject to the need to assess whether additional safeguards are required depending on the recipient jurisdiction. In this same decision, the CJEU struck down the EU-U.S. Privacy Shield Framework.