Privacy & Information Security Law Blog

When compared to the EU or the U.S., China has lacked a comprehensive data protection and data security law that regulates in detail requirements and procedures relating to the collection, processing, control and storage of personal data. In recent years, China has seen developments on data protection both in legislation and in practice. Recently, another significant draft law on data security was issued by the Chinese legislative authority. On June 28 to June 30, 2020, the 20th Session of the 13th Standing Committee of the National People’s Congress of China (the “NPC”) deliberated on the draft of the Data Security Law (the “Draft”), and on July 3, published the Draft on the NPC’s official website for public comment. The public comment period for the Draft will end on August 16, 2020. It is expected that the Draft will be finalized within the year and that the regulatory requirements relating to data security eventually will be reflected in law in China.

Last month, in In re: Capital One Customer Data Security Breach Litigation, E.D. Va., No. 1:19-md-02915, U.S. Magistrate Judge John Anderson (the “Judge”) ordered Capital One Financial Corp. (“Capital One”) to disclose a forensic report to the plaintiffs in a lawsuit stemming from Capital One’s 2019 data breach. In doing so, the Judge rejected Capital One’s argument that the report is protected from disclosure to the plaintiffs by the work product doctrine.

On June 24, 2020, the Washington State Attorney General (“Washington AG”) announced that it had settled an enforcement action against the owners of the “We Heart It” social media platform for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and the Washington State Consumer Protection Act. Under the consent decree, the defendants must pay $100,000, with an additional $400,000 suspended contingent upon compliance with the consent decree.

On July 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a joint endeavor with the Competition and Markets Authority (“CMA”) and Office of Communications (“Ofcom”), named the Digital Regulation Cooperation Forum (“DRCF”). The DRCF is intended to promote collaboration between the three regulators and pool their collective expertise with regard to data, privacy, competition, communications and content in digital markets and services. It also intends to engage regularly with the UK government.

On July 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became enforceable by the California Attorney General. Under the statute, businesses are granted 30 days to cure any alleged violations of the law after being notified of alleged noncompliance. If a business fails to cure the alleged violation, it may be subject to an injunction and liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) recently announced that it levied a €600,000 fine on banking institution UniCredit for several violations of the Italian Personal Data Protection Code, in its pre-General Data Protection Regulation (“GDPR”) form.

On June 25, 2020, the European Commission launched a public consultation on the revision of the Directive on Security of Network and Information Systems (the “NIS Directive”). According to the Commission, a revision is needed because cybersecurity capabilities in EU Member States remain unequal despite progress made with the NIS Directive, and the level of protection in the EU is insufficient. In addition, the rapid digitalization of society has expanded the threat landscape and presents new challenges requiring adaptive and innovative responses.

On June 23, 2020, the German Federal Court of Justice (the Bundesgerichtshof, or “BGH”) issued a decision confirming the enforceability, in preliminary proceedings, of the order of the German Federal Cartel Office (the “Bundeskartellamt”) against Facebook’s data practices.

On June 25, 2020, the European Data Protection Board (“EDPB”) published a new register containing decisions by national supervisory authorities (“SAs”) based on the One-Stop-Shop cooperation procedure set forth under Article 60 of the EU General Data Protection Regulation (the “GDPR”). Under Article 60 of the GDPR, SAs have the duty to cooperate on cross-border cases to ensure consistent application of the GDPR. In this context, the lead SA is responsible for preparing draft decisions and working together with the concerned SAs to reach a consensus.

Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.