Privacy & Information Security Law Blog

On August 26, 2021, the UK Department of Culture, Media and Sport (“DCMS”) made news by publishing a document indicating its intent to begin making adequacy decisions for UK data transfers to foreign jurisdictions and by announcing its preferred candidate for the position of new UK Information Commissioner.

The Children’s Advertising Review Unit (“CARU”), a part of a part of the Better Business Bureau National Programs (“BBBNP”), released its revised Children’s Advertising Guidelines (the “Guidelines”) earlier this month. The Guidelines, which contain some notable changes, will go into effect in January 2022.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

On August 9, 2021, the UK First-Tier Tribunal (General Regulatory Chamber) (“FTT”) reduced a fine imposed by the UK Information Commissioner’s Office (“ICO”) against Doorstep Dispensaree Ltd (“DDL”) from £275,000 to £92,000, a reduction of approximately two thirds. DDL, which supplies medicines to customers and care homes, was fined in December 2019 for failure to comply with the EU General Data Protection Regulation (“GDPR”). The ICO also issued an Enforcement Notice, requiring DDL to take certain actions to bring its processing into compliance.

Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).

On July 30, 2021, the UK High Court handed down its judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), determining that the claimant could not seek damages on the basis of misuse of personal information, breach of confidence or common law negligence following a data breach.

On August 2, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it had levied a €2,500,000 fine on Deliveroo Italy s.r.l. for the unlawful processing of personal data of approximately 8,000 Deliveroo riders, and various infringements of the EU Genera Data Protection Regulation (the “GDPR”).

On July 29, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s Consultation on the Draft Artificial Intelligence Act (the “Act”). Feedback received as part of this consultation will feed into discussions with the European Parliament and the European Council as the proposal makes its way through the EU legislative process.

On July 31, 2021, Zoom Video Communications, Inc. (“Zoom” or the “Company”) agreed to pay $85 million to settle a class action suit that alleged the Company violated users’ privacy rights by misleading consumers about encryption security, sharing data through third-party integrations without adequate notice or consent, and failing to protect private meetings from being disturbed by “zoombombings.” Class members would be eligible to receive payment, regardless of whether they paid for a Zoom account.

On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021 (the “Act”). The Act would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.