Privacy & Information Security Law Blog

On February 7, 2020, the California Attorney General (“AG”) issued modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial draft regulations about which we previously reported.  According to the AG’s website, the modified draft regulations are subject to another public comment period. The deadline to submit written comments is February 24, 2020, at 5:00 p.m. (PST).

On January 16, 2020, the Senate approved the United States-Mexico-Canada Agreement (“USMCA”), sending it to the President’s desk for ratification. Mexico ratified the Agreement in June 2019, and Canada is expected to follow suit later this month. To coincide with its ratification, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a white paper entitled What Does the USMCA Mean for a U.S. Federal Privacy Law?

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On November 29, 2019, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, circulated a draft of a comprehensive federal privacy bill entitled the United States Consumer Data Privacy Act of 2019 (“the Bill”).

As reported by Russian law firm Alrud, on November 21, 2019, the Russian State Duma passed a bill (the “Bill”) that would increase the minimum fines that may be imposed for violations of Russia’s data protection laws. The Bill would allow for maximum administrative fines of 18 million RUB (approximately $282,000 USD) for violations of Russia’s data localization requirement, which requires entities processing personal data of Russian citizens to process that data in databases located within the territory of Russia. This represents a significant departure from the maximum administrative fines that may be imposed for other data protection violations in Russia as it is significantly higher than other potential penalties.

On September 20, 2019, Bloomberg Law reported that California Attorney General Xavier Becerra anticipates that draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”) will be published this October. According to Bloomberg’s reporting, the Attorney General aims to issue final regulations by January 1, 2020, the CCPA’s compliance deadline. Under the CCPA, the Attorney General may begin enforcement of the law six months after the publication of final regulations or July 1, 2020, whichever is sooner ...

Ecuador is seeking to pass a data protection bill in the wake of a massive data breach that resulted in the personal data of up to 20 million people being made available online. According to reports, the bill draws on the EU General Data Protection Regulation (“GDPR”) in certain ways—for example, as relates to international data transfers—but diverges in other respects. The data protection bill headed to Ecuador’s national assembly today.

There are six bills pending before the California legislature that would amend the California Consumer Privacy Act of 2018 (“CCPA”). These bills could significantly alter the law’s application and associated compliance obligations, including with respect to HR data, B2B customer data, loyalty programs and the definition of “personal information.” As of September 12, three bills have passed out of the California Senate and are pending before the Assembly for a concurring vote: AB 874, AB 1146 and AB 1564. The California legislature must vote on all pending CCPA ...

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).

While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a white paper on Organizational Accountability’s Existence in U.S. Regulatory Compliance and its Relevance for a Federal Data Privacy Law (the “White Paper”).

A number of bills to amend the California Consumer Privacy Act of 2018 (“CCPA”) are still pending before the California legislature. Of particular interest to many businesses is AB 25. AB 25 would exempt from the CCPA’s application “[p]ersonal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” if the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. The bill also would exempt from the CCPA’s application emergency contact information of these exempted categories of individuals and information necessary to administer benefits for persons related to such individuals.  Notably, AB 25 does not appear to exempt business-to-business customer representatives or representatives of other third-party business partners.  AB 25 also would authorize a business to require authentication of a consumer that is reasonable in light of the nature of the personal information requested. The bill further would authorize a business to require a consumer to submit the consumer’s verifiable request through the consumer’s account, where the consumer maintains an account with the business.

Today marks one year since the California Consumer Privacy Act of 2018 (“CCPA”) was passed and signed into law. The CCPA signals a dramatic shift in the data privacy regime in the United States, imposing on covered businesses the most prescriptive general privacy rules in the nation. In addition, the past year has seen a legislative explosion in the form of similar proposed state laws and potential federal data privacy legislation.

Texas Governor Greg Abbott recently signed into law HB 4390 (the “Bill”), which amends the state’s data breach notification law and creates an advisory council tasked with studying and developing recommendations regarding data privacy legislation.

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

On June 1, 2019, New Decree No. 2019-536 (the “Implementing Decree”) took force, enabling the French Data Protection Act, as amended by an Ordinance of December 12, 2018, likewise to enter into force. This marks the completion of the adaption of French law to the EU General Data Protection Regulation (“GDPR”) and the EU Police and Criminal Justice Directive (Directive (EU) 2016/680).

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.

On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

On June 4, 2019, Hunton hosted a webinar with partners Lisa Sotto, Aaron Simpson, Brittany Bacon and Fred Eames on the evolving U.S. privacy landscape. The past year has seen highly consequential legislative developments in U.S. privacy law affecting compliance obligations for businesses that have or use consumer data. Various states and the U.S. Congress are considering bills that could transform privacy in the United States. In this program, our speakers discuss the California Consumer Privacy Act of 2018 (“CCPA”) and other significant state and federal privacy legislation.

On May 27, 2019, the Illinois General Assembly voted 79-32 to approve Senate Bill 1624, an amendment to the Personal Information Protection Act (“PIPA”). The bill’s sponsor, Senator Suzy Glowiak (D), expects Illinois Governor J.B. Pritzker (D) to sign the bill into law in short order. The amendment had already unanimously passed the state Senate last month.

On May 16, 2019, the California State Senate Appropriations Committee did not approve SB 561, a bill that would have amended the California Consumer Privacy Act (“CCPA”) to expand the private right of action to permit consumers to sue for any violations of the CCPA. The Committee’s decision to hold the bill means it will not pass out of the Senate this session.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

As reported by Bloomberg Law, on May 7, 2019, Washington State Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law. The new requirements include the following:

• Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information.” Washington’s breach notification law previously defined personal information as an individual’s name in combination with the individual’s Social Security number, state identification card number, or financial account or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. HB 1071 adds the following data elements to the definition, when compromised in combination with an individual’s name:
  • full date of birth;
  • private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  • student, military or passport identification number;
  • health insurance policy number or health insurance identification number;
  • any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
  • biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.

In late April, the California state legislature’s Privacy and Consumer Protection Committee held hearings on nine bills that seek to refine the California Consumer Privacy Act of 2018 (“CCPA”) by clarifying the legislation and limiting its scope. Eight bills advanced to the Assembly Appropriations Committee; the ninth is non-fiscal and will next be heard by the full Assembly. Last week, the California Assembly Appropriations Committee approved three of the bills. These bills, now on the Assembly’s “Consent Calendar,” will be heard this week. The Appropriations Committee will hold hearings on the other five bills in the next two weeks.

From the Assembly’s Appropriations Committee, bills must go through the full Assembly, the California Senate and the California governor to be enacted as law.

On April 22, 2019, Washington state legislators voted to send HB 1071 (the “Bill”) to Governor Jay Inslee for consideration. The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018.

The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

Hunton Andrews Kurth LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report setting forth best practices for an effective data breach notification framework (the “Report”). Lead Hunton authors are Lisa J. Sotto, chair of the Global Privacy and Cybersecurity practice, and partners Brittany M. Bacon and Aaron P. Simpson.

As we previously reported, the California Consumer Privacy Act of 2018 (“CCPA”) delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. The California Department of Justice anticipates publishing a Notice of Proposed Regulatory Action concerning the CCPA in Fall 2019.

On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.

The California Department of Justice will host six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) to provide the general public an opportunity to participate in the CCPA rulemaking process. Individuals may attend or speak at the events or submit written comments by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).

On November 1, 2018, Senator Ron Wyden (D-Ore.) released a draft bill, the Consumer Data Protection Act, that seeks to “empower consumers to control their personal information.” The draft bill imposes heavy penalties on organizations and their executives, and would require senior executives of companies with more than one billion dollars per year of revenue or data on more than 50 million consumers to file annual data reports with the Federal Trade Commission. The draft bill would subject senior company executives to imprisonment for up to 20 years or fines up to $5 million, or both, for certifying false statements on an annual data report. Additionally, like the EU General Data Protection Regulation, the draft bill proposes a maximum fine of 4% of total annual gross revenue for companies that are found to be in violation of Section 5 of the FTC Act.

As reported on the Blockchain Legal Resource, California Governor Jerry Brown recently signed into law Assembly Bill No. 2658 for the purpose of further studying blockchain’s application to Californians. In doing so, California joins a growing list of states officially exploring distributed ledger technology.

On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.

On September 28, 2018, California Governor Jerry Brown signed into law two identical bills regulating Internet-connected devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”), aimed at the “Internet of Things,” require that manufacturers of connected devices—devices which are “capable of connecting to the Internet, directly or indirectly,” and are assigned an Internet Protocol or Bluetooth address, such as Nest’s thermostat—outfit the products with “reasonable” security features by January 1, 2020; or, in the bills’ words: “equip [a] device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure[.]”

On September 26, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Indian Ministry of Electronics and Information Technology on the draft Indian Data Protection Bill 2018 (“Draft Bill”).

On September 26, 2018, the U.S. Senate Committee on Commerce, Science, and Transportation convened a hearing on Examining Consumer Privacy Protections with representatives of major technology and communications firms to discuss approaches to protecting consumer privacy, how the U.S. might craft a federal privacy law, and companies’ experiences in implementing the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately,  and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. 

Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a ...

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA.

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA ...

On August 3, 2018, Ohio Governor John Kasich signed into law Senate Bill 220 (the “Bill”), which provides covered entities with an affirmative defense to tort claims, based on Ohio law or brought in an Ohio court, that allege or relate to the failure to implement reasonable information security controls which resulted in a data breach. According to the Bill, its purpose is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Bill will take effect 90 days after it is provided to the Ohio Secretary of State ...

This post has been updated. 

As reported by Mundie e Advogados, on July 10, 2018, Brazil’s Federal Senate approved a Data Protection Bill of Law (the “Bill”). The Bill, which is inspired by the EU General Data Protection Regulation (“GDPR”), is expected to be sent to the Brazilian President in the coming days.

As reported by Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados, the Bill establishes a comprehensive data protection regime in Brazil and imposes detailed rules for the collection, use, processing and storage of personal data, both electronic and physical.

On July 3, 2018, a draft bill (the “Data Protection Bill”) was introduced that would establish a comprehensive data protection regime in Kenya. The Data Protection Bill would require “banks, telecommunications operators, utilities, private and public companies and individuals” to obtain data subjects’ consent before collecting and processing their personal data. The Data Protection Bill also would impose certain data security obligations related to the collection, processing and storage of data, and would place restrictions on third-party data ...

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information.

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information; (2) notify affected Chicago residents and the City of Chicago in the event of a data breach; (3) register with the City of Chicago if they qualify as “data brokers”; (4) provide specific notification to mobile device users for location services; and (5) obtain prior express consent to use geolocation data from mobile applications.

On June 12, 2018, Vietnam’s parliament approved a new cybersecurity law  that contains data localization requirements, among other obligations. Technology companies doing business in the country will be required to operate a local office and store information about Vietnam-based users within the country. The law also requires social media companies to remove offensive content from their online service within 24 hours at the request of the Ministry of Information and Communications and the Ministry of Public Security’s cybersecurity task force. Companies could face ...

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018.

On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).

On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances.

On May 4, 2018, St. Kitts and Nevis’ legislators passed the Data Protection Bill 2018 (the “Bill”). The Bill was passed to promote the protection of personal data processed by public and private bodies.

The Canadian government recently published a cabinet order stating that the effective date for breach notification provisions in the Digital Privacy Act would be November 1, 2018. At that time, businesses that experience a "breach of security safeguards" would be required to notify affected individuals, as well as the Privacy Commissioner and any other organization or government institution that might be able to reduce the risk of harm resulting from the breach.

Recently, the General Services Administration (“GSA”) announced its plan to upgrade its cybersecurity requirements in an effort to build upon the Department of Defense’s new cybersecurity requirements, DFAR Section 252.204-7012, that became effective on December 31, 2017.

On January 30, 2018, the UK Court of Appeal ruled that the Data Retention and Investigatory Powers Act (“DRIPA”) was inconsistent with EU law. The judgment, pertaining to the now-expired act, is relevant to current UK surveillance practices and is likely to result in major amendments to the Investigatory Powers Act (“IP Act”), the successor of DRIPA.

Stephen Mathias of the law firm Kochhar & Co. reports from India that in a landmark judgment delivered in August 2017, the Supreme Court of India (“Court”) unanimously held that the right to privacy is a fundamental right under the Constitution of India. The Court also delivered six separate concurring judgments, with the main judgment being delivered by four of the nine judges.

On August 14, 2017, the Colombian Superintendence of Industry and Commerce (“SIC”) announced that it was adding the United States to its list of nations that provide an adequate level of protection for the transfer of personal information, according to a report from Bloomberg BNA. The SIC, along with the Superintendence of Finance, is Colombia’s data protection authority, and is responsible for enforcing Colombia’s data protection law. Under Colombian law, transfers of personal information to countries that are deemed to have laws providing an adequate level of ...

On May 16, 2017, the Governor of the State of Washington, Jay Inslee, signed into law House Bill 1493 (“H.B. 1493”), which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. The law will become effective on July 23, 2017. With the enactment of H.B. 1493, Washington becomes the third state to pass legislation regulating the commercial use of biometric identifiers. Previously, both Illinois and Texas enacted the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001), respectively.

On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites (e.g., in privacy policies) or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information. Pursuant to H.B. 2090, a company engages in an unlawful trade practice if it makes assertions to consumers regarding the handling of their information that are materially inconsistent with its actual practices. Consumers can ...

On March 28, 2017, the French Data Protection Authority (“CNIL”) published its Annual Activity Report for 2016 (the “Report”) and released its annual inspection program for 2017.

On February 13, 2017, the Parliament of Australia passed legislation that amends the Privacy Act of 1988 (the “Privacy Act”) and requires companies with revenue over $3 million AUD ($2.3 million USD) to notify affected Australian residents and the Australian Information Commissioner (the “Commissioner”) in the event of an “eligible data breach.”

On February 6, 2017, the House of Representatives suspended its rules and passed by voice vote H.R 387, the Email Privacy Act. As we previously reported, the Email Privacy Act amends the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers.

On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.

On January 24, 2017, the UK Supreme Court handed down its judgment in the case of R (on the application of Miller and another) (Respondents) v. Secretary of State for Exiting the European Union (Appellant) [2017] UKSC 5. The case concerned the process to be followed to effect the UK’s withdrawal from the European Union and, in particular, whether the UK government may commence the UK’s withdrawal using executive powers, or whether Parliamentary approval is required. The Supreme Court held, by majority, that the UK government cannot commence the UK’s withdrawal from the EU without the approval of Parliament.

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

On January 3, 2017, Bloomberg Law: Privacy and Data Security reported that Chilean legislators are soon expected to consider a new data protection law (the “Bill”) which would impose new privacy compliance standards and certain enforcement provisions on companies doing business in Chile. 

On November 16, 2016, the UK Investigatory Powers Bill (the “Bill”) was approved by the UK House of Lords. Following ratification of the Bill by Royal Assent, which is expected before the end of 2016, the Bill will officially become law in the UK. The draft of the Bill has sparked controversy, as it will hand significant and wide-ranging powers to state surveillance agencies, and has been strongly criticized by some privacy and human rights advocacy groups. 

This post has been updated. 

On November 10, 2016, the Court of Appeal for Moscow’s Taginsky District upheld an August 2016 decision by the district’s lower court that LinkedIn had violated Russian data protection laws. Access to the professional networking site is now set to be blocked across Russia.

The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives' Committee on Energy and Commerce (“Energy and Commerce Committee”).

On October 14, 2016, the National Highway Transportation Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports. Since 1994, the Environmental Protection Agency has required OBD-II ports be installed in all vehicles so that they can be tested for compliance with the Clean Air Act. OBD-II ports provide valuable vehicle diagnostic information and allow for aftermarket devices providing services such as “good driver” insurance benefits and vehicle tracking. Because OBD-II ports provide direct access to a vehicle’s internal network; however, OBD-II ports are widely cited as the central vulnerability to vehicle cybersecurity.

On October 19, 2016, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Patrick Breyer v. Bundesrepublik Deutschland, following the Opinion of Advocate General Manuel Campos Sánchez-Bordona on May 12, 2016. The CJEU followed the Opinion of the Advocate General and declared that a dynamic IP address registered by a website operator must be treated as personal data by that operator to the extent that the user's Internet service provider ("ISP") has - and may provide - additional data that in combination with the IP address that would allow for the identification of the user.

On September 20, 2016, the Department of Transportation, through the National Highway Traffic Safety Administration (“NHTSA”), released federal cyber guidance for autonomous cars entitled Federal Automated Vehicles Policy (“guidance”).

Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.

The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”), published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice for the European Union’s (“CJEU's”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.

On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. The FTC’s authority for issuing these adjustments comes from the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Federal Register Notice indicates which sections of the FTC Act the adjustments will apply to, and the corresponding increases. For example, the FTC has increased the maximum fine from $16,000 to $40,000 for certain violations of Section 5 of ...

This post has been updated. 

On June 17, 2016, the National Privacy Commission (the “Commission”) of the Philippines released draft guidelines entitled, Implementing Rules and Regulations of the Data Privacy Act of 2012 (“IRR”), for public consultation.

Under the IRR, the processing of personal data has to adhere to the principles of transparency, legitimate purpose and proportionality. The IRR defines personal data as personal information, sensitive information and privileged information. Sensitive information refers to personal information about an individual’s race, ethnicity, health, education, genetic or sexual life of a person, proceedings related to an offense committed by a person, health records and tax returns. According to the IRR, the personal information controller should take organizational, physical and technical security measures for data protection. Such security measures include the designation of a privacy officer, limitations on physical access and the adoption of technical and logical security measures.

On June 23, 2016, the UK held a referendum to decide upon its continued membership in the European Union. The outcome has resulted in the decision for the UK to withdraw its membership from the European Union. Despite the result, data protection standards are unlikely to be affected.

TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and U.S. Department of Justice (“DOJ”) jointly issued final guidance on the Cybersecurity Information Sharing Act of 2015 (“CISA”). Enacted in December 2015, CISA includes a variety of measures designed to strengthen private and public sector cybersecurity. In particular, CISA provides protections from civil liability, regulatory action and disclosure under the Freedom of Information Act (“FOIA”) and other open government laws for “cyber threat indicators” (“CTI”) and “defensive measures” (“DM”) that are shared: (1) among businesses or (2) between businesses and the government through a DHS web portal. Congress passed CISA in order to increase the sharing of cybersecurity information among businesses and between businesses and the government, and to improve the quality and quantity of timely, actionable cybersecurity intelligence in the hands of the private sector and government information security professionals.

On June 2, 2016, the European Union and the U.S. signed an Umbrella Agreement, which will implement a comprehensive data protection framework for criminal law enforcement cooperation. The agreement is not yet in effect and additional procedural steps are needed to finalize the agreement. The European Council will adopt a decision on the Umbrella Agreement after obtaining consent from the European Parliament.

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

On February 24, 2016, President Obama signed the Judicial Redress Act (the “Act”) into law. The Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The Act was signed after Congress approved an amendment that limits the right to sue to only those citizens of countries which (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests.

On February 16, 2016, the Department of Homeland Security (“DHS”), in collaboration with other federal agencies, released a series of documents outlining procedures for both federal and non-federal entities to share and disseminate cybersecurity information. These documents were released as directed by the Cybersecurity Act of 2015 (the “Act”), signed into law on December 18, 2015. The Act outlines a means by which the private sector may enjoy protection from civil liability when sharing certain cybersecurity information with the federal government and private entities. These documents represent the first steps by the executive branch to implement the Act.

On February 10, 2016, the U.S. House of Representatives passed the Judicial Redress Act, which had been approved by the Senate the night before and included a recent Senate amendment. The House of Representatives previously passed the original bill in October 2015, but the bill was sent back to the House due to the recent Senate amendment. The Judicial Redress Act grants non-U.S. citizens certain rights, including a private right of action for alleged privacy violations that occur in the U.S. The amendment limits the right to sue to only those citizens of countries that (1) permit the “transfer of personal data for commercial purposes” to the U.S., and (2) do not impose personal data transfer policies that “materially impede” U.S. national security interests. The bill now heads to President Obama to sign.

On February 9, 2016, President Obama signed an Executive Order establishing a permanent Federal Privacy Council (“Privacy Council”) that will serve as the principal interagency support structure to improve the privacy practices of government agencies and entities working on their behalf. The Privacy Council is charged with building on existing interagency efforts to protect privacy and provide expertise and assistance to government agencies, expand the skill and career development opportunities of agency privacy professionals, improve the management of agency privacy programs, and promote collaboration between and among agency privacy professionals.

On January 13, 2016, the Russian Data Protection Authority (Roscommandzor) released its plan for audits this year to assess compliance with Russia’s data localization law, which became effective on September 1, 2015. The localization law requires companies to store the personal data of Russians in databases located in Russia. The audit plan indicates that the Roscommandzor will audit large, multinational companies doing business in numerous jurisdictions and processing the personal data of Russian citizens ...

On January 28, 2016, the Senate Judiciary Committee passed the Judicial Redress Act (the “Act”), which would give EU citizens the right to sue over certain data privacy issues in the U.S. The Act passed after an amendment was approved which would condition EU citizens’ right to sue on EU Member States (1) allowing companies to transfer personal data to the U.S. for commercial purposes and (2) having personal data transfer policies which do not materially impede the national security interests of the U.S. The vote was initially set to take place on January 21, 2016, but was delayed.

On January 21, 2016, a Senate Judiciary Committee vote on the Judicial Redress Act, which would give EU citizens the right to sue over certain data privacy issues in the U.S., has reportedly been postponed. As reported by Forbes, the vote may have been delayed due to amendments to the fifth paragraph of the bill, which deals with litigation pursuant to the act. The vote was initially scheduled for today.

On December 17, 2015, the German Federal Diet (Bundestag) adopted a draft law introducing class action-like claims that will enable consumer protection associations to sue companies for violations of German data protection law.

On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the "Act"). 

In late October, the Brazilian Ministry of Justice (the “Ministry”) issued its revised Draft Bill for the Protection of Personal Data (“Draft Bill”). The Ministry released its preliminary draft in January 2015, and the Centre for Information Policy Leadership at Hunton & Williams LLP (“CIPL”) filed public comments to the draft on May 5, 2015.

On November 5, 2015, the White House released the proposed text of the Trans-Pacific Partnership Agreement (the “TPP”) containing a chapter on cross-border data transfers in the context of electronic commerce. In the chapter on Electronic Commerce, Chapter 14, the TPP includes commitments from participating parties to adopt and maintain a legal framework to protect personal information, and encourages cross-border data transfers to help facilitate business and trade.