Privacy & Information Security Law Blog

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

On September 27, 2022, California Governor Gavin Newsom signed into law a pair of bills designed to prevent medical information and other data held by California entities from being used in out-of-state abortion prosecutions. 

On September 26, 2022, the UK Information Commissioner’s Office (“ICO”) confirmed in a statement that it issued TikTok Inc. and TikTok Information Technologies UK Limited (together, “TikTok”) a notice of intent to potentially impose a £27 million fine for failing to protect children’s privacy. This notice of intent follows an investigation by the ICO finding that TikTok may have breached UK data protection law between May 2018 and July 2020 by failing to protect children’s privacy when using the TikTok platform.

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

On September 20, 2022, Indonesia’s parliament ratified the Personal Data Protection Act (the “Act”). The Act is the first comprehensive data protection law to be enacted in Indonesia and will come into effect on a date set by the Minister of State Secretariat. Organizations subject to the Act will have two years to come into compliance with the Act’s requirements.

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) issued the Measures on Security Assessment on Cross-border Transfer (the “Measures”), which became effective on September 1, 2022, and provide a six-month grace period to the relevant data handlers. On August 31, 2022, the CAC issued the Guidelines on Application for Security Assessment on Cross-border Transfer (the “Guidelines”), which further clarify certain issues and provide specific application documents for security assessments (including templates of application forms for security assessment on cross-border transfer and self-assessments report for risks of cross-border transfer).

On June 10, 2022, New York became the first state to require attorneys to complete at least one credit of cybersecurity, privacy and data protection training as part of their continuing legal education (“CLE”) requirements. The new requirement will take effect July 1, 2023.

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

In July 2022, Maria Ostashenko from ALRUD Law Firm reports that the Russian Parliament passed, and the President of the Russian Federation signed into law, major reforms in data protection and information governance. The reforms include:

• Significant changes to Federal Law No. 152-FZ on Personal Data, including the scope of its application, new rules for cross-border transfer of personal data, data breach notifications, and additional protections for data subjects;
• New amendments to the Unified Biometric System regulations;
• Establishment of a countersanction-information ...

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On July 7, 2022, the Irish Data Protection Commission (the “DPC”) sent a draft decision to other EU data protection authorities, proposing to block Meta’s transfers of personal data from the EU to the United States.

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.  

On June 23, 2022, Italy’s data protection authority (the “Garante”) determined that a website’s use of the audience measurement tool Google Analytics is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States, which does not offer an adequate level of data protection. In making this determination, the Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found use of the tool to be unlawful.

On June 21, 2022, the Colorado Attorney General’s Office announced it is seeking informal input from the public on its rulemaking related to the Colorado Privacy Act (“CPA”). Before starting its formal rulemaking process, the Office has indicated it wants to better “understand the community’s thoughts and concerns about data privacy.”

On June 10, 2022, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper entitled “Local Law Assessments and Online Services – Refining the Approach to Beneficial and Privacy-Protective Cross-Border Data Flows A: Case Study from British Columbia.” The paper discusses recent developments in British Columbia that demonstrated a recognition by law- and policy-makers of the importance of cross-border data flows to an efficient and effective public sector.

On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).

On June 1, 2022, Thailand’s Personal Data Protection Act (“PDPA”) entered into force after three years of delays. The PDPA, originally enacted in May 2019, provides for a one-year grace period, with the main operative provisions of the law originally set to come into force in 2020. Due to the COVID-19 pandemic, however, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022. 

On May 10, 2022, as part of the Queen’s Speech, the UK government announced its intention to introduce a Data Reform Bill (the “Bill”). The UK government’s background and briefing notes to the Queen’s Speech state that the purpose of the Bill is to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 11, 2022, Virginia Governor Glenn Youngkin signed into law three bills that amend the Virginia Consumer Data Protection Act (“VCDPA”) ahead of the VCDPA’s January 1, 2023 effective date. The bills, HB 381, HB 714 and SB 534, (1) add a new exemption to the VCDPA’s right to delete; (2) modify the VCDPA’s definition of “nonprofit”; and (3) abolish the Consumer Privacy Fund.

On April 12, 2022, Colorado Attorney General Phil Weiser made remarks at the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C., where he invited stakeholders to provide informal public comments on the Colorado Privacy Act (“CPA”) rulemaking.

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

On April 8, 2022, the New York Bar issued an opinion to protect “confidential” client identity information stored on an attorney’s smartphone. In particular, the opinion prohibits an attorney who stores “confidential” (as defined under Rule 1.6 of the New York Rules of Professional Conduct) client identity information in the attorney’s “contacts” folder on the attorney’s smartphone from consenting to share their “contacts” with a smartphone app, unless certain criteria are met.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference two public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

On February 28, 2022, the Emirate of Dubai enacted Law No. 4 of 2022 on the Regulation of Virtual Assets (“VAL”) and established the Dubai Virtual Assets Regulatory Authority (“VARA”). By establishing a legal framework for businesses related to virtual assets, including crypto assets and non-fungible tokens (NFTs), this landmark law reflects Dubai’s vision to become one of the leading jurisdictions for entrepreneurs and investors of blockchain technology.

On April 7, 2022, the European Data Protection Board (the “EDPB”) released a statement on the announcement of a new Trans-Atlantic Data Privacy Framework (the “Statement”).

On March 18, 2022, Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment requires notification of a data breach to affected individuals and the Indiana Attorney General without unreasonable delay, but no later than forty-five (45) days after discovery of the breach. The amendment will take effect on July 1, 2022.

On January 18, 2022, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, requiring employers to provide written notice to employees prior to the use of tracking devices in vehicles used by employees (the “Act”). The Act will go into effect on April 18, 2022.

On March 25, 2022, the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. The plaintiffs sued TikTok in 2019, alleging that TikTok did not seek verifiable parental consent prior to collecting personal information of children under 13 on the popular video platform in violation of the Children’s Online Privacy Protection Act. The complaint further alleged that TikTok disclosed and sold user data, including lip-syncing videos created by children who used a TikTok-affiliated app called Musical.ly, to third parties, without parental consent. The $1.1 million settlement will be distributed among class members, who consist of U.S. users who, prior to the settlement’s effective date and while under the age of 13, registered for or used TikTok or Musical.ly.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) will hold public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”) via video conference. As we previously reported, the CPPA, which has rulemaking authority under the CPRA and will be responsible for implementing and enforcing the CPRA, recently estimated that it will not publish final CPRA regulations until the third or fourth quarter of 2022.

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On February 18, 2022, California Assembly Member Evan Low (D) introduced a pair of bills – AB 2871 and AB 2891 – that would extend the duration of the current exemptions in the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act (“CPRA”)) for certain HR data and business-to-business (“B2B”) customer representative personnel data from most of the law’s requirements. The existing temporary “HR” and “B2B” exemptions were first introduced through amendments to the CCPA, and were extended by the CPRA, under which the exemptions will sunset on the CPRA’s compliance deadline, January 1, 2023.

The Federal Trade Commission has reached a settlement with WW International, Inc. and Kurbo, Inc. over allegations the companies improperly registered children for the “Kurbo by WW” online weight loss management program. In pleadings filed on February 16, 2022, in federal court in the Northern District of California, the FTC claims WW and Kurbo offered a service that was tailored for children but that failed to ensure parental involvement in the registration process. According to the FTC, the defendants created an age gate that children could easily evade, and that ...

On January 28, 2022, in celebration of Data Privacy Day, the Colorado Attorney General’s Office issued prepared remarks from Colorado Attorney General Phil Weiser and published guidance on data security best practices. In his remarks, Attorney General Weiser highlighted the importance of protecting data security and outlined his office’s plans for implementing the Colorado Privacy Act (“CPA”), which takes effect July 1, 2023.

On January 12, 2022, the French Data Protection Authority (the “CNIL”) published guidelines on the re-use of personal data by data processors for their own purposes (such as product improvement or the development of new products and services) under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). This post outlines key takeaways from the Guidelines.

Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.

On November 5, 2021, IAB Europe (“IAB EU”) announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework (“TCF”). The TCF is a GDPR consent solution built by IAB EU that has become a widely used approach to collecting consent to cookies under the GDPR. The draft ruling is expected to find that the TCF does not comply with the GDPR, in part because IAB EU acts as a controller, and the digital signals the TCF creates to capture individuals’ consent to cookies are personal data under the GDPR. Because IAB EU does not consider itself a controller with respect to the TCF, it does not currently comply with the GDPR’s controller obligations.

On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps available for download in the Apple App Store and Google Play Store, respectively. As described further below, Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit to the Google Play Store Data Safety forms and Privacy Policies by April 2022.

On October 29, 2021, the Cyberspace Administration of China (“CAC”) released for public comment “Draft Measures on Security Assessment of Cross-border Data Transfer” (“Draft Measures”). The CAC, in its third legislative attempt to build a cross-border data transfer mechanism in China, issued the Draft Measures three days before the November 1, 2021 effective date of the Personal Information Protection Law (“PIPL”).

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 12, 2021, the Oxford County Court determined that a homeowner had breached the Data Protection Act 2018 (“DPA”) and UK General Data Protection Regulation (“UK GDPR”) by using Ring security cameras around his property. In Dr Mary Fairhurst v Mr Jon Woodard, Fairhurst claimed harassment, nuisance and breach of UK data protection law based on her former neighbor, Woodard’s, use of security cameras and lights around his property. While the claim in nuisance failed, the judge found for the claimant on the claims of harassment and breach of data protection law.

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

On August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

On August 25, 2021, New Mexico Attorney General (“AG”) Hector Balderas sued Rovio Entertainment (“Rovio” or the “Company”), the developer of the popular Angry Birds mobile app games, alleging that the Company violated the federal Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting data from players under age 13 and sharing it with advertisers. Under COPPA, developers of child-directed apps are required to provide notice to parents of their data collection practices and obtain verifiable parental consent to collect personal information from children under 13.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

On August 2, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it had levied a €2,500,000 fine on Deliveroo Italy s.r.l. for the unlawful processing of personal data of approximately 8,000 Deliveroo riders, and various infringements of the EU Genera Data Protection Regulation (the “GDPR”).

On July 16, 2021, the Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (“GDPR”). The CNPD also ordered Amazon to revise certain of its practices. As Amazon has its EU headquarters in Luxembourg, the CNPD acts as Amazon’s lead supervisory authority in the EU.

On June 16, 2021, the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform published an independent report containing recommendations to the Prime Minister on how the UK can reshape its approach to regulation in the wake of Brexit (the “Report”). Among wide-ranging proposals across a range of areas, the Report recommends replacing the UK General Data Protection Regulation (“UK GDPR”) with a new UK Framework of Citizen Data Rights. The proposed approach would aim to give individuals greater control over their personal data while also allowing increased data flows and driving growth in the digital economy. The Report will be considered by the Government’s Better Regulation Committee.

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

On June 3, 2021, Google informed app developers that beginning in late 2021, when Android 12 OS users opt out of personalized ads, the advertising ID provided by Google Play services (the Google Ad ID, or “GAID”) will not be made available to app developers for any purpose.

On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

On May 26, 2021, the Court of Appeal handed down its judgment in the case of R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, finding that the UK 2018 Data Protection Act’s (“DPA 2018”) “immigration exemption” is unlawful.

On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €525,000 fine on Locatefamily.com for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation (“GDPR”) to appoint a representative in the EU.

On May 10, 2021, the Ecuadorian National Assembly unanimously approved the Organic Law on Data Protection (the “Data Protection Law”), which President Moreno is expected to sign.

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board (“EDPB”). The request came after the Parliament’s Civil Liberties Committee (the “Committee”) passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime. The Members of European Parliament (“MEPs”) stated that if the Commission’s implementing decisions are adopted without amendment, transfers of personal data to the UK should be suspended when there is the potential for indiscriminate access to personal data.

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.

On May 6, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers submitting new apps and app updates to the Google Play store will be required to disclose certain information regarding their apps’ data collection, use, sharing and security practices, as well as provide a privacy policy for their apps. This information will be displayed in a new “safety section” of Google Play.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.

On April 23, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on virtual voice assistants (the “Guidelines”). The Guidelines were adopted on March 12, 2021 for public consultation.

As reported on the Hunton Retail Law Blog, on April 26, 2021, the U.S. Court of Appeals for the Second Circuit affirmed the dismissal on Article III standing grounds of a data breach class action predicated on an alleged increased risk of identity theft. McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021). Notably, the district court that dismissed the action raised the issue of standing sua sponte in advance of a scheduled class settlement fairness hearing.

On April 22, 2021, the Belgian Constitutional Court annulled (in French) the framework set forth by the Law of 29 May 2016 (the “Law”) requiring telecommunications providers to retain electronic communications data in bulk.

On April 20, 2021, Apple announced that its AppTracking Transparency Framework (“ATT Framework”) will go into effect starting April 26, 2021, along with the upcoming public release of iOS 14.5, iPadOS 14.5 and tvOS 14.5.

On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.

On April 8, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted comments in response to the Ministry of Public Security (“MPS”) of Vietnam’s Draft Decree on Personal Data Protection (“Draft Decree”).

On April 1, 2021, California’s Supreme Court ruled unanimously that the state’s prohibition on recording calls without consent applies to parties on the call and not just third-party eavesdroppers. Writing for the Court, Chief Justice Tani G. Cantil-Sakauye wrote that California’s penal code “prohibits parties as well as nonparties from intentionally recording a communication transmitted between a cellular or cordless phone and another device without the consent of all parties to the communication.”

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 19, 2021, the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) signed a Memorandum of Understanding (“MoU”) with the UK Information Commissioner’s Office (the “ICO”) with respect to new UK adequacy assessments following the UK’s departure from the European Union. The MoU sets out how DCMS and third countries will negotiate adequacy decisions, referred to under the MoU as “adequacy regulations”. These permit the free transfer of personal data collected in the UK to the relevant “adequate” jurisdiction.

On March 12, 2021, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of the partnership between the French Ministry of Health and Doctolib, a leading provider of online medical consultations in Europe, for the management of COVID-19 vaccination appointments.

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.

On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) related to allegations that RMS violated the NYDFS Cybersecurity Regulation in connection with a 2019 data breach.

On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.

On February 5, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the European Commission’s (the “Commission’s”) public consultation on the Commission’s Proposal for a Regulation on European Data Governance (the “Data Governance Act,” or “DGA”). This proposal is the first set of initiatives announced under the broader European Data Strategy.

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.

On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On December 16, 2020, the Committee of Experts within India’s Ministry of Electronics and Information Technology (MeitY) (the “Committee”) issued a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “Revised Committee Report”).

The Federal Trade Commission issued a call for presentations on consumer privacy and data security research for its sixth annual PrivacyCon, which is to be held on July 27, 2021. The call for presentations asks for empirical research and demonstrations, including economic analyses, with implications for privacy and data security policy and law.

On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.

On December 18, 2020, federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (collectively, the “Agencies”) announced a proposed rule (the “Proposed Rule”) that would require “banking organizations” to notify their primary federal regulator within 36 hours following any “computer-security incident” that rises to the level of a “notification incident.” The Proposed Rule also would require service providers to notify at least two individuals at the banking organizations they service immediately after experiencing a computer-security incident that materially disrupts, degrades or impairs the services they provide.

On December 17, 2020, the UK Information Commissioner’s Office (“ICO”) published its Data Sharing Code of Practice (the “Code”), in accordance with its obligation to do so under the Data Protection Act 2018 (the “DPA”).

On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) to be used for the transfer of personal data from a controller or processor subject to the EU General Data Protection Regulation (“GDPR”) (i.e., a data exporter) to a controller or (sub-)processor not subject to the GDPR (i.e., a data importer).

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) between controllers and processors for purposes of Article 28 of the EU General Data Protection Regulation (the “GDPR”). Article 28 of the GDPR sets out specific provisions that must be executed between data controllers and processors when personal data is shared.

Hunton Andrews Kurth is pleased to announce the release of Sweet & Maxwell’s fifth edition of Data Protection Law and Practice, written by Rosemary Jay, Hunton Andrews Kurth’s senior consultant attorney. This edition has been re-written to provide a thorough review of the current state of data protection law in the UK, along with details of relevant background context.