Privacy & Information Security Law Blog

On April 22, 2021, the Belgian Constitutional Court annulled (in French) the framework set forth by the Law of 29 May 2016 (the “Law”) requiring telecommunications providers to retain electronic communications data in bulk.

On April 20, 2021, Apple announced that its AppTracking Transparency Framework (“ATT Framework”) will go into effect starting April 26, 2021, along with the upcoming public release of iOS 14.5, iPadOS 14.5 and tvOS 14.5.

On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.

On April 8, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted comments in response to the Ministry of Public Security (“MPS”) of Vietnam’s Draft Decree on Personal Data Protection (“Draft Decree”).

On April 1, 2021, California’s Supreme Court ruled unanimously that the state’s prohibition on recording calls without consent applies to parties on the call and not just third-party eavesdroppers. Writing for the Court, Chief Justice Tani G. Cantil-Sakauye wrote that California’s penal code “prohibits parties as well as nonparties from intentionally recording a communication transmitted between a cellular or cordless phone and another device without the consent of all parties to the communication.”

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 19, 2021, the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) signed a Memorandum of Understanding (“MoU”) with the UK Information Commissioner’s Office (the “ICO”) with respect to new UK adequacy assessments following the UK’s departure from the European Union. The MoU sets out how DCMS and third countries will negotiate adequacy decisions, referred to under the MoU as “adequacy regulations”. These permit the free transfer of personal data collected in the UK to the relevant “adequate” jurisdiction.

On March 12, 2021, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of the partnership between the French Ministry of Health and Doctolib, a leading provider of online medical consultations in Europe, for the management of COVID-19 vaccination appointments.

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.

On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) related to allegations that RMS violated the NYDFS Cybersecurity Regulation in connection with a 2019 data breach.

On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.

On February 5, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the European Commission’s (the “Commission’s”) public consultation on the Commission’s Proposal for a Regulation on European Data Governance (the “Data Governance Act,” or “DGA”). This proposal is the first set of initiatives announced under the broader European Data Strategy.

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation (“GDPR”) and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.

On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On December 16, 2020, the Committee of Experts within India’s Ministry of Electronics and Information Technology (MeitY) (the “Committee”) issued a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “Revised Committee Report”).

The Federal Trade Commission issued a call for presentations on consumer privacy and data security research for its sixth annual PrivacyCon, which is to be held on July 27, 2021. The call for presentations asks for empirical research and demonstrations, including economic analyses, with implications for privacy and data security policy and law.

On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.

On December 18, 2020, federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (collectively, the “Agencies”) announced a proposed rule (the “Proposed Rule”) that would require “banking organizations” to notify their primary federal regulator within 36 hours following any “computer-security incident” that rises to the level of a “notification incident.” The Proposed Rule also would require service providers to notify at least two individuals at the banking organizations they service immediately after experiencing a computer-security incident that materially disrupts, degrades or impairs the services they provide.

On December 17, 2020, the UK Information Commissioner’s Office (“ICO”) published its Data Sharing Code of Practice (the “Code”), in accordance with its obligation to do so under the Data Protection Act 2018 (the “DPA”).

On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) to be used for the transfer of personal data from a controller or processor subject to the EU General Data Protection Regulation (“GDPR”) (i.e., a data exporter) to a controller or (sub-)processor not subject to the GDPR (i.e., a data importer).

On December 10, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s invitation for comments on its draft implementing decision on standard contractual clauses (“SCCs”) between controllers and processors for purposes of Article 28 of the EU General Data Protection Regulation (the “GDPR”). Article 28 of the GDPR sets out specific provisions that must be executed between data controllers and processors when personal data is shared.

Hunton Andrews Kurth is pleased to announce the release of Sweet & Maxwell’s fifth edition of Data Protection Law and Practice, written by Rosemary Jay, Hunton Andrews Kurth’s senior consultant attorney. This edition has been re-written to provide a thorough review of the current state of data protection law in the UK, along with details of relevant background context.

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”), along with its draft set of new standard contractual clauses (the “SCCs”).

On October 22, 2020, the Consumer Financial Protection Bureau (“CFPB”) issued a notice of proposed rulemaking (the “Proposed Rule”) to implement Section 1033 of the Dodd-Frank Act (the “Act”) regarding consumers’ access to their financial information.

In an op-ed recently published by The Richmond Times-Dispatch, former Governor of Virginia and Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton Andrews Kurth Terry McAuliffe discusses why a U.S. federal privacy law is essential to economic recovery in the wake of the COVID-19 pandemic. McAuliffe highlights how the U.S., unlike other countries, lacks a comprehensive privacy law.

On August 26, 2020, as reported by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, the Brazilian Senate unexpectedly rejected the President’s Provisional Measure that was previously passed by the House of Representatives and aimed to postpone the applicability of the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”). The LGPD now will come into effect when the President signs the bill within 15 days of receiving the bill from Congress. The LGPD’s sanctions provisions, however, will continue to apply from August 1, 2021. The President also has issued a decree creating the new Brazilian data protection authority.

On July 30, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €20,000 fine on Belgian telecommunications provider Proximus N.V. (“Proximus”) for several data protection infringements related to Proximus’ public directory. In particular, the claimant requested that Proximus remove his contact details from the public directory and inform other publishers of public directories not to publish his personal data. Despite informing the claimant that it was going to proceed accordingly, Proximus still published his personal data in its public directory and shared it with other publishers of public directories.

On July 1, 2020, the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 came into effect (“New DP Law”). Due to the current pandemic, a three-month grace period, running until October 1, 2020, has been provided for companies to comply. The New DP Law replaces DIFC Law No. 1 of 2007. The release of the New DP Law is, in part, an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses).

On July 1, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published its 2019 annual report (the “Report”). The Report shows that in 2019, the Dutch DPA focused on enforcement actions, after having raised awareness about the EU General Data Protection Regulation (the “GDPR”) in 2018. Below are key findings from the Report.

On June 23, 2020, the German Federal Court of Justice (the Bundesgerichtshof, or “BGH”) issued a decision confirming the enforceability, in preliminary proceedings, of the order of the German Federal Cartel Office (the “Bundeskartellamt”) against Facebook’s data practices.

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4. Although many measures remain in place to prevent the virus’ spread, certain businesses, including restaurants and pubs, will be able to reopen in the UK, with the recommendation that staff-customer contact be minimized.

On June 18, 2020, Senator Sherrod Brown (OH) released a discussion draft of a privacy bill entitled the Data Accountability and Transparency Act of 2020 (“the Bill”). The Bill would provide individuals with several new rights regarding their personal data; implement rules limiting how personal data is collected, used or shared; and establish a new federal agency called the Data Accountability and Transparency Agency to protect individuals’ privacy and enforce those rules.

On June 11, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response (the “Response”) to the European Commission’s consultation regarding its white paper on “a European Approach to Excellence and Trust” on artificial intelligence (the “White Paper”).

On June 19, 2020, France’s Highest Administrative Court (the “Conseil d’Etat”) issued a decision partially annulling the guidelines of the French Data Protection Authority (the “CNIL”) on cookies and similar technologies (the “Guidelines”). The Conseil d’Etat annulled the provision of the Guidelines imposing a general and absolute ban on ‘cookie walls’ that prevent users who do not consent to the use of cookies from accessing a site or mobile app. However, the Conseil d’Etat upheld the main part of the Guidelines. On the day of the Conseil d’Etat’s decision, the CNIL published a statement (the “Statement”) announcing that they took note of the decision and will strictly comply with it.

The UK Information Commissioner’s Office (“ICO”) has released guidance to assist employers in implementing appropriate safeguards as workplaces reopen, titled “Coronavirus Recovery - Six Data Protection Steps for Organisations” (the “guidance”). This guidance sets out the key principles of data protection that should be kept in mind as employers put measures in place to prevent the spread of COVID-19.

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the processing of personal data in the context of reopening borders following the COVID-19 outbreak (the “Statement”).

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the data protection impact of the interoperability of contact tracing apps within the EU (the “Statement”). The EDPB issued this Statement following the publication of “Interoperability guidelines for approved contact tracing mobile applications in the EU” by the eHealth Network on May 13, 2020. In its guidelines, the eHealth Network calls for an interoperable framework in the EU that would enable users to rely on a single contact tracing application regardless of the Member State or region in which they reside.

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). This Law was created to establish an urgent legal framework for the private sector in the context of the COVID-19 crisis. Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”).

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

The Global Privacy Assembly (“GPA”), a forum for data protection and privacy authorities, has established a COVID-19 Taskforce (“the Taskforce”) to advise on best practices, provide insight and drive practical responses regarding privacy issues raised by the pandemic. It aims to provide a balance between enabling governmental responses to the crisis and protecting individuals’ privacy.

On May 25 and May 26, 2020 respectively, the Belgian Data Protection Authority (the “Belgian DPA”) published two opinions on draft laws introducing COVID-19-related tracking initiatives: (1) the Opinion 42/2020 on the draft law for the creation of a database by Sciensano, a public health institution (“Opinion 42/2020”), and (2) the Opinion 43/2020 on the draft law for the use of contact tracing apps to fight the spread of COVID-19 (“Opinion 43/2020”).

The implementation of Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) has been delayed until May 31, 2021.

We previously posted about the Tapplock, Inc. (“Tapplock”) settlement with the Federal Trade Commission (“FTC”) over allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. Earlier this month, the FTC voted 5-0 to approve the settlement.

On the second anniversary of the EU General Data Protection Regulation (the “GDPR”), the Belgian Data Protection Authority (the “Belgian DPA”) published a Statement with some key GDPR-related numbers (the “Statement”).

The Court of Justice of the European Union (“CJEU”) has announced via its Twitter feed that it will deliver its judgement in the Schrems II case (case C-311/18) on July 16, 2020. This judgement will determine the validity of the Standard Contractual Clauses (“SCCs” or Model Clauses) as a transfer mechanism under the General Data Protection Regulation (“GDPR”). SCCs are relied on by many global companies, including Facebook and Microsoft, for international transfers of EU personal data.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill, 2020 (the “Bill”) and launched a public consultation regarding the same. The public consultation period will end on May 15, 2020. The Bill, which applies to “any person who processes” or “has control over or authorizes the processing of” any personal data, if the data subject, the controller or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. In addition, under the Bill, the federal government would, within six months of coming into force, establish a Personal Data Protection Authority of Pakistan with rulemaking authority to enforce the act.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently imposed a €750,000 fine on a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes.

On May 7, 2020, the French Data Protection Authority (the “CNIL”) updated its previous guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak, in particular, in the context of lifting containment measures (the “Updated Guidance”). Some employers may consider implementing systematic body temperature checks at the entrance to their premises. Similarly, employers may wish to assess employees’ exposure to the virus or their health statuses when they return to work. The Updated Guidance analyzes some of these practices and outlines the principles applicable to data processing activities.

On April 25, 2020, the Philippines National Privacy Commission (“NPC”) issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the “Statement”).

On April 30, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Jerry Moran (KS) and Marsha Blackburn (TN), announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020 (“the bill”), which would put temporary rules in place regarding the collection, processing and transfer of data used to combat the spread of the coronavirus. The bill would only apply during the course of the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services, and would only apply to specific uses of certain personal data.

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

California Attorney General (“AG”) Xavier Becerra recently issued an alert emphasizing the rights of California consumers under the California Consumer Privacy Act (“CCPA”) during the COVID-19 pandemic. The alert follows media reports that the AG’s office is “committed to enforcing the law upon finalizing the rules or [by] July 1, whichever comes first,” even with the “new reality created by COVID-19.”

On April 16, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”), published a White Paper (the “White Paper”) on the Role of the Brazilian Data Protection Authority (“ANPD”) under Brazil’s New Data Protection Law (“LGPD”). The White Paper is accompanied by two infographics: 1) the priorities of the Agência Nacional de Proteção de Dados, and 2) the case for an effective Brazil DPA - the ANPD.

As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There also are key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.

On April 13, 2020, the New York Department of Financial Services (“NYDFS”) issued guidance (“April guidance”) to all New York State entities covered under NYDFS’s cybersecurity regulation regarding assessing and addressing heightened cybersecurity risks due to the COVID-19 pandemic. In asking regulated entities to address risks “appropriately,” the April guidance references NYDFS’s earlier March 10, 2020 guidance calling on regulated institutions to submit to the agency (within 30 days of the guidance) plans “to address operational risks posed by the outbreak of a novel coronavirus,” including “assessment[s] of potential increased cyber-attacks and fraud.”

On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).

Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles.

On April 15, 2020, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data for core Human Resources (“HR”) management purposes. That Referential was adopted following a public consultation launched by the CNIL on April 11, 2019. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding HR data processing activities.

On April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Importantly, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.

On April 14, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published an article entitled “COVID-19 Meets Privacy: A Case Study for Accountability” (the “Article”).

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

On March 31, 2020, the Federal Trade Commission (“FTC”) announced that it will hold a workshop on data portability on September 22, 2020. Data portability allows consumers to obtain a copy of the data an organization holds about them (e.g., emails, photos, contacts, calendar, social media content), in a format that can easily be downloaded and transferred to another entity or to themselves. Data portability has been embraced as a consumer right in the EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), and several recent privacy bills at both the state and federal level.

On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).

On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).

On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.

The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On March 10, 2020, the Vermont Attorney General filed a lawsuit against Clearview AI (“Clearview”), alleging that Clearview violated Vermont’s consumer protection law and data broker law. We previously reported on Vermont’s data broker law, which was the first data broker legislation in the U.S.

On March 12, 2020, Senator Jerry Moran (KS) introduced a comprehensive federal privacy bill entitled the Consumer Data Privacy and Security Act of 2020 (the “Act”).

Hunton’s Centre for Information Policy Leadership (“CIPL”) reports on the top privacy-related priorities for this year:

1.  Global Convergence and Interoperability between Privacy Regimes

Around the world, new privacy laws are coming into force and outdated laws continue to be updated: the EU General Data Protection Regulation (“GDPR”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), Thailand’s Personal Data Protection Act, India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (“CCPA”), and the various efforts in the rest of the United States at the federal and state levels. This proliferation of privacy laws is bound to continue.

As reported by Bloomberg Law, on March 12, 2020, the Washington House and Senate were unable to reach consensus on the Washington Privacy Act.  As we reported this January, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill.  In the past two months, the much-discussed bill flew through the Washington Senate and House, but ultimately failed to pass.

The bill’s House version would have provided for a private right of action while the bill’s Senate version would have given sole enforcement authority to the state ...

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

On February 19, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft AI auditing framework guidance for organizations (“Guidance”). The Guidance is open for consultation until April 1, 2020 and responses can be submitted via the ICO’s online survey.

On February 19, 2020, the European Commission (“the Commission”) published a White Paper entitled “a European Approach to Excellence and Trust” on artificial intelligence (“AI”). This followed an announcement in November 2019, from the Commission’s current President, Ursula von der Leyen, that she intended to propose rules to regulate AI within the first 100 days of her Presidency, which commenced on December 1, 2019. This White Paper was published alongside the Commission’s data and digital strategies for Europe.

On February 19, 2020, the European Commission (the “Commission”) released a suite of documents including its White Paper on Artificial Intelligence (“AI”), entitled “a European approach to excellence and trust.” In addition, the Commission published two communications—its European strategy for data and a Digital Strategy document entitled “Shaping Europe’s Digital Future.”