Privacy & Information Security Law Blog

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4. Although many measures remain in place to prevent the virus’ spread, certain businesses, including restaurants and pubs, will be able to reopen in the UK, with the recommendation that staff-customer contact be minimized.

On June 18, 2020, Senator Sherrod Brown (OH) released a discussion draft of a privacy bill entitled the Data Accountability and Transparency Act of 2020 (“the Bill”). The Bill would provide individuals with several new rights regarding their personal data; implement rules limiting how personal data is collected, used or shared; and establish a new federal agency called the Data Accountability and Transparency Agency to protect individuals’ privacy and enforce those rules.

On June 11, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response (the “Response”) to the European Commission’s consultation regarding its white paper on “a European Approach to Excellence and Trust” on artificial intelligence (the “White Paper”).

On June 19, 2020, France’s Highest Administrative Court (the “Conseil d’Etat”) issued a decision partially annulling the guidelines of the French Data Protection Authority (the “CNIL”) on cookies and similar technologies (the “Guidelines”). The Conseil d’Etat annulled the provision of the Guidelines imposing a general and absolute ban on ‘cookie walls’ that prevent users who do not consent to the use of cookies from accessing a site or mobile app. However, the Conseil d’Etat upheld the main part of the Guidelines. On the day of the Conseil d’Etat’s decision, the CNIL published a statement (the “Statement”) announcing that they took note of the decision and will strictly comply with it.

The UK Information Commissioner’s Office (“ICO”) has released guidance to assist employers in implementing appropriate safeguards as workplaces reopen, titled “Coronavirus Recovery - Six Data Protection Steps for Organisations” (the “guidance”). This guidance sets out the key principles of data protection that should be kept in mind as employers put measures in place to prevent the spread of COVID-19.

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the processing of personal data in the context of reopening borders following the COVID-19 outbreak (the “Statement”).

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the data protection impact of the interoperability of contact tracing apps within the EU (the “Statement”). The EDPB issued this Statement following the publication of “Interoperability guidelines for approved contact tracing mobile applications in the EU” by the eHealth Network on May 13, 2020. In its guidelines, the eHealth Network calls for an interoperable framework in the EU that would enable users to rely on a single contact tracing application regardless of the Member State or region in which they reside.

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). This Law was created to establish an urgent legal framework for the private sector in the context of the COVID-19 crisis. Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”).

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

The Global Privacy Assembly (“GPA”), a forum for data protection and privacy authorities, has established a COVID-19 Taskforce (“the Taskforce”) to advise on best practices, provide insight and drive practical responses regarding privacy issues raised by the pandemic. It aims to provide a balance between enabling governmental responses to the crisis and protecting individuals’ privacy.

On May 25 and May 26, 2020 respectively, the Belgian Data Protection Authority (the “Belgian DPA”) published two opinions on draft laws introducing COVID-19-related tracking initiatives: (1) the Opinion 42/2020 on the draft law for the creation of a database by Sciensano, a public health institution (“Opinion 42/2020”), and (2) the Opinion 43/2020 on the draft law for the use of contact tracing apps to fight the spread of COVID-19 (“Opinion 43/2020”).

The implementation of Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”) has been delayed until May 31, 2021.

We previously posted about the Tapplock, Inc. (“Tapplock”) settlement with the Federal Trade Commission (“FTC”) over allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. Earlier this month, the FTC voted 5-0 to approve the settlement.

On the second anniversary of the EU General Data Protection Regulation (the “GDPR”), the Belgian Data Protection Authority (the “Belgian DPA”) published a Statement with some key GDPR-related numbers (the “Statement”).

The Court of Justice of the European Union (“CJEU”) has announced via its Twitter feed that it will deliver its judgement in the Schrems II case (case C-311/18) on July 16, 2020. This judgement will determine the validity of the Standard Contractual Clauses (“SCCs” or Model Clauses) as a transfer mechanism under the General Data Protection Regulation (“GDPR”). SCCs are relied on by many global companies, including Facebook and Microsoft, for international transfers of EU personal data.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill, 2020 (the “Bill”) and launched a public consultation regarding the same. The public consultation period will end on May 15, 2020. The Bill, which applies to “any person who processes” or “has control over or authorizes the processing of” any personal data, if the data subject, the controller or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. In addition, under the Bill, the federal government would, within six months of coming into force, establish a Personal Data Protection Authority of Pakistan with rulemaking authority to enforce the act.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently imposed a €750,000 fine on a company for unlawful processing of employees’ fingerprints for attendance taking and time registration purposes.

On May 7, 2020, the French Data Protection Authority (the “CNIL”) updated its previous guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak, in particular, in the context of lifting containment measures (the “Updated Guidance”). Some employers may consider implementing systematic body temperature checks at the entrance to their premises. Similarly, employers may wish to assess employees’ exposure to the virus or their health statuses when they return to work. The Updated Guidance analyzes some of these practices and outlines the principles applicable to data processing activities.

On April 25, 2020, the Philippines National Privacy Commission (“NPC”) issued a statement that it is investigating several breach notifications it has received relating to the unauthorized disclosure of sensitive personal information of confirmed and suspected COVID-19 patients (the “Statement”).

On April 30, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Jerry Moran (KS) and Marsha Blackburn (TN), announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020 (“the bill”), which would put temporary rules in place regarding the collection, processing and transfer of data used to combat the spread of the coronavirus. The bill would only apply during the course of the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services, and would only apply to specific uses of certain personal data.

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

California Attorney General (“AG”) Xavier Becerra recently issued an alert emphasizing the rights of California consumers under the California Consumer Privacy Act (“CCPA”) during the COVID-19 pandemic. The alert follows media reports that the AG’s office is “committed to enforcing the law upon finalizing the rules or [by] July 1, whichever comes first,” even with the “new reality created by COVID-19.”

On April 16, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”), published a White Paper (the “White Paper”) on the Role of the Brazilian Data Protection Authority (“ANPD”) under Brazil’s New Data Protection Law (“LGPD”). The White Paper is accompanied by two infographics: 1) the priorities of the Agência Nacional de Proteção de Dados, and 2) the case for an effective Brazil DPA - the ANPD.

As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There also are key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.

On April 13, 2020, the New York Department of Financial Services (“NYDFS”) issued guidance (“April guidance”) to all New York State entities covered under NYDFS’s cybersecurity regulation regarding assessing and addressing heightened cybersecurity risks due to the COVID-19 pandemic. In asking regulated entities to address risks “appropriately,” the April guidance references NYDFS’s earlier March 10, 2020 guidance calling on regulated institutions to submit to the agency (within 30 days of the guidance) plans “to address operational risks posed by the outbreak of a novel coronavirus,” including “assessment[s] of potential increased cyber-attacks and fraud.”

On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).

Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles.

On April 15, 2020, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data for core Human Resources (“HR”) management purposes. That Referential was adopted following a public consultation launched by the CNIL on April 11, 2019. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding HR data processing activities.

On April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Importantly, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.

On April 14, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published an article entitled “COVID-19 Meets Privacy: A Case Study for Accountability” (the “Article”).

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

On March 31, 2020, the Federal Trade Commission (“FTC”) announced that it will hold a workshop on data portability on September 22, 2020. Data portability allows consumers to obtain a copy of the data an organization holds about them (e.g., emails, photos, contacts, calendar, social media content), in a format that can easily be downloaded and transferred to another entity or to themselves. Data portability has been embraced as a consumer right in the EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), and several recent privacy bills at both the state and federal level.

On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).

On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).

On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.

The French Data Protection Authority (the “CNIL”) recently issued guidance for employers relating to the processing of employee and visitor personal data in the context of the COVID-19 outbreak (the “Guidance”). The Guidance outlines some of the principles relating to those data processing activities.

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On March 10, 2020, the Vermont Attorney General filed a lawsuit against Clearview AI (“Clearview”), alleging that Clearview violated Vermont’s consumer protection law and data broker law. We previously reported on Vermont’s data broker law, which was the first data broker legislation in the U.S.

On March 12, 2020, Senator Jerry Moran (KS) introduced a comprehensive federal privacy bill entitled the Consumer Data Privacy and Security Act of 2020 (the “Act”).

Hunton’s Centre for Information Policy Leadership (“CIPL”) reports on the top privacy-related priorities for this year:

1.  Global Convergence and Interoperability between Privacy Regimes

Around the world, new privacy laws are coming into force and outdated laws continue to be updated: the EU General Data Protection Regulation (“GDPR”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), Thailand’s Personal Data Protection Act, India’s and Indonesia’s proposed bills, California’s Consumer Privacy Act (“CCPA”), and the various efforts in the rest of the United States at the federal and state levels. This proliferation of privacy laws is bound to continue.

As reported by Bloomberg Law, on March 12, 2020, the Washington House and Senate were unable to reach consensus on the Washington Privacy Act.  As we reported this January, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill.  In the past two months, the much-discussed bill flew through the Washington Senate and House, but ultimately failed to pass.

The bill’s House version would have provided for a private right of action while the bill’s Senate version would have given sole enforcement authority to the state ...

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”

On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

On February 19, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft AI auditing framework guidance for organizations (“Guidance”). The Guidance is open for consultation until April 1, 2020 and responses can be submitted via the ICO’s online survey.

On February 19, 2020, the European Commission (“the Commission”) published a White Paper entitled “a European Approach to Excellence and Trust” on artificial intelligence (“AI”). This followed an announcement in November 2019, from the Commission’s current President, Ursula von der Leyen, that she intended to propose rules to regulate AI within the first 100 days of her Presidency, which commenced on December 1, 2019. This White Paper was published alongside the Commission’s data and digital strategies for Europe.

On February 19, 2020, the European Commission (the “Commission”) released a suite of documents including its White Paper on Artificial Intelligence (“AI”), entitled “a European approach to excellence and trust.” In addition, the Commission published two communications—its European strategy for data and a Digital Strategy document entitled “Shaping Europe’s Digital Future.”

On February 9, 2020, amidst the ongoing coronavirus outbreak ("2019-nCoV”) in China, in order to protect personal information collected during the fight against coronavirus, such as the personal data of diagnosed patients, suspected patients and individuals who have been in close contact with diagnosed patients, the Cyberspace Administration of China released a Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control (the “Circular”) to emphasize the protection of relevant personal data.

At this point, most companies doing business in California are aware of the California Consumer Privacy Act (“CCPA”), and most have been bracing for the eventual onslaught of class action litigation to follow its passage.

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently announced the publication of a report entitled “Cybersecurity and Resiliency Observations.” The report summarizes the observations gleaned from OCIE’s cybersecurity examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

On January 13, 2020, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill, in both the state Senate and House of Representatives. It would apply to companies conducting business in Washington or who provide products or services to Washington residents.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

According to MLex, on January 6, 2020, the Seoul Eastern District Court found Kim Jin-Hwan, a privacy officer of the South Korean travel agency Hana Tour Service Inc., guilty of negligence in failing to prevent a 2017 data breach that affected over 465,000 customers of the agency and 29,000 Hana Tour employees.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy.

On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On December 10, 2019, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data in the context of whistleblowing hotlines. The Referential on whistleblowing hotlines was adopted following a public consultation launched by the CNIL on April 11, 2019. It replaces the CNIL’s Single Authorization AU-004 decision regarding such data processing, and anticipates certain changes introduced by the EU Directive on the protection of whistleblowers (Directive (EU) 2019/1937 of October 23, 2019), which EU Member States will have to implement into their national laws by December 17, 2021. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding the operation of a whistleblowing hotline.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

As reported by Russian law firm Alrud, on November 21, 2019, the Russian State Duma passed a bill (the “Bill”) that would increase the minimum fines that may be imposed for violations of Russia’s data protection laws. The Bill would allow for maximum administrative fines of 18 million RUB (approximately $282,000 USD) for violations of Russia’s data localization requirement, which requires entities processing personal data of Russian citizens to process that data in databases located within the territory of Russia. This represents a significant departure from the maximum administrative fines that may be imposed for other data protection violations in Russia as it is significantly higher than other potential penalties.

On November 13, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 4/2019 (the “Guidelines”) on the obligation of Data Protection by Design and by Default (“DPbDD”) set out under Article 25 of the EU General Data Protection Regulation (“GDPR”).

On November 18, 2019, the ranking members from four Senate Committees (Senator Maria Cantwell (WA) from Commerce, Senator Dianne Feinstein (CA) from Judiciary, Senator Sherrod Brown (OH), and Senator Patty Murray (WA) from Health, Education, Labor and Pensions) released a set of “core principles” for federal privacy legislation.

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...

On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).

On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).

California marked the end of the 2019 legislative session this past Friday, September 13, by passing five out of six pending bills to amend the California Consumer Privacy Act of 2018 (“CCPA”). The bills – AB-25, AB-874, AB-1146, AB-1355 and AB-1564 – now head to California Governor Newsom’s desk for signature, which must occur by October 13 for the bills to be signed into law. The only pending bill not to pass was AB-846, which would have addressed the law’s application to customer loyalty programs; it was ordered to the inactive file at the request of Senator Jackson.

The Cayman Islands Data Protection Law, 2017 (“DPL”), which was published in June 2017, will go into force on September 30, 2019. The DPL includes requirements for the protection of personal data and is centered upon eight data protection principles. According to the newly minted Cayman Islands data protection authority, the DPL aligns the Cayman Islands with other major jurisdictions around the world. It includes many concepts that exist in other comprehensive data protection laws, such as the EU General Data Protection Regulation. For example, the DPL includes personal data processing limitations, individual data subject rights, data breach notification obligations and cross-border transfer restrictions.

On August 21, 2019, the Swedish Data Protection Authority (the “Swedish DPA”) imposed its first fine since the EU General Data Protection Regulation (“GDPR”) came into effect in May, 2018. The Swedish DPA fined a school 200,000 Swedish Kroner for creating a facial recognition program in violation of the GDPR.

On June 1, 2019, New Decree No. 2019-536 (the “Implementing Decree”) took force, enabling the French Data Protection Act, as amended by an Ordinance of December 12, 2018, likewise to enter into force. This marks the completion of the adaption of French law to the EU General Data Protection Regulation (“GDPR”) and the EU Police and Criminal Justice Directive (Directive (EU) 2016/680).

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

On May 27, 2019, Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”), which was passed by the National Legislative Assembly on February 28, 2019, was finally published in the Government Gazette, and thus became effective on May 28, 2019. Although now effective, the main operative provisions concerning personal data protection (including requests for data subjects’ consent; collection/use and disclosure of personal data; rights of data subjects; complaints; civil liabilities and penalties) will not come into force until one year after their ...

On April 15, 2019, the UK Information Commissioner’s Office (the “ICO”) issued for public consultation a draft code of practice, “Age Appropriate Design,” that will regulate the provision of online services likely to be accessed by children in the UK. Given the extraterritorial reach of the UK Data Protection Act 2018, organizations based outside of the UK may be subject to the code, which is expected to take effect by the end of 2019. The deadline for responding to the public consultation is May 31, 2019.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

On April 15, 2019, the Greek Data Protection Authority (“DPA”) fined Hellenic Petroleum S.A. EUR 20,000 for unlawful processing of personal data and EUR 10,000 for failing to adopt appropriate data security measures.

On April 22, 2019, Washington state legislators voted to send HB 1071 (the “Bill”) to Governor Jay Inslee for consideration. The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018.

On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).

On April 12, 2019, Senator Edward J. Markey (MA) introduced the Privacy Bill of Rights Act (the “Act”), comprehensive privacy legislation intended to protect individuals’ “personal information,” defined as “information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to, a particular individual.” This definition is substantially similar to the definition of “personal information” contained in the California Consumer Privacy Act of 2018. The Act also includes an enumerated list of examples that constitute “personal information” and specifically excludes certain publicly available information from the term.

On April 11, 2019, the French Data Protection Authority (the “CNIL”) launched an online public consultation regarding two new CNIL draft standards (“Referentials”) concerning the processing of personal data for (1) core HR management purposes and (2) the operation of a whistleblowing hotline.

On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”).

On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident, including (1) location information, stored data or transmitted data of an electronic device, and (2) data that is stored with a “remote computing service provider” (i.e., data stored in digital devices or servers).  The law provides for situations in which law enforcement may obtain such information without a warrant.

On February 28, 2019, Thailand’s National Legislative Assembly finally approved and endorsed the draft Personal Data Protection Act (the “PDPA”), which will now be submitted for royal endorsement and subsequent publication in the Government Gazette. Publication is anticipated to occur within the next few weeks.

On January 10, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the case of Google v. CNIL, which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views concerning the territorial scope of the right to be forgotten under the relevant EU Data Protection Directive in the case at hand.

On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions:

On December 20, 2018, the French data protection authority (the “CNIL”) announced that it levied a €400,000 fine on Uber France SAS, the French establishment of Uber B.V. and Uber Technologies Inc., for failure to implement some basic security measures that made possible the 2016 Uber data breach.

The Agency of Access to Public Information (Agencia de Acceso a la Información Pública) (“AAIP”) has approved a set of guidelines for binding corporate rules (“BCRs”), a mechanism that multinational companies may use in cross-border data transfers to affiliates in countries with inadequate data protection regimes under the AAIP.