Privacy & Information Security Law Blog

On January 30, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Department of Telecommunications at the Brazilian Ministry of Science, Technology, Innovations and Communications (“MCTIC”) on its public consultation on creating a national Artificial Intelligence (“AI”) strategy for Brazil (the “Consultation”).

On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.

On January 21, 2020, the UK Information Commissioner’s Office (“ICO”) published the final version of its Age Appropriate Design Code (“the code”), which sets out the standards that online services need to meet in order to protect children’s privacy. It applies to providers of information services likely to be accessed by children in the UK, including applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal data.

On January 16, 2020, the Senate approved the United States-Mexico-Canada Agreement (“USMCA”), sending it to the President’s desk for ratification. Mexico ratified the Agreement in June 2019, and Canada is expected to follow suit later this month. To coincide with its ratification, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a white paper entitled What Does the USMCA Mean for a U.S. Federal Privacy Law?

On January 16, 2020, the Federal Trade Commission announced that settlements with five companies of separate allegations that they had falsely claimed certification under the EU-U.S. Privacy Shield framework had been finalized.

2019 was the “Year of the CCPA” as companies around the world worked tirelessly to comply with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA aims to provide data privacy rights for California residents and imposes significant new requirements on covered businesses.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

According to MLex, on January 6, 2020, the Seoul Eastern District Court found Kim Jin-Hwan, a privacy officer of the South Korean travel agency Hana Tour Service Inc., guilty of negligence in failing to prevent a 2017 data breach that affected over 465,000 customers of the agency and 29,000 Hana Tour employees.

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy. Specifically, the Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

• data portability;
• the ability to withdraw, remove and erase basic personal data from a platform;
• the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
• the ability to review and challenge the amount of personal data that a company or government has collected;
• proactive data security requirements;
• the ability to be informed when personal data is breached with appropriate compensation; and,
• the ability to be free from online discrimination including bias and harassment.

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On December 10, 2019, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data in the context of whistleblowing hotlines. The Referential on whistleblowing hotlines was adopted following a public consultation launched by the CNIL on April 11, 2019. It replaces the CNIL’s Single Authorization AU-004 decision regarding such data processing, and anticipates certain changes introduced by the EU Directive on the protection of whistleblowers (Directive (EU) 2019/1937 of October 23, 2019), which EU Member States will have to implement into their national laws by December 17, 2021. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding the operation of a whistleblowing hotline.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

On November 26, 2019, the French Data Protection Authority (the “CNIL”) announced that it had levied a fine of €500,000 on Futura Internationale, a French SME specializing in thermal insulation of private buildings, for various infringements of the EU General Data Protection Regulation (“GDPR”). The infringements related to the company’s direct marketing voice-to-voice calls include failure to (1) comply with the individuals’ objection to the processing of their personal data for direct marketing; (2) process only relevant personal data (by recording excessive comments in the CRM software); (3) provide sufficient notice regarding the recording of phone calls and data processing;  (4) cooperate with the CNIL; and (5) implement appropriate data transfer mechanisms for the data transfers to non-EU call center providers.

As reported by Russian law firm Alrud, on November 21, 2019, the Russian State Duma passed a bill (the “Bill”) that would increase the minimum fines that may be imposed for violations of Russia’s data protection laws. The Bill would allow for maximum administrative fines of 18 million RUB (approximately $282,000 USD) for violations of Russia’s data localization requirement, which requires entities processing personal data of Russian citizens to process that data in databases located within the territory of Russia. This represents a significant departure from the maximum administrative fines that may be imposed for other data protection violations in Russia as it is significantly higher than other potential penalties.

At its 15th plenary meeting, the European Data Protection Board (“EDPB”) adopted the final guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”), taking into account the feedback it received during the public consultation of its draft guidelines published on November 23, 2018.

On November 26, 2019, the European Data Protection Supervisor’s office (“EDPS”) and the European Parliament announced that Wojciech Wiewiórowski, currently Assistant Supervisor and acting replacement for the European Data Protection Supervisor Giovanni Buttarelli, will officially be the new European Data Protection Supervisor for the new term of office. The Committee of the Permanent Representatives of the Governments of Member States to the European Union (“COREPER”) and the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (“LIBE”) confirmed Wojciech Wiewiórowski for a 5-year mandate as European Data Protection Supervisor. In the following days, the European Parliament and Council of the European Union will proceed to formally appoint Wojciech Wiewiórowski as the new European Data Protection Supervisor. Wojciech Wiewiórowski has served as Assistant Supervisor since December 2014. Earlier in his career, Wojciech Wiewiórowski was the Inspector General for the Protection of Personal Data at the Polish Data Protection Authority.

On November 13, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 4/2019 (the “Guidelines”) on the obligation of Data Protection by Design and by Default (“DPbDD”) set out under Article 25 of the EU General Data Protection Regulation (“GDPR”).

On November 19, 2019, the Federal Trade Commission announced that Medable, Inc. (“Medable”) agreed to settle allegations that the company had misrepresented its participation in the EU-U.S. Privacy Shield program. The FTC alleged that, from December 2017 to October 2018, Medable falsely claimed in its online privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the framework’s principles. According to the complaint, although Medable did initiate an application with the Department of Commerce in December 2017, the company never completed the steps necessary to participate in the framework.

On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.

On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology - Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

On October 30, 2019, Facebook reached a settlement with the UK Information Commissioner’s Office (“ICO”) under which it agreed to pay (without admission of liability) the £500,000 fine imposed by the ICO in 2018 in relation to the processing and sharing of its users’ personal data with Cambridge Analytica.

On November 19, 2019, Hunton Andrews Kurth will host an in-person breakfast briefing in the firm’s London office to explore the California Consumer Privacy Act (“CCPA”), against the backdrop of the EU General Data Protection Regulation (“GDPR”).

In the seminar, we will discuss:

• The CCPA in the context of the GDPR, covering the similarities and differences between the frameworks
•  Key CCPA obligations
• The CCPA’s approach to enforcement and penalties
• How businesses are approaching CCPA compliance, and leveraging their GDPR work

The event will be led by Hunton partners ...

On October 22, 2019, the French Data Protection Authority (the “CNIL”) published a list of processing operations (in French) that it considers not requiring a data protection impact assessment (“DPIA”). The CNIL had previously adopted and published a final list of processing operations requiring a DPIA on November 6, 2018. The final list includes 12 types of processing operations for which a DPIA is not considered mandatory. The CNIL provided concrete examples for each type of processing operation, including:

On October 4, 2019, the Presidency of the European Council published its revised text (the “Revised Draft”) of the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Revised Draft was released in preparation for the Working Party on Telecommunications and Information Society’s meeting, which took place on October 11, 2019 (the “WP Tele”) and introduces limited amendments compared to the draft amendments proposed by the Presidency of the European Council last month.

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On October 1, 2019, China’s Provisions on Cyber Protection of Children’s Personal Information (“Provisions”) became effective. The Cyberspace Administration of China had released the Provisions on August 23, 2019, and they are the first rules focusing on the protection of children’s personal information in China.

On September 25, 2019, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Instituto Brasiliense de Direito Público (“IDP”) had the first of a series of workshops for their joint project on “Brazilian Data Protection Implementation and Effective Regulation.” This is an exclusive project that aims to contribute to the debates around the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais (“LGPD”)), including the development of good practices for data governance and the implementation and enforcement of this law. As part of this project, CIPL will organize additional multi-stakeholder workshops, webinars and training sessions, and prepare white papers on key topics for data protection in Brazil.

On October 2, 2019, the UK Court of Appeal handed down its judgment on the appeal in Richard Lloyd v. Google LLC, in which Richard Lloyd, a consumer protection advocate, seeks to bring a representative action on behalf of four million Apple iPhone users against Google LLC in the United States. Previously, the High Court had refused to grant permission for the proceedings to be served outside the UK. The Court of Appeal reversed the High Court’s judgment, granting permission for service outside the UK and allowing the representative action to proceed. The judgment is significant as it paves the way for representative actions (equivalent to class actions) for data protection infringements in the UK.

On October 15, 2019, Hunton Andrews Kurth will host a luncheon seminar in our Brussels office on Addressing GDPR Challenges: An Interactive Session on Handling Data Breaches. In this roundtable discussion, our speakers will lead a dialogue to share experiences on handling data breaches under the EU General Data Protection Regulation (“GDPR”).

On October 1, 2019, the Court of Justice of the European Union (“CJEU”) issued its decision in an important case involving consent for the use of cookies by a German business called Planet49. Importantly, the Court held that (1) consent for cookies cannot be lawfully established through the use of pre-ticked boxes, and (2) any consent obtained regarding cookies cannot be sufficiently informed in compliance with applicable law if the user cannot reasonably comprehend how the cookies employed on a given website will function.

On September 17, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of EUR 10,000 on a shop for the disproportionate use of customers’ electronic identity cards (the “eIDs ”) – a national identification card.

On September 27, 2019, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP submitted comments on Innovation, Science and Economic Development Canada’s Proposals to Modernize the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (the “Comments”).

On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).

On September 23, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced that it completed its consultation on transfers for processing and that the OPC’s current guidelines for processing personal data across borders remain unchanged. Under these guidelines, consent for transfers to data processors generally is not required.

On September 20, 2019, the Philippines National Privacy Commission (“NPC”) announced it has filed its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system. The Philippines would be the ninth member of the CBPR system, joining the U.S., Mexico, Canada, Japan, South Korea, Singapore, Australia and Chinese Taipei.

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).

Ecuador is seeking to pass a data protection bill in the wake of a massive data breach that resulted in the personal data of up to 20 million people being made available online. According to reports, the bill draws on the EU General Data Protection Regulation (“GDPR”) in certain ways—for example, as relates to international data transfers—but diverges in other respects. The data protection bill headed to Ecuador’s national assembly today.

On September 18, 2019, the Presidency of the European Council published its proposed amendments to the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Draft ePrivacy Regulation will replace the ePrivacy Directive and will complete the EU’s framework for data protection and confidentiality of electronic communications.

On September 10, 2019, the French data protection authority (the “CNIL”) updated its existing set of questions and answers (“FAQs”) on the impact of a no-deal Brexit on data transfers from the EU to the UK and how controllers should prepare.

On September 6, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on processing of personal data through video devices (the “Guidelines”). The Guidelines were adopted on July 10, 2019, for public consultation.

The Cayman Islands Data Protection Law, 2017 (“DPL”), which was published in June 2017, will go into force on September 30, 2019. The DPL includes requirements for the protection of personal data and is centered upon eight data protection principles. According to the newly minted Cayman Islands data protection authority, the DPL aligns the Cayman Islands with other major jurisdictions around the world. It includes many concepts that exist in other comprehensive data protection laws, such as the EU General Data Protection Regulation. For example, the DPL includes personal data processing limitations, individual data subject rights, data breach notification obligations and cross-border transfer restrictions.

On September 4, 2019, the High Court of England and Wales dismissed a challenge to South Wales Police’s use of Automated Facial Recognition technology (“AFR”). The Court determined that the police’s use of AFR had been necessary and proportionate to achieve their statutory obligations.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP is pleased to announce Matthew Starr and Giovanna Carloni have joined CIPL, adding to its expertise in global privacy and data protection policy.

On August 21, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) published a press release informing of its intention to further investigate a data breach that was notified by Adecco Belgium, a temporary employment agency. The data breach affected thousands of biometric data, including fingerprints and images allowing facial recognition, and was suffered by the company Suprema. The compromised data included approximately 2,000 fingerprints of Adecco Belgium’s employees.

On August 21, 2019, the Swedish Data Protection Authority (the “Swedish DPA”) imposed its first fine since the EU General Data Protection Regulation (“GDPR”) came into effect in May, 2018. The Swedish DPA fined a school 200,000 Swedish Kroner for creating a facial recognition program in violation of the GDPR.

On August 15, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it had launched an investigation into the use of live facial recognition technology at the King’s Cross development in London. This follows a letter sent by the mayor of London, Sadiq Khan, to the owner of the development inquiring as to whether the use of the software was legal. The company responsible for the technology said it was used for the purposes of public safety.

On August 15, 2019, the UK Information Commissioner’s Office updated its guidance on the timescale for responding to data subject access requests under the EU General Data Protection Regulation, following a ruling of the Court of Justice of the European Union . The guidance now states that the time limit should be calculated from the day that the request is received, whether or not it is a working day. For example, if a request is received on September 3, the time limit will commence on that date and the response should be provided to the data subject by October 3 ...

On August 12, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced its intent to approve Nederland ICT’s Data Pro Code (the “Code”), a code of conduct for the ICT sector. Nederland ICT represents data processors from the IT sector. Data processors that process personal data on behalf of and for a data controller can join this code of conduct. The draft decision of the Dutch DPA regarding the Code was published in the Official Journal of the Netherlands (the “Staatscourant”) on August 12 and interested parties have six weeks to submit their opinion on the draft decision.

On August 7, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper titled Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses under the GDPR (the “White Paper”). The White Paper was submitted to the European Commission as part of its ongoing work to update EU Standard Contractual Clauses for international transfers (“SCCs”).

On August 5, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP responded to the Office of the Privacy Commissioner of Canada’s (“OPC”) reframed consultation on transfers for processing. The reframed consultation replaced a previously suspended OPC consultation dealing with the same topic to which CIPL had also responded.

On July 29, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV. The Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) requested a preliminary ruling from the CJEU on several provisions of the former EU Data Protection Directive of 1995, which was still applicable to the case since the court proceedings had started before the implementation of the EU General Data Protection Regulation (“GDPR”).

On July 29, 2019, the UK Information Commissioner’s Office (“ICO”) announced the 10 projects that it has selected, out of 64 applicants, to participate in its sandbox. The sandbox, for which applications opened in April 2019, is designed to support organizations in developing innovative products and services with a clear public benefit. The ICO aims to assist the 10 organizations in ensuring that the risks associated with the projects’ use of personal data is mitigated. The selected participants cover a number of sectors, including travel, health, crime, housing and artificial intelligence.

On July 25, 2019, the French Data Protection Authority (the “CNIL”) published new template records of data processing activities pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”). This provision requires organizations subject to the GDPR to maintain internal records of data processing activities. The CNIL recalled that such records are a key accountability tool under the GDPR for identifying, understanding and controlling data processing activities. Setting up and maintaining these records provide businesses with the opportunity to ask the right questions and limit privacy risks under the GDPR. According to the CNIL, this is also a useful moment to set up a data protection compliance action plan.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). Although the Guidelines provide examples of data processing for video surveillance, these examples are not exhaustive. The Guidelines aim to provide guidance on how to apply the EU General Data Protection Regulation (“GDPR”) in all potential areas of video device use.

On July 16, 2019, the European Data Protection Board (the “EDPB”) published its Annual Report for 2018 (the “Report”). The Report highlights that the EDPB (1) endorsed 16 guidelines previously adopted by the Article 29 Working Party; (2) adopted four additional guidelines to clarify provisions of the GDPR; (3) adopted 26 consistency opinions to guarantee the consistent application of the EU General Data Protection Regulation (“GDPR”) by the EU data protection authorities; and (4) issued two opinions in the context of the legislative consultation process, as well as a statement on its own initiative and on the draft ePrivacy Regulation.

On July 23, 2019, APEC issued a press release announcing the recent appointment of the Infocomm Media Development Authority (“IMDA”) as Singapore’s Accountability Agent for the APEC Cross-Border Privacy Rules (“CBRP”) and APEC Privacy Recognition for Processors (“PRP”). This makes Singapore the third APEC economy that has fully operationalized its participation in the CBPR system, following the United States, which has two CBPR Accountability Agents, and Japan, which has one CBPR Accountability Agent.

On July 18, 2019, the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and similar technologies (the “Guidelines”). As announced by the CNIL in its action plan on targeted advertising for 2019-2020, its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines therefore repeal the CNIL’s 2013 recommendations on cookies and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements.

On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).

While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.

On July 9, 2019, the European Data Protection Board (the “EDPB”) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment (the “Opinion”) at the request of the French and the Swedish data protection authorities (“DPAs”).

Background – The French and Swedish DPAs’ Initial Request

Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.

On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.

On July 4, 2019, the European Commission published a factsheet on artificial intelligence (“AI”) for Europe (the “Factsheet”). In the Factsheet, the European Commission underlines the importance of AI and its role in improving people’s lives and bringing major benefits to the society and economy. In addition, the Factsheet also describes the EU’s role in AI and the financial investments the Commission is planning to make in AI. The factsheet also includes some examples of projects conducted by the Commission in AI (including in agriculture, data and eHealth, public administration and services, and transport and manufacturing).

On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 (approximately $124 million) for infringements of the EU General Data Protection Regulation (“GDPR”). The ICO’s announcement followed Marriott’s notification of the proposed fine to the U.S. Securities and Exchange Commission (“SEC”).

On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.

On July 8, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it intends to fine British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., £183,390,000 (approximately $230,000,000) for violating the EU General Data Protection Regulation (“GDPR”). This is the first fine to be announced publicly by the ICO under the GDPR and hints at the tough stance it is likely to take with regard to future breaches.

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.

To mark the GDPR’s one-year anniversary, the European Commission recently published the results of two surveys meant to illuminate the public’s awareness of the GDPR and its practical applications.

On June 20, 2019, the Senate confirmed Keith Krach as Under Secretary of State for Economic Growth, Energy, and Environment. The former DocuSign and Ariba CEO, nominated by President Trump in January of 2019, will function as the permanent ombudsperson for the EU-U.S. Privacy Shield agreement as part of his role, addressing complaints related to U.S. protection of EU data.

On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.

On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.

On June 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) launched a public consultation on direct marketing with a view to updating its Recommendation No. 02/2013 of January 30, 2013 on direct marketing (the “Direct Marketing Recommendation”).

On May 31, 2019, the Asia-Pacific Economic Cooperation (“APEC”) endorsed Schellman & Company as the second U.S. “Accountability Agent” overseeing the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. Along with TrustArc, Schellman & Company will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR and PRP systems.

On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) hosted a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers (“SCCs”). More than 30 privacy leaders joined together to discuss the challenges of the current SCCs and provide their insights on the updated versions. Hunton partner David Dumont led the discussion, while CIPL President Bojana Bellamy illuminated CIPL’s work in this area. The session also featured Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers.

On June 1, 2019, New Decree No. 2019-536 (the “Implementing Decree”) took force, enabling the French Data Protection Act, as amended by an Ordinance of December 12, 2018, likewise to enter into force. This marks the completion of the adaption of French law to the EU General Data Protection Regulation (“GDPR”) and the EU Police and Criminal Justice Directive (Directive (EU) 2016/680).

On May 30, 2019, the UK Information Commissioner’s Office (“ICO”) published its reflections on the year that has passed since the implementation of the EU General Data Protection Regulation (“GDPR”), together with a blog post by Elizabeth Denham, the UK Information Commissioner.

On May 31, 2019, the Cyberspace Administration of China (the “CAC”) published Draft Regulations on Network Protection of Minor’s Personal Information (the “Draft Regulations”), timing the release to coincide with International Children’s Day. The Draft Regulations, based on the existing Cybersecurity Law of China (the “Cybersecurity Law”), is more protective of minors’ information than the Information Security Technology — Personal Information Security Specification (GB/T 35273 – 2017) (the “Specification”) and its draft amendment, which also address some limited provisions on network operators’ use and treatment of minors’ information.

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted comments to the UK Information Commissioner’s Office (the “ICO”) public consultation on its draft code of practice for age appropriate design for online services (the “Code”).

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.

On May 31, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges (the “White Paper”). In addition, CIPL submitted the White Paper along with a separate response to the European Commission’s questionnaire to prepare for the June 2019 stocktaking exercise on the application of the EU General Data Protection Regulation (“GDPR”).

On June 12, 2019, Hunton Andrews Kurth and its Centre for Information Policy Leadership (“CIPL”) will host a roundtable discussion in the firm’s Brussels office on the update of the EU Standard Contractual Clauses for international data transfers. The seminar will feature Ms. Cristina Monti, Policy Officer in the International Data Flows and Protection Unit of the EU Commission DG Justice and Consumers. Participants will:

On May 28, 2019, shortly after the appointment of the new Belgian commissioner and the Director of the Litigation Chamber, the Belgian Data Protection Authority (the “Belgian DPA”) imposed its first fine since the EU General Data Protection Regulation ( “GDPR”) came into effect. The Belgian DPA fined a Belgian mayor EUR 2,000 for abusive use of personal data obtained in the context of his mayoral functions for election campaign purposes.

On May 27, 2019, the Irish government announced that Helen Dixon, who currently serves as Irish Data Protection Commissioner, was appointed to a second five-year term in her position. Her reappointment was approved by a May 27 Cabinet vote.

On May 24, 2019, the Cyberspace Administration of China (the “CAC”), together with eleven other relevant government authorities, jointly released the draft Cybersecurity Review Measures for public comment. The deadline for public comment is June 24, 2019.

On May 27, 2019, Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”), which was passed by the National Legislative Assembly on February 28, 2019, was finally published in the Government Gazette, and thus became effective on May 28, 2019. Although now effective, the main operative provisions concerning personal data protection (including requests for data subjects’ consent; collection/use and disclosure of personal data; rights of data subjects; complaints; civil liabilities and penalties) will not come into force until one year after their ...

As reported by Bloomberg Law, on May 24, 2019, the Office of the Privacy Commissioner of Canada (the “OPC”) suspended its public consultation on transborder data flows (the “Consultation”). The suspension follows the announcement of the Digital Charter by the Canadian government, which puts forward principles for digital reform, including improvements to Canadian privacy law.

On May 22, 2019, the European Data Protection Board (the “EDPB”) published on its website a summary of enforcement actions taken by the European Economic Area Supervisory Authorities (“EEA Supervisory Authorities”) one year after the entry into force of the General Data Protection Regulation (the “GDPR”). Reflecting on the growing numbers of data controllers designating a lead supervisory authority, the EDPB reported that of the 446 cross-border cases opened by EEA Supervisory Authorities, 205 of these cases have led to One-Stop-Shop procedures. The EDPB ...

At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.

On April 11, 2019, the People’s Republic of China’s Network Security Bureau of the Ministry of Public Security, the Beijing Network Industry Association and the Third Research Institution of the Ministry of Public Security jointly released a “Guide to Protection of Security of Internet Personal Information (the “Guide”). The Guide presents itself as a reference, rather than a legally-enforceable regulation, but how it will interact with cybersecurity-related law, regulations and standards in practice remains to be seen.

The French Data Protection Authority (the “CNIL”) recently published its Annual Activity Report for 2018 (the “Report”) and released its annual inspection program for 2019.