Privacy & Information Security Law Blog

As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.

On July 23, 2019, APEC issued a press release announcing the recent appointment of the Infocomm Media Development Authority (“IMDA”) as Singapore’s Accountability Agent for the APEC Cross-Border Privacy Rules (“CBRP”) and APEC Privacy Recognition for Processors (“PRP”). This makes Singapore the third APEC economy that has fully operationalized its participation in the CBPR system, following the United States, which has two CBPR Accountability Agents, and Japan, which has one CBPR Accountability Agent.

On July 18, 2019, the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and similar technologies (the “Guidelines”). As announced by the CNIL in its action plan on targeted advertising for 2019-2020, its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines therefore repeal the CNIL’s 2013 recommendations on cookies and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements.

On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

On July 22, 2019, the Federal Trade Commission announced that Equifax Inc. (“Equifax”) agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement agreement with the FTC, the Consumer Financial Protection Bureau (“CFPB”), and 48 U.S. states and territories to resolve investigations into the colossal data breach the company suffered in 2017. This is the largest data breach settlement in U.S. history.

According to media reports, the Federal Trade Commission has approved a multimillion dollar fine as part of a settlement with Google related to the FTC’s investigation into YouTube’s children’s data privacy practices. The FTC found that, in violation of COPPA, Google had failed to adequately protect children under 13 who used the video-streaming service and improperly collected their data.

On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.

The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).

While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.

On July 9, 2019, the European Data Protection Board (the “EDPB”) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment (the “Opinion”) at the request of the French and the Swedish data protection authorities (“DPAs”).

Background – The French and Swedish DPAs’ Initial Request