Privacy & Information Security Law Blog

On March 28, 2019, the French data protection authority (“CNIL”) published a “Model Regulation” addressing the use of biometric systems to control access to premises, devices and apps at work. The Model Regulation lays down binding rules for data controllers who are subject to French data protection law and process employee biometric data for such purposes. The CNIL also released a related set of questions and answers (“FAQs”).

Hunton Andrews Kurth LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report setting forth best practices for an effective data breach notification framework (the “Report”). Lead Hunton authors are Lisa J. Sotto, chair of the Global Privacy and Cybersecurity practice, and partners Brittany M. Bacon and Aaron P. Simpson.

The UK Information Commissioner’s Office (“ICO”) has issued a Monetary Penalty Notice to pensions release provider Grove Pensions Solutions Ltd (“Grove”), fining it £40,000 after the company used contact details collected by a third party for its direct marketing campaign. Grove used a specialist third-party marketing agency to send emails on its behalf to mailing lists, negligently failing to obtain valid consent from individuals who received the marketing emails. Despite seeking external advice (including legal advice), the ICO decided that Grove should have known of the risk that its conduct would breach rules on direct marketing, particularly given recent widespread publicity of this issue in the UK. The fine was imposed under the Data Protection Act 1998.

On March 29, 2019, the Belgian House of Representatives appointed a new commissioner and four directors, who will lead the reformed Belgian data protection authority (“DPA”). The appointments follow a vote of the plenary of the Belgian parliament.

On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident, including (1) location information, stored data or transmitted data of an electronic device, and (2) data that is stored with a “remote computing service provider” (i.e., data stored in digital devices or servers).  The law provides for situations in which law enforcement may obtain such information without a warrant.

On March 12, 2019, the European Parliament (“Parliament”) approved the proposal for a regulation of the European Parliament and of the Council on ENISA, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (collectively, the “Cybersecurity Act”). The Parliament’s approval follows a political agreement between the European Commission, the Parliament and the Council of the European Union (“Council”) reached last December.

The Cybersecurity Act aims to achieve a high level of cybersecurity and cyber resilience, and to promote individuals’ trust in the EU digital single market.

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a press release announcing its policy (in Dutch) for calculating administrative fines (the “Policy”).

The Dutch DPA has the power to impose administrative fines for violations of the EU General Data Protection Regulation (“GDPR”), the Dutch law implementing the GDPR, the Police Data Act, the Judicial Data and Criminal Records Act, the Telecommunications Act, the Electronic Identification, Authentication and Trust Services (eIDAS) Regulation and the General Administrative Law Act.

On March 21, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the Case C-673/17 of Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (i.e., the Federation of German Consumer Organizations, the “Bundesverband”), which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views on how to obtain valid consent to the use of cookies in the case.

The UK’s Information Commissioner’s Office (“ICO”) has fined Vote Leave Limited (the UK’s official Brexit campaign) £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. In an unrelated action, the ICO has carried out searches of a business believed to have been responsible for initiating nuisance telephone calls. The ICO has highlighted nuisance calls, spam texts and unsolicited direct marketing as areas of “significant public concern,” and is increasingly imposing sanctions on businesses that infringe the Privacy and Electronic Communications Regulations 2003 (“PEC Regulations”), which prohibit these practices. In its view, the monetary penalty imposed on Vote Leave should act as a “deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices.”

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP has issued a white paper on Ten Principles for a Revised U.S. Privacy Framework (the “White Paper”). CIPL believes that the use of personal information and privacy can most effectively be regulated at the federal level, and puts forward ten principles that should be included in any new federal privacy framework to ensure appropriate protection for consumers while facilitating the digital economy, innovation and the responsible use of data.