Privacy & Information Security Law Blog

On May 27, 2019, the Irish government announced that Helen Dixon, who currently serves as Irish Data Protection Commissioner, was appointed to a second five-year term in her position. Her reappointment was approved by a May 27 Cabinet vote.

On May 24, 2019, the Cyberspace Administration of China (the “CAC”), together with eleven other relevant government authorities, jointly released the draft Cybersecurity Review Measures for public comment. The deadline for public comment is June 24, 2019.

On May 27, 2019, Thailand’s Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”), which was passed by the National Legislative Assembly on February 28, 2019, was finally published in the Government Gazette, and thus became effective on May 28, 2019. Although now effective, the main operative provisions concerning personal data protection (including requests for data subjects’ consent; collection/use and disclosure of personal data; rights of data subjects; complaints; civil liabilities and penalties) will not come into force until one year after their ...

As reported by Bloomberg Law, on May 24, 2019, the Office of the Privacy Commissioner of Canada (the “OPC”) suspended its public consultation on transborder data flows (the “Consultation”). The suspension follows the announcement of the Digital Charter by the Canadian government, which puts forward principles for digital reform, including improvements to Canadian privacy law.

On May 16, 2019, the California State Senate Appropriations Committee did not approve SB 561, a bill that would have amended the California Consumer Privacy Act (“CCPA”) to expand the private right of action to permit consumers to sue for any violations of the CCPA. The Committee’s decision to hold the bill means it will not pass out of the Senate this session.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

On May 6, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement and $3 million settlement with Touchstone Medical Imaging (“Touchstone”). The settlement is the first OCR HIPAA enforcement action in 2019, following an all-time record year of HIPAA enforcement in 2018.

As reported by Bloomberg Law, on May 7, 2019, Washington State Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law. The new requirements include the following:

• Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information.” Washington’s breach notification law previously defined personal information as an individual’s name in combination with the individual’s Social Security number, state identification card number, or financial account or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. HB 1071 adds the following data elements to the definition, when compromised in combination with an individual’s name:
  • full date of birth;
  • private key that is unique to an individual and that is used to authenticate or sign an electronic record;
  • student, military or passport identification number;
  • health insurance policy number or health insurance identification number;
  • any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
  • biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.

On May 3, 2019, the International Association of Privacy Professionals (“IAPP”) honored Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy with the 2019 IAPP Privacy Vanguard Award during its Global Privacy Summit in Washington, D.C. The IAPP also honored European Data Protection Supervisor Giovanni Buttarelli with its 2019 Privacy Leadership Award. Since the early 2000s the IAPP has recognized professionals and organizations making a difference in the world of privacy through these yearly awards.

On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.

In late April, the California state legislature’s Privacy and Consumer Protection Committee held hearings on nine bills that seek to refine the California Consumer Privacy Act of 2018 (“CCPA”) by clarifying the legislation and limiting its scope. Eight bills advanced to the Assembly Appropriations Committee; the ninth is non-fiscal and will next be heard by the full Assembly. Last week, the California Assembly Appropriations Committee approved three of the bills. These bills, now on the Assembly’s “Consent Calendar,” will be heard this week. The Appropriations Committee will hold hearings on the other five bills in the next two weeks.

From the Assembly’s Appropriations Committee, bills must go through the full Assembly, the California Senate and the California governor to be enacted as law.

At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.