Privacy & Information Security Law Blog

On July 29, 2019, the UK Information Commissioner’s Office (“ICO”) announced the 10 projects that it has selected, out of 64 applicants, to participate in its sandbox. The sandbox, for which applications opened in April 2019, is designed to support organizations in developing innovative products and services with a clear public benefit. The ICO aims to assist the 10 organizations in ensuring that the risks associated with the projects’ use of personal data is mitigated. The selected participants cover a number of sectors, including travel, health, crime, housing and artificial intelligence.

On July 25, 2019, the French Data Protection Authority (the “CNIL”) published new template records of data processing activities pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”). This provision requires organizations subject to the GDPR to maintain internal records of data processing activities. The CNIL recalled that such records are a key accountability tool under the GDPR for identifying, understanding and controlling data processing activities. Setting up and maintaining these records provide businesses with the opportunity to ask the right questions and limit privacy risks under the GDPR. According to the CNIL, this is also a useful moment to set up a data protection compliance action plan.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). Although the Guidelines provide examples of data processing for video surveillance, these examples are not exhaustive. The Guidelines aim to provide guidance on how to apply the EU General Data Protection Regulation (“GDPR”) in all potential areas of video device use.

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

On July 23, 2019, New York City Council members introduced Int. 1632-2019 (the “Bill”), an amendment to the administrative code of New York City that would prohibit telecommunications carriers and mobile applications from sharing a customer’s location data if such data was collected from a device in the five boroughs.

On July 16, 2019, the European Data Protection Board (the “EDPB”) published its Annual Report for 2018 (the “Report”). The Report highlights that the EDPB (1) endorsed 16 guidelines previously adopted by the Article 29 Working Party; (2) adopted four additional guidelines to clarify provisions of the GDPR; (3) adopted 26 consistency opinions to guarantee the consistent application of the EU General Data Protection Regulation (“GDPR”) by the EU data protection authorities; and (4) issued two opinions in the context of the legislative consultation process, as well as a statement on its own initiative and on the draft ePrivacy Regulation.

In addition to Facebook’s record-breaking Federal Trade Commission penalty and settlement order, on July 24, 2019, the Securities and Exchange Commission announced charges against Facebook for inadequate and misleading disclosures over its privacy practices. Facebook, without admitting or denying the SEC’s allegations, has agreed to the entry of a final judgment ordering a fine of $100 million.

As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.

On July 23, 2019, APEC issued a press release announcing the recent appointment of the Infocomm Media Development Authority (“IMDA”) as Singapore’s Accountability Agent for the APEC Cross-Border Privacy Rules (“CBRP”) and APEC Privacy Recognition for Processors (“PRP”). This makes Singapore the third APEC economy that has fully operationalized its participation in the CBPR system, following the United States, which has two CBPR Accountability Agents, and Japan, which has one CBPR Accountability Agent.

On July 18, 2019, the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and similar technologies (the “Guidelines”). As announced by the CNIL in its action plan on targeted advertising for 2019-2020, its 2013 cookie guidance is no longer valid in light of the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). The Guidelines therefore repeal the CNIL’s 2013 recommendations on cookies and reconceive the rules applicable to the use of cookies and similar technologies in France, as they take shape from (1) the provisions of the EU ePrivacy Directive as implemented under French law, and (2) the GDPR consent requirements.

On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

On July 22, 2019, the Federal Trade Commission announced that Equifax Inc. (“Equifax”) agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement agreement with the FTC, the Consumer Financial Protection Bureau (“CFPB”), and 48 U.S. states and territories to resolve investigations into the colossal data breach the company suffered in 2017. This is the largest data breach settlement in U.S. history.

According to media reports, the Federal Trade Commission has approved a multimillion dollar fine as part of a settlement with Google related to the FTC’s investigation into YouTube’s children’s data privacy practices. The FTC found that, in violation of COPPA, Google had failed to adequately protect children under 13 who used the video-streaming service and improperly collected their data.

On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.

The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a Q&A document on organizational accountability in data protection (the “Q&A”).

While CIPL has written extensively about the concept of organizational accountability over many years, the Q&A is designed to clarify frequently raised questions about accountability and provide greater context and understanding of the concept, including for law and policy makers considering data privacy legislation around the globe.

On July 9, 2019, the European Data Protection Board (the “EDPB”) adopted Opinion 8/2019 on the Competence of a Supervisory Authority in Case of a Change in Circumstances Relating to the Main or Single Establishment (the “Opinion”) at the request of the French and the Swedish data protection authorities (“DPAs”).

Background – The French and Swedish DPAs’ Initial Request

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently published a white paper on Organizational Accountability’s Existence in U.S. Regulatory Compliance and its Relevance for a Federal Data Privacy Law (the “White Paper”).

A number of bills to amend the California Consumer Privacy Act of 2018 (“CCPA”) are still pending before the California legislature. Of particular interest to many businesses is AB 25. AB 25 would exempt from the CCPA’s application “[p]ersonal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” if the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. The bill also would exempt from the CCPA’s application emergency contact information of these exempted categories of individuals and information necessary to administer benefits for persons related to such individuals.  Notably, AB 25 does not appear to exempt business-to-business customer representatives or representatives of other third-party business partners.  AB 25 also would authorize a business to require authentication of a consumer that is reasonable in light of the nature of the personal information requested. The bill further would authorize a business to require a consumer to submit the consumer’s verifiable request through the consumer’s account, where the consumer maintains an account with the business.

According to media reports, the Federal Trade Commission has approved a roughly $5 billion settlement with Facebook, Inc. to resolve a privacy probe investigating whether Facebook had violated a prior FTC consent decree requiring the company to better protect user privacy. The investigation followed reports that Cambridge Analytica improperly accessed the personal data of 87 million Facebook users.

Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.

On July 11, 2019, Washington Attorney General Bob Ferguson announced that his office had entered into a consent decree and $10 million settlement with Premera Blue Cross (“Premera”) that stems from a 2014-2015 breach that affected more than 11 million individuals. The settlement, which includes a payment of roughly $5.4 million to Washington state and $4.6 million to a coalition of 29 other state Attorneys General (the “Multistate AGs”), is one of the largest ever for a breach involving protected health information (“PHI”) and comes just one month after another notable HIPAA settlement involving a similar coalition of state AGs.

On July 9, 2019, the hearing in the so-called Schrems II case (case C-311/18) took place at the Court of Justice of the European Union (“CJEU”) in Luxembourg. The main parties involved in the proceedings, the Irish Data Protection Commissioner (“Irish DPA”), Facebook Ireland Ltd. and the Austrian activist Max Schrems, presented their arguments to the court. In addition, a number of other stakeholders intervened during the hearing, including representatives of the European Parliament, the European Commission, the European Data Protection Board, several EU Member States (including Austria, France, Germany, Ireland, the Netherlands and the UK) and the U.S. government, as well as a number of industry lobby groups and the Electronic Privacy Information Center.

On July 4, 2019, the European Commission published a factsheet on artificial intelligence (“AI”) for Europe (the “Factsheet”). In the Factsheet, the European Commission underlines the importance of AI and its role in improving people’s lives and bringing major benefits to the society and economy. In addition, the Factsheet also describes the EU’s role in AI and the financial investments the Commission is planning to make in AI. The factsheet also includes some examples of projects conducted by the Commission in AI (including in agriculture, data and eHealth, public administration and services, and transport and manufacturing).

On July 9, 2019, the UK Information Commissioner’s Office (“ICO”) announced its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 (approximately $124 million) for infringements of the EU General Data Protection Regulation (“GDPR”). The ICO’s announcement followed Marriott’s notification of the proposed fine to the U.S. Securities and Exchange Commission (“SEC”).

On July 1, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, (the “Dutch DPA”)) announced that it had expanded its guidance on data breaches. The updates aim to answer questions about data breaches received by the Dutch DPA from organizations since 2016.

On July 8, 2019, the UK Information Commissioner’s Office (“ICO”) announced that it intends to fine British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., £183,390,000 (approximately $230,000,000) for violating the EU General Data Protection Regulation (“GDPR”). This is the first fine to be announced publicly by the ICO under the GDPR and hints at the tough stance it is likely to take with regard to future breaches.

On June 14, 2019, the United States Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of Facebook, holding that the company did not violate the Illinois Biometric Information Privacy Act (“BIPA”) (740 ICLS ¶¶ 15, 20).

On July 2, 2019, the Federal Trade Commission announced a case involving the operator of an online rewards website who allegedly failed to take reasonable steps to secure consumers’ personal data.

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) issued its draft SP 800-171B guidelines (the “draft”), which outlines enhanced measures to protect controlled unclassified information (“CUI”) held by government contractors.