Privacy & Information Security Law Blog

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

The Cyberspace Administration of China (“CAC”), together with 11 other authorities, has jointly issued the Measures for Cybersecurity Review (the “Measures”), which will take effect on June 1, 2020, and the currently-effective Measures for Examining the Security of Network Products and Services will be repealed simultaneously.

In part 2 of an S4x20 video on Cybersecurity Law and Governance, Lisa Sotto, Chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, addresses the U.S. Securities and Exchange Commission’s (“SEC’s”) expectations of public companies with respect to robust and timely disclosures of cyber incidents and risks. Despite being inactive in the early years of cybersecurity incidents, the SEC is now quite active in pursing appropriate cybersecurity disclosure, and the agency formed a cyber unit in 2018. In this video, Sotto highlights the uptick in enforcement ...

California Attorney General (“AG”) Xavier Becerra recently issued an alert emphasizing the rights of California consumers under the California Consumer Privacy Act (“CCPA”) during the COVID-19 pandemic. The alert follows media reports that the AG’s office is “committed to enforcing the law upon finalizing the rules or [by] July 1, whichever comes first,” even with the “new reality created by COVID-19.”

On April 16, 2020, the Centre for Information Policy Leadership (“CIPL”), in collaboration with the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”), published a White Paper (the “White Paper”) on the Role of the Brazilian Data Protection Authority (“ANPD”) under Brazil’s New Data Protection Law (“LGPD”). The White Paper is accompanied by two infographics: 1) the priorities of the Agência Nacional de Proteção de Dados, and 2) the case for an effective Brazil DPA - the ANPD.

As the COVID-19 outbreak continues to unfold, businesses are dealing with new and unprecedented operational and legal challenges. There also are key data protection considerations for businesses in connection with the COVID-19 pandemic, including compliance with the requirements around the processing of personal data for health monitoring purposes, crisis management issues and steps to be implemented to ensure the continuity of privacy compliance programs.

In Part 1 of an S4x20 video on Cybersecurity Law and Governance, Lisa Sotto, Chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, speaks to cyber risk as one of the top risk issues for senior executives in the current digital landscape.

On April 21, 2020, the European Data Protection Board (“EDPB”) adopted Guidelines on the processing of health data for scientific purposes in the context of the COVID-19 pandemic. The aim of the Guidelines is to provide clarity on the most urgent matters relating to health data, such as legal basis for processing, the implementation of adequate safeguards and the exercise of data subject rights.

On April 13, 2020, the New York Department of Financial Services (“NYDFS”) issued guidance (“April guidance”) to all New York State entities covered under NYDFS’s cybersecurity regulation regarding assessing and addressing heightened cybersecurity risks due to the COVID-19 pandemic. In asking regulated entities to address risks “appropriately,” the April guidance references NYDFS’s earlier March 10, 2020 guidance calling on regulated institutions to submit to the agency (within 30 days of the guidance) plans “to address operational risks posed by the outbreak of a novel coronavirus,” including “assessment[s] of potential increased cyber-attacks and fraud.”

On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).

On April 9, 2020 the U.S. Senate Committee on Commerce, Science and Transportation held a “paper hearing” entitled Enlisting Big Data in the Fight Against Coronavirus. A “paper hearing” consists of the committee members submitting opening statements and witnesses submitting testimony, which were posted on the Committee’s website. Witnesses were required to submit answers to member questions last week.

Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles.

On April 15, 2020, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data for core Human Resources (“HR”) management purposes. That Referential was adopted following a public consultation launched by the CNIL on April 11, 2019. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding HR data processing activities.

On April 14, 2020, the Indiana Attorney General’s office announced that the state had reached a settlement agreement with Equifax in connection with Equifax’s 2017 data breach. Under the terms of the settlement, Equifax will pay a $19.5 million penalty. Indiana previously elected not to participate in a July 2019 multistate and Federal Trade Commission settlement with Equifax regarding the same data breach.

On April 14, 2020, the European Data Protection Board (“EDPB”) adopted a letter concerning the European Commission's (the “Commission”) draft Guidance on apps supporting the fight against the COVID-19 pandemic. This letter was written to the Commission following the Commission’s adoption of a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the pandemic on April 8, 2020.

On April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Importantly, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.

On April 9, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released guidance and a set of frequently asked questions (“FAQs”) regarding the use of cookies and other tracking technologies.

On April 14, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published an article entitled “COVID-19 Meets Privacy: A Case Study for Accountability” (the “Article”).

On April 7, 2020, the European Data Protection Board (the “EDPB”) announced that it had assigned mandates to its expert subgroups to develop guidance on several aspects of data processing amidst the COVID-19 crisis.

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

A Canadian maker of Internet-connected padlocks, Tapplock, Inc. (“Tapplock”), settled Federal Trade Commission (“FTC”) allegations that the company violated Section 5 of the FTC Act by falsely claiming that its “smart locks” were secure. The FTC alleged that Tapplock “did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information.” The FTC further alleged that Tapplock did not have a security program in place prior to security researchers discovering vulnerabilities in the design and function of the smart locks.

As of early April, hundreds of millions of workers around the world have been affected by “stay-at-home” or “station-in-place” orders issued by governments in response to the COVID-19 pandemic. To cope, transaction processors are shifting work out of their high-security delivery centers and into the spare bedrooms and home offices of their personnel. That shift creates security challenges that have chief information security officers’ (“CISOs’”) heads spinning. Specifically, special challenges are created when work-from-home (“WFH”) orders affect payment cardholder data that is subject to the Payment Card Industry’s Data Security Standard (“PCI DSS”).

Join us on April 20, 2020, for an in-depth webinar on Business Continuity and COVID-19 from a GDPR Perspective. Our featured speakers, Hunton Brussels lawyers David Dumont and Anna Pateraki, will discuss key considerations with respect to ensuring business continuity and management of your GDPR compliance program amidst the COVID-19 pandemic.

On April 6, 2020, the Irish Data Protection Commission (the “DPC”) published a report summarizing the DPC’s findings following a cookie sweep of select websites across a range of sectors, as well as a new guidance note on the use of cookies and other tracking technologies.

On March 31, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published a short statement on its website (the “Statement”) regarding health-related apps. The Belgian DPA indicated that the Statement is in response to numerous questions regarding the use of personal data in the context of the COVID-19 pandemic.

Listen as Phyllis H. Marcus, partner at Hunton Andrews Kurth and Co-Chair of the ABA Antitrust Law Section’s Privacy and Information Security Committee, speaks about the privacy concerns over using smart devices on the ABA’s Our Curious Amalgam podcast, Is Your Assistant Spying on You? Understanding the Privacy Law Issues Involving In-Home Assistants.

On April 2, 2020, the French Data Protection Authority (the “CNIL”) published a press release highlighting the importance of the ISO/IEC 27701 standard for the protection of personal data. The CNIL reminds that this is an international standard that defines the management system and security measures that need to be implemented for the processing of personal data (“personally identifiable information” under the ISO/IEC 27701 standard), by extending the requirements of two well-known information security standards.

On March 31, 2020, the Federal Trade Commission (“FTC”) announced that it will hold a workshop on data portability on September 22, 2020. Data portability allows consumers to obtain a copy of the data an organization holds about them (e.g., emails, photos, contacts, calendar, social media content), in a format that can easily be downloaded and transferred to another entity or to themselves. Data portability has been embraced as a consumer right in the EU General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), and several recent privacy bills at both the state and federal level.

On April 1, 2020, the French Data Protection Authority (the “CNIL”) released guidance for employers on how to implement teleworking (the “Guidance”) as well as best practices for their employees in this context (the “Best Practices”).

On March 26, 2020, Washington D.C. enacted bill number B23-0215, amending D.C.’s data breach notification law (the “Bill”). Among other requirements, the Bill requires the provision of identity theft prevention services in certain data breaches, establishes a new regulatory reporting requirement in the event of a cognizable data breach affecting 50 or more residents of D.C., and imposes certain data security requirements on covered businesses.

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

Join us on April 7, 2020, for an in-depth webinar on Managing Critical Infrastructure Workforce During the COVID-19 Pandemic. Our featured group of speakers will discuss the legal, medical and practical issues that critical infrastructure companies are facing during the current COVID-19 pandemic. The speakers include Hunton lawyers Kevin Jones, Paul Tiao, Andrea Gardner, Susan Wiltsie and Lorie Masters, with special guests Myles Spar, MD, MPH, and Ashley Koff, RD.