Privacy & Information Security Law Blog

On October 30, 2020, the UK Information Commissioner’s Office (“ICO”) announced its fine of £18.4 (approximately $23.9 million) issued to Marriott International, Inc., (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant decrease from the proposed fine of £99,200,396 (approximately $124 million) announced by the ICO in July 2019. The ICO’s fine only relates to the breach from the point at which the GDPR came into force in May 2018, and is the second largest fine levied by the ICO thus far under the GDPR. Marriott has not admitted liability for the breach, but has indicated that it does not plan to appeal.

On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.

On October 21, 2020, China issued a draft of Personal Information Protection Law (“Draft PIPL”) for public comments. The Draft PIPL marks the introduction of a comprehensive system for the protection of personal information in China.

On November 2, 2020, the comment period for the Federal Acquisition Security Council’s (“FASC”) interim final rule (the “Interim Final Rule”) implementing the Federal Acquisition Supply Chain Security Act of 2018 (the “2018 Act”) will close.

On October 21, 2020, the UK Information Commissioner’s Office (“ICO”) released its updated guidance on the data subject right of access under Article 15 of the EU General Data Protection Regulation (“GDPR”). The ICO provided a draft of the guidance for consultation in December 2019, and in response to the feedback it received, supplemented the guidance with additional content. The guidance provides more in-depth advice for organizations than what was provided in the ICO’s previous guide and includes examples designed to demonstrate how the GDPR’s requirements will apply in practice.

On October 22, 2020, the Consumer Financial Protection Bureau (“CFPB”) issued a notice of proposed rulemaking (the “Proposed Rule”) to implement Section 1033 of the Dodd-Frank Act (the “Act”) regarding consumers’ access to their financial information.

On October 13, 2020, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of France’s centralized health data platform, Health Data Hub (the “HDH”), currently hosted by Microsoft. However, the Conseil d’État recognized that there is a risk of U.S. intelligence services requesting the data and called for additional guarantees under the control of the French data protection authority (the “CNIL”).

On October 15, 2020, Brazil’s President Bolsonaro officially nominated the five Directors of the new Brazilian data protection authority (Agência Nacional de Proteção de Dados, “ANPD”), as published in the Brazilia Official Journal. The Decree establishing the ANPD, on which we reported earlier, is now fully in effect. All five nominations, however, must still be approved by the Brazilian Senate, which means there are further steps before the ANPD is fully established and operational.

On October 16, 2020, the UK Information Commissioner’s Office (“ICO”) announced its fine of £20,000,000 (approximately $25,850,000) for British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A, for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant (approximately 90%) decrease from the proposed fine of £183,390,000 (approximately $230,000,000) announced by the ICO in July 2019, but is the largest fine imposed to date by the ICO.

During its 39th plenary session on October 8, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on relevant and reasoned objection under the General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (“LSA”) has a duty to cooperate with other concerned supervisory authorities (“CSAs”) in order to reach a consensus.

On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).

On October 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Statutory Guidance (the “Guidance”). The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.

The increasing development and use of AI technology is raising several compliance questions, particularly in the context of the EU General Data Protection Regulation (“GDPR”). The European Commission has already begun working on future AI legislation. Join us on October 14, 2020, for a webinar on Artificial Intelligence: Key Considerations for GDPR Compliance Today and Tomorrow.

On September 30, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released its 2019 Annual Report (the “Report”). Notably, 2019 was the year of the Belgian DPA’s first fines under the EU General Data Protection Regulation (the “GDPR”) and the release of the Belgian DPA’s 2019-2025 Strategic Plan.

On October 1, 2020, the Hamburg Data Protection Authority (“DPA”) fined Hennes & Mauritz AB (“H&M”) € 35.3 million for unlawful employee monitoring practices in the company’s service center concerning several hundred employees. According to the DPA’s press release, H&M was maintaining excessive details about employees’ private lives since 2014. This includes notes taken by managers regarding (1) employees’ vacation experiences, illnesses, diagnoses and symptoms as discussed with managers during welcome-back talks after employees’ vacation or sick leave, and (2) information ranging from employees’ family problems to religious beliefs obtained by managers during floor talks. The information was stored digitally and could be read by up to 50 managers throughout the company. According to the DPA, the managers’ notes were sometimes made with a high level of detail and maintained over great periods of time. The press release states that the information was used to evaluate the performance of employees, create employee profiles and make other employment-related decisions.

On October 1, 2020, the French Data Protection Authority (the “CNIL”) published a revised version of its guidelines on cookies and similar technologies (the “Guidelines”), its final recommendations on the practical modalities for obtaining users’ consent to store or read non-essential cookies and similar technologies on their devices (the “Recommendations”) and a set of questions and answers on the Recommendations (“FAQs”).

On September 30, 2020, Anthem, Inc. (“Anthem”) entered into an assurance of voluntary compliance (the “Agreement”) with the attorneys general of 42 states and the District of Columbia to settle claims under state and federal law relating to Anthem’s 2015 data breach (the “Breach”).

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory alerting companies of potential sanctions risks related to facilitating ransomware payments.  The five-page advisory states that ransomware victims who pay ransom amounts, and third-party companies that negotiate or pay ransom on their behalf, “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

On September 25, 2020, the District Court of New Mexico granted Google’s motion to dismiss a lawsuit filed on February 20, 2020, by New Mexico Attorney General Hector Balderas alleging, among other claims, that the company violated the federal Children’s Online Privacy Protection Act (“COPPA” or the “Act”) by using G Suite for Education to “spy on New Mexico students’ online activities for its own commercial purposes, without notice to parents and without attempting to obtain parental consent.”