Privacy & Information Security Law Blog

On June 28, 2021, the European Commission (the “Commission”) adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and another under the Law Enforcement Directive. Their adoption means organizations in the EU can continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection. The adoption comes just before the conditional interim regime under the EU-UK Trade and Cooperation Agreement, under which data could flow freely from the EU to the UK, was set to expire on June 30, 2021.

On June 24, 2021, Google announced that it will delay its plan to replace the use of third-party cookies on its Chrome web browser with new technologies. This delay comes amid antitrust and privacy concerns, as well as scrutiny from the advertising industry that the changes will strengthen Google’s own advertising business.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).

On June 16, 2021, the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform published an independent report containing recommendations to the Prime Minister on how the UK can reshape its approach to regulation in the wake of Brexit (the “Report”). Among wide-ranging proposals across a range of areas, the Report recommends replacing the UK General Data Protection Regulation (“UK GDPR”) with a new UK Framework of Citizen Data Rights. The proposed approach would aim to give individuals greater control over their personal data while also allowing increased data flows and driving growth in the digital economy. The Report will be considered by the Government’s Better Regulation Committee.

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

On June 14, 2021, the Baltimore City Council passed a bill that would ban the use of facial recognition technology by private entities and individuals within the city limits. If signed into law, Baltimore, Maryland would become the latest U.S. city to enact stringent regulations governing the use of facial recognition technology in the private sector.

After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.

Compared to previous drafts of the law, the final version of the DSL differs with respect to:

• establishing a work coordination mechanism and clarifying the duties of each governmental authority;
• establishing an administration system for state core data;
• encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
• protecting the security of government data; and
• increasing the punishment dynamics for violations of the law. 

On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.

On June 15, 2021, the SEC announced it settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The SEC charged First American with failure to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning a software vulnerability that led to a cybersecurity incident was filed with the Commission.

On June 15, 2021, the U.S. Senate confirmed Lina Khan to the Federal Trade Commission by a vote of 69-28. Khan will fill the vacancy left by former Chairman Joseph Simons (R) who resigned from the FTC in January 2021.

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

July 1, 2021 marks the deadline for certain businesses to comply with the metrics reporting obligations under the California Consumer Privacy Act of 2018 (“CCPA”) regulations. Section 999.317(g) of the regulations applies to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.

As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.

On June 3, 2021, the U.S. Supreme Court in Van Buren v. United States reversed the U.S. Court of Appeals for the Eleventh Circuit’s decision to uphold the conviction of Nathan Van Buren, a former Georgia police sergeant alleged to have violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) when accessing a law enforcement database for a non-law-enforcement purpose against his department’s policy. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The Court addressed a split in authority among the circuits regarding the scope of liability under the CFAA.

On May 25, 2021, the Grand Chamber of the European Court of Human Rights handed down its judgement in the case of Big Brother Watch and Others v. the United Kingdom, determining that the former surveillance regime in the UK violated Article 8 of the European Convention on Human Rights (“ECHR”), i.e., the right to respect for private and family life.

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

On June 2, 2021, Nevada’s governor approved SB 260 (the “Amendment Bill”), which expands on the previously amended Nevada Privacy of Information Collected on the Internet from Consumers Act (the “Act”). Specifically, the Amendment Bill broadens the definition of key terms along with providing several new exemptions.

On June 3, 2021, Google informed app developers that beginning in late 2021, when Android 12 OS users opt out of personalized ads, the advertising ID provided by Google Play services (the Google Ad ID, or “GAID”) will not be made available to app developers for any purpose.

Hunton Andrews Kurth LLP partner Lisa J. Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, has been recognized by Chambers and Partners with the 2021 Outstanding Contribution to the Legal Profession award. This honor is given to one lawyer each year for exceptional achievements.

On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).