Privacy & Information Security Law Blog

On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.

As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.

On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative. Led by the Department of Justice (“DOJ”) Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will seek to “utilize the False Claims Act (“FCA”) to pursue cybersecurity related fraud by government contractors and grant recipients.”

On September 29, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a paper on the Draft ePrivacy Regulation (“ePR”), in the context of the Trilogue Discussions between the EU Commission, EU Council and EU Parliament (the “Paper”).

On October 7, 2021, Federal Trade Commission Chair Lina Khan appointed Olivier Sylvain as a senior advisor on rulemaking and emerging technology. As announced by Fordham University School of Law, where Sylvain serves as a professor of communications, information and administrative law, Sylvain is an expert in the Communications Decency Act and also has focused his work on artificial intelligence and community-owned networked computing.

The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On October 15, 2021, the U.S. District Court for the District of Massachusetts entered a final order approving a $14 million class action settlement resolving claims against HelloFresh for alleged violations of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, et seq. The named plaintiffs alleged that HelloFresh violated the TCPA by (1) placing telemarketing calls to consumers whose phone numbers were listed on the federal Do Not Call registry; (2) placing telemarketing calls to consumers using an automatic telephone dialing system (“ATDS”) without prior express written consent; and (3) placing telemarketing calls to consumers who had requested to be placed on Hello Fresh’s internal Do Not Call list. According to plaintiffs’ attorneys, this settlement is the largest TCPA class action settlement in Massachusetts state history.

On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.” In the letter, the lawmakers noted that many technology companies have recently announced updates to their respective platforms’ policies that are intended to enhance children and teen protections in compliance with the UK’s Age Appropriate Design Code (“AADC”), which took effect on September 2, 2021.

On October 12, 2021, the Oxford County Court determined that a homeowner had breached the Data Protection Act 2018 (“DPA”) and UK General Data Protection Regulation (“UK GDPR”) by using Ring security cameras around his property. In Dr Mary Fairhurst v Mr Jon Woodard, Fairhurst claimed harassment, nuisance and breach of UK data protection law based on her former neighbor, Woodard’s, use of security cameras and lights around his property. While the claim in nuisance failed, the judge found for the claimant on the claims of harassment and breach of data protection law.

On September 27, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on the “GDPR Enforcement Cooperation and the One-Stop-Shop (“OSS”) - Learning from the First Three Years” (the “Paper”). The Paper identifies the challenges faced by the OSS, defines CIPL’s position, and proposes possible solutions to improve the OSS mechanism, taking into account the European Data Protection Board’s (“EDPB”) recent work and decisions by the Court of Justice of the European Union (“CJEU”).

On October 1, 2021, Florida’s Protecting DNA Privacy Act (the “Act”), took effect. The Act, signed into law by Governor Ron DeSantis on June 29, restricts certain willful collection, retention, analysis and disclosure of the DNA samples or DNA analysis results of persons in Florida without their express consent.

On October 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on “Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions” (the “Paper”).

On September 14, 2021, the Securities and Exchange Commission (“SEC”) announced that analytics firm, App Annie Inc., and its co-founder and former CEO and Chairman Bertrand Schmitt, agreed to pay approximately $10 million to settle securities fraud charges for engaging in deceptive practices and making material misrepresentations about “alternative data” sold by the company. Notably, this is the SEC’s first enforcement action charging an alternative data provider with securities fraud.

On September 28, 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Government Affairs Committee, respectively, introduced a bipartisan bill (the “Bill”) that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of having a reasonable belief that a covered cyber incident has occurred. Additionally, the Bill would require most entities (including businesses with 50 or more employees) that make ransom payments following ransomware attacks to report those payments to the CISA within 24 hours of payment. Notably, any entity required to submit a ransom payment report would first be required to conduct a due diligence review of alternatives to paying ransom, including an analysis of whether recovery from the ransomware attack is possible through other means, before making such a ransom payment. Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA in light of new or different information becoming available. All entities subject to these requirements would face data preservation obligations.

On October 4, 2021, the California Privacy Protection Agency (“CPPA”) appointed Ashkan Soltani as its first Executive Director. Soltani, a former chief technologist for the Federal Trade Commission and senior advisor to the White House, began his new role on Monday. He also is a distinguished fellow at the Georgetown Law Institute for Technology Law and Policy and the Georgetown Center on Privacy and Technology.

On September 30, 2021, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued guidance regarding when the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule applies to disclosures and requests for information about a person’s COVID-19 vaccination status.

On September 29 and 30, 2021, the U.S. Senate Committee on Commerce, Science and Transportation convened hearings on how to better protect consumer and children’s privacy.

On September 27, 2021, the transition period allowing companies to continue using the old EU Standard Contractual Clauses (“SCCs”) for new transfers from the EU to a third country ended. Companies entering into new transfer agreements incorporating the SCCs must now use those published by the European Commission on June 4, 2021 (the “new SCCs”). Transfers from the UK that rely on SCCs must continue to use the old SCCs.

On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s (“DHS’s”) issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (the “Preliminary Goals”). As we previously reported, on July 28, 2021, the Biden Administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (the “Memo”), which instructed DHS to lead the development of cybersecurity performance goals for critical infrastructure firms. The Memo described the initiative as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

On September 27, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea (the “Opinion”).

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On October 1, 2021, Connecticut’s two new data security laws become effective. As we previously reported, the new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor from certain Connecticut Superior Court assessed damages for businesses that create and maintain a written cybersecurity program.