Privacy & Information Security Law Blog

On June 7, 2024, following a public consultation, the French Data Protection Authority published the final version of the guidelines addressing the development of AI systems from a data protection perspective.

On May 23, 2024, the European Data Protection Board adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports.

On May 1, 2024, the UK Information Commissioner’s Office (“ICO”) and the UK regulator for communications and online safety, Ofcom, issued a joint statement regarding their collaboration on the regulation of online services where online safety and data protection intersect. This statement builds on the joint statement published in 2022. The latest statement outlines several areas of collaboration between the ICO and Ofcom.

On April 12, 2024, the UK Information Commissioner’s Office launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. 

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.

On March 18, 2024, the UK Information Commissioner’s Office (“ICO”) published new data protection fining guidance on how the ICO determines penalties and calculates fines. The guidance was subject to a consultation process in 2023, and covers a variety of topics and considerations relevant to penalties and fines, including:

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of the Interactive Advertising Bureau Europe (“IAB Europe”) in the processing operations associated with its Transparency and Consent Framework (“TCF”) and further developed CJEU case law on the concept of personal data under the EU General Data Protection Regulation (“GDPR”).

On March 1, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it had issued an enforcement notice and a warning to the UK Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorized means. The Home Office is the ministerial department of the UK government responsible for immigration, security, and law and order.

On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance.

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

On February 9, 2024, Hunton Andrews Kurth attorneys, David Dumont and Laura Léonard, and Centre for Information Policy Leadership Director of Privacy and Data Policy, Natascha Gerlach, published an op-ed discussing the implications of the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the “Draft GDPR Procedural Regulation”) and the draft report on the Draft GDPR Procedural Regulation by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Draft LIBE Report”).

On January 18, 2024, the European Data Protection Board published a thematic one-stop-shop (“OSS”) case digest titled, “Security of Processing and Data Breach Notification” (the “Digest”). The Digest analyzes a selection of decisions adopted by EU data protection authorities on data security and data breaches. 

On January 15, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it has launched a consultation series on generative AI. The series will examine how aspects of UK data protection law should apply to the development and use of the technology, with the first chapter of the series focusing on when it is lawful to train generative AI models on personal data scraped from the web. The ICO invites all stakeholders with an interest in generative AI to respond to the consultation, including developers and users of generative AI, legal advisors and consultants working ...

On October 11, 2023, the French Data Protection Authority (the “CNIL”) published a new set of guidelines addressing the research and development of AI systems from a data protection perspective (the “Guidelines”).

On October 3, 2023, the UK Information Commissioner's Office ("ICO") published new Guidance on lawful monitoring in the workplace, designed to help employees comply with their obligations under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA").

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

Pablo A. Palazzi from Allende & Brea in Argentina reports that on June 30, 2023, the Argentine Executive Branch sent the new proposed Personal Data Protection Bill (the “Bill”) to the National Congress for consideration. The Bill was drafted by the Argentine Data Protection Authority (Agencia de Acceso a la Información Pública, or “AAIP”) and seeks to amend the current Personal Data Protection Act (Law No. 25,326 of 2000).

On June 19, 2023, the UK Information Commissioner’s Office (“ICO”) recommended that organizations start using privacy enhancing technologies (“PETs”) to share personal information safely, securely and anonymously. The ICO also has issued new guidance on PETs which is aimed at those using large data sets in finance, healthcare, money laundering and cybercrime. The guidance contains information on how PETs can be used to help organizations with data protection compliance and technical detail on the different types of PETs currently available.

The Brazilian law firm BMA Advogados reports that the Brazilian National Data Protection Authority (“ANPD”) adopted a landmark and long-awaited regulation for the enforcement of the Brazilian General Data Protection Law (“LGPD”).

On February 16, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP held a virtual roundtable to discuss the role of age assurance and age verification tools as part of its Children’s Data Privacy Project. Representatives from CIPL member companies, data protection authorities, civil society and experts exchanged views on the effectiveness of different methodologies and emerging best practices to shield minors from harmful or inappropriate content.

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

On January 20, 2023, The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published “Digital Assets and Privacy,” a discussion paper compiling insights from workshops with CIPL member companies that explored the intersection of privacy and digital assets, with a particular focus on blockchain technology. The paper includes recommendations for developing coherent, tech-friendly, future-focused, and pragmatic regulations and policies.

On January 11, 2023, the Belgian Data Protection Authority (“Belgian DPA”) announced that it has approved the Interactive Advertising Bureau Europe’s (“IAB Europe”) action plan with respect to its Transparency and Consent Framework (“TCF”).

On  December 15, 2022, the UK government and the Dubai International Financial Centre Authority (“DIFC”) issued a joint statement on the shared commitment to deepening the UK-DIFC data partnership. The statement explains that “[t]here are over 5,000 UK companies operating in the UAE, many of which depend on the free and secure flow of safe data across borders.” Further, the UK and the DIFC have strong links in the financial sector, following the DIFC’s establishment in 2004, with 16% of the DIFC’s financial services companies originally based in the UK.

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

On November 15, 2022, the Italian Supreme Court held that an Italian court or competent data protection authority has jurisdiction to issue a global delisting order. A delisting order requires a search engine to remove certain search results about individuals if the data subject’s privacy interests prevail over the general right to expression and information, and the economic interest of the search engine. The case was brought by an Italian individual, who requested a worldwide delisting order, concerning all versions of the search engine, due to potential damage to the applicant's professional interests outside of the European Union.

On November 25, 2022, the UK Information Commissioner’s Office (“ICO”) and the UK’s communications regulator, Ofcom, issued a joint statement setting out how they intend to work together to “ensure coherence between the data protection and the new online safety regimes.” The regulators noted that the statement is primarily intended for online service providers that are likely to be regulated under the online safety regime, but it also will be of interest to other stakeholders as an indication of their joint direction.

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

On October 20, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper entitled Protecting Children’s Data Privacy, Policy Paper I, International Issues and Compliance Challenges. The paper identifies and explores the key issues and challenges that organizations and data protection authorities face in the context of globally divergent legal standards and policy approaches relating to children’s data.

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. The ICO determined that such violations rendered Interserve vulnerable to the cyber attack which took place between March 2020 and May 2020, affecting the personal data of up to 113,000 Interserve employees. The compromised data included contact details, national insurance numbers and bank account details, as well as special category data, including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

On September 26, 2022, the UK Information Commissioner’s Office (“ICO”) confirmed in a statement that it issued TikTok Inc. and TikTok Information Technologies UK Limited (together, “TikTok”) a notice of intent to potentially impose a £27 million fine for failing to protect children’s privacy. This notice of intent follows an investigation by the ICO finding that TikTok may have breached UK data protection law between May 2018 and July 2020 by failing to protect children’s privacy when using the TikTok platform.

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

On July 7, 2022, the Irish Data Protection Commission (the “DPC”) sent a draft decision to other EU data protection authorities, proposing to block Meta’s transfers of personal data from the EU to the United States.

On June 23, 2022, Italy’s data protection authority (the “Garante”) determined that a website’s use of the audience measurement tool Google Analytics is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States, which does not offer an adequate level of data protection. In making this determination, the Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found use of the tool to be unlawful.

On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity.

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.

On February 2, 2022, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €250,000 fine against the Interactive Advertising Bureau Europe (“IAB Europe”) for several alleged infringements of the EU General Data Protection Regulation (the “GDPR”), following an investigation into IAB Europe Transparency and Consent Framework (“TCF”).

The Austrian data protection authority (the “Austrian DPA”) recently published a decision in a case brought against an Austrian website provider and Google by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”). The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates both Chapter V of the EU General Data Protection Regulation (“GDPR”), which establishes rules on international data transfers, and the Schrems II judgment of the Court of Justice of the European Union.

On January 12, 2022, the French Data Protection Authority (the “CNIL”) published guidelines on the re-use of personal data by data processors for their own purposes (such as product improvement or the development of new products and services) under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). This post outlines key takeaways from the Guidelines.

On December 31, 2021, the French Data Protection Authority (the “CNIL”) imposed a €150,000,000 fine on Google and a €60,000,000 fine on Facebook (now Meta) for violations of French rules on the use of cookies.

In a letter addressed to certain members of the European Parliament (“MEPs”), European Commissioner for Justice Reynders refuted some of the criticism that has been raised against the Irish Data Protection Commissioner (“DPC”).

Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.

Last month, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on Reforms to the Data Protection Regime (the “Response”). The Response also reflects views gathered from CIPL members during two industry roundtables organized in collaboration with DCMS to obtain feedback on the reform proposals. Key takeaways from the Response include the following:

On December 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a white paper on “Bridging the DMA and the GDPR – Comments by the Centre for Information Policy Leadership on the Data Protection Implications of the Draft Digital Markets Act” (the “White Paper”).

On November 5, 2021, IAB Europe (“IAB EU”) announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework (“TCF”). The TCF is a GDPR consent solution built by IAB EU that has become a widely used approach to collecting consent to cookies under the GDPR. The draft ruling is expected to find that the TCF does not comply with the GDPR, in part because IAB EU acts as a controller, and the digital signals the TCF creates to capture individuals’ consent to cookies are personal data under the GDPR. Because IAB EU does not consider itself a controller with respect to the TCF, it does not currently comply with the GDPR’s controller obligations.

On September 29, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a paper on the Draft ePrivacy Regulation (“ePR”), in the context of the Trilogue Discussions between the EU Commission, EU Council and EU Parliament (the “Paper”).

The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On October 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on “Organizational Accountability in Data Protection Enforcement – How Regulators Consider Accountability in their Enforcement Decisions” (the “Paper”).

On September 27, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea (the “Opinion”).

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On August 27, 2021, the Federal Data Protection and Information Commissioner (“Swiss DPA”) announced that the new EU Standard Contractual Clauses (the “SCCs”) may be relied on to legitimize transfers of personal data from Switzerland to countries without an adequate level of data protection, provided that the necessary amendments and adaptations are made for use under Swiss data protection law.

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced a fine of €225 million ($266 million) against WhatsApp Ireland Ltd (“WhatsApp”) for failure to meet the transparency requirements of Articles 12-14 of the EU General Data Protection Regulation (“GDPR”). This fine represents a more than four-fold increase in the €30-50 million fine that was proposed in a draft decision issued by the DPC in December 2020. Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under Chapter VII of the GDPR. Eight other EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (“EDPB”), in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.

On September 1, 2021, the South Korean Personal Information Protection Commission (“PIPC”) issued fines against Netflix and Facebook for violations of the Korean Personal Information Protection Act (“PIPA”).

Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).

On August 2, 2021, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it had levied a €2,500,000 fine on Deliveroo Italy s.r.l. for the unlawful processing of personal data of approximately 8,000 Deliveroo riders, and various infringements of the EU Genera Data Protection Regulation (the “GDPR”).

On July 16, 2021, the Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (“GDPR”). The CNPD also ordered Amazon to revise certain of its practices. As Amazon has its EU headquarters in Luxembourg, the CNPD acts as Amazon’s lead supervisory authority in the EU.

On June 29, 2021, the UK Department for Digital, Culture, Media and Sport (“DCMS”) published guidance for businesses on child online safety, which includes guidance on data protection and privacy, age-appropriate content, positive user interactions, and protecting children from online sexual exploitation and abuse.

On July 22, 2021, the Dutch Data Protection Authority (“Dutch DPA”) announced that it had imposed a €750,000 fine on TikTok for violating the privacy of young children namely for the company’s alleged lack of transparency.

On July 6, 2021, it was reported that British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A, had settled a UK class action lawsuit relating to its 2018 data breach, in which approximately 430,000 data subjects were affected. The UK Information Commissioner’s Office (“ICO”) previously fined BA £20 million for the same breach, after finding that BA had failed to process the personal data of its customers in a manner that ensured appropriate security, as required under Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation. This amount was significantly reduced from the ICO’s proposed fine of more than £183 million.

On June 30, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) consultation on its Draft Regulatory Strategy for 2021-2026, in which the DPC sets out its vision for the next five years.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).

On May 20, 2021, the Belgian Data Protection Authority (“Belgian DPA”), as the lead authority (in collaboration with two co-reviewing authorities), announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation (the “GDPR”).

On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €525,000 fine on Locatefamily.com for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation (“GDPR”) to appoint a representative in the EU.

On May 14, 2021, the Irish High Court dismissed Facebook Ireland’s (“Facebook”) challenge to the Irish Data Protection Commissioner’s (“DPC”) investigation into Facebook’s international transfers of personal data.

On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.

On April 23, 2021, the National Information Security Standardization Technical Committee of China published a draft standard (in Chinese) on Security Requirements of Facial Recognition Data (the “Standard”). The Standard, which is non-mandatory, details requirements for collecting, processing, sharing and transferring data used for facial recognition.

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.

On April 23, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on virtual voice assistants (the “Guidelines”). The Guidelines were adopted on March 12, 2021 for public consultation.

On April 21, 2021, the European Commission (the “Commission”) published its Proposal for a Regulation on a European approach for Artificial Intelligence (the “Artificial Intelligence Act”). The Proposal follows a public consultation on the Commission’s white paper on AI published in February 2020. The Commission simultaneously proposed a new Machinery Regulation, designed to ensure the safe integration of AI systems into machinery.

On April 9, 2021, the First-Tier Tribunal of the General Regulatory Chamber stayed proceedings in Ticketmaster UK Limited’s (“Ticketmaster’s”) appeal against a fine issued by the UK Information Commissioner’s Office (“ICO”) until 28 days after a judgment in civil litigation brought by 795 customers against Ticketmaster. The group action, which relates to the breach for which Ticketmaster was fined by the ICO, is currently before the High Court in England. As a result of the stay in proceedings, the appeal likely will not be heard before the Tribunal until mid to late 2023.

On April 8, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted comments in response to the Ministry of Public Security (“MPS”) of Vietnam’s Draft Decree on Personal Data Protection (“Draft Decree”).

On March 31, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”), announced a fine of €475,000 for Dutch headquartered online travel agency Booking.com for failure to report a data breach within 72 hours of becoming aware of the incident in 2019.

On March 25, 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth organized an expert roundtable on the EU Approach to Regulating AI–How Can Experimentation Help Bridge Innovation and Regulation? (the “Roundtable”). The Roundtable was hosted by Dragoș Tudorache, Member of Parliament and Chair of the Artificial Intelligence in the Digital Age (“AIDA”) Committee of the European Parliament.  The Roundtable gathered industry representatives and data protection authorities (“DPAs”) as well Axel Voss, Rapporteur of the AIDA Committee.

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 30, 2021, the European Commission (the “Commission”) announced the successful conclusion of the adequacy talks with the Republic of Korea.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 12, 2021, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of the partnership between the French Ministry of Health and Doctolib, a leading provider of online medical consultations in Europe, for the management of COVID-19 vaccination appointments.

On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.

On March 1, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the new Brazilian data protection authority’s (Agência Nacional de Proteção de Dados, the “ANPD’s”) public consultation (in Portuguese) on the impact of the Brazilian data protection law (Lei Geral de Proteção de Dados, the “LGPD”) on small and medium-sized enterprises (“SMEs”), which will inform the ANPD’s upcoming special rules for SMEs.

The concept of regulatory sandboxes has gained traction in the data protection community. Since the UK Information Commissioner’s Office (the “ICO”) completed its pilot program of regulatory sandboxes in September 2020, two European Data Protection Authorities (“DPAs”) have created their own sandbox initiatives following the ICO’s framework.

On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.

On February 5, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the European Commission’s (the “Commission’s”) public consultation on the Commission’s Proposal for a Regulation on European Data Governance (the “Data Governance Act,” or “DGA”). This proposal is the first set of initiatives announced under the broader European Data Strategy.

On January 28, 2021, international Data Privacy Day, the newly formed Brazilian data protection authority (Agência Nacional de Proteção de Dados, the “ANPD”) published its regulatory strategy for 2021-2023 and work plan for 2021-2022 (in Portuguese).

On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.

On January 27, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it imposed a fine of €150,000 on a data controller, and a fine of €75,000 on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.

On January 19, 2021, the UK Information Commissioner’s Office (“ICO”) published its analysis of the application of the UK General Data Protection Regulation (the “UK GDPR”) to transfers from UK-based firms or branches that are registered, required to be registered or otherwise regulated by the U.S. Securities and Exchange Commission (“SEC”).

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.

On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.

On January 15, 2021, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020, for both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”). 

On December 16, 2020, the Committee of Experts within India’s Ministry of Electronics and Information Technology (MeitY) (the “Committee”) issued a revised report on the Non-Personal Data Governance Framework (the “NPDF”) for India (the “Revised Committee Report”).

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).

On January 13, 2021, the FTC announced that fertility-app developer Flo Health, Inc. (“Flo”) agreed to a settlement over allegations that the company shared app users’ health information with third-party data analytics providers despite representations that Flo would keep such information private.