Privacy & Information Security Law Blog

On June 25, 2020, the European Commission launched a public consultation on the revision of the Directive on Security of Network and Information Systems (the “NIS Directive”). According to the Commission, a revision is needed because cybersecurity capabilities in EU Member States remain unequal despite progress made with the NIS Directive, and the level of protection in the EU is insufficient. In addition, the rapid digitalization of society has expanded the threat landscape and presents new challenges requiring adaptive and innovative responses.

On June 23, 2020, the German Federal Court of Justice (the Bundesgerichtshof, or “BGH”) issued a decision confirming the enforceability, in preliminary proceedings, of the order of the German Federal Cartel Office (the “Bundeskartellamt”) against Facebook’s data practices.

On June 25, 2020, the European Data Protection Board (“EDPB”) published a new register containing decisions by national supervisory authorities (“SAs”) based on the One-Stop-Shop cooperation procedure set forth under Article 60 of the EU General Data Protection Regulation (the “GDPR”). Under Article 60 of the GDPR, SAs have the duty to cooperate on cross-border cases to ensure consistent application of the GDPR. In this context, the lead SA is responsible for preparing draft decisions and working together with the concerned SAs to reach a consensus.

Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.

The UK Prime Minister, Boris Johnson, announced on June 23, 2020, that restrictions relating to COVID-19 would be eased as of July 4. Although many measures remain in place to prevent the virus’ spread, certain businesses, including restaurants and pubs, will be able to reopen in the UK, with the recommendation that staff-customer contact be minimized.

On June 18, 2020, Senator Sherrod Brown (OH) released a discussion draft of a privacy bill entitled the Data Accountability and Transparency Act of 2020 (“the Bill”). The Bill would provide individuals with several new rights regarding their personal data; implement rules limiting how personal data is collected, used or shared; and establish a new federal agency called the Data Accountability and Transparency Agency to protect individuals’ privacy and enforce those rules.

On May 13, 2020, Senator Alessandro Vieira presented Bill n. 2630/2020 (“Bill”) to the Brazilian Senate, which the Senate is calling the “Fake News Law.” Officially, this Bill establishes the Brazilian law of “freedom, responsibility and transparency on the internet.” It was introduced in the context of the alleged use of fake news by political parties and other public sector stakeholders in Brazil.

On June 11, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response (the “Response”) to the European Commission’s consultation regarding its white paper on “a European Approach to Excellence and Trust” on artificial intelligence (the “White Paper”).

On June 24, 2020, the European Commission (“the Commission”) submitted its first report on the evaluation and review of the EU General Data Protection Regulation (“GDPR”) to the European Parliament and Council. The report is required under Article 97 of the GDPR and will be produced at four year intervals going forward.

On June 19, 2020, France’s Highest Administrative Court (the “Conseil d’Etat”) issued a decision partially annulling the guidelines of the French Data Protection Authority (the “CNIL”) on cookies and similar technologies (the “Guidelines”). The Conseil d’Etat annulled the provision of the Guidelines imposing a general and absolute ban on ‘cookie walls’ that prevent users who do not consent to the use of cookies from accessing a site or mobile app. However, the Conseil d’Etat upheld the main part of the Guidelines. On the day of the Conseil d’Etat’s decision, the CNIL published a statement (the “Statement”) announcing that they took note of the decision and will strictly comply with it.

The UK Information Commissioner’s Office (“ICO”) has released guidance to assist employers in implementing appropriate safeguards as workplaces reopen, titled “Coronavirus Recovery - Six Data Protection Steps for Organisations” (the “guidance”). This guidance sets out the key principles of data protection that should be kept in mind as employers put measures in place to prevent the spread of COVID-19.

On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the processing of personal data in the context of reopening borders following the COVID-19 outbreak (the “Statement”).

On July 1, 2020, amendments to Vermont’s data breach notification law, signed into law earlier this year, will take effect along with Vermont’s new student privacy law.

On June 16, 2020, the European Data Protection Board (the “EDPB”) released a statement on the data protection impact of the interoperability of contact tracing apps within the EU (the “Statement”). The EDPB issued this Statement following the publication of “Interoperability guidelines for approved contact tracing mobile applications in the EU” by the eHealth Network on May 13, 2020. In its guidelines, the eHealth Network calls for an interoperable framework in the EU that would enable users to rely on a single contact tracing application regardless of the Member State or region in which they reside.

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). This Law was created to establish an urgent legal framework for the private sector in the context of the COVID-19 crisis. Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”).

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

On June 9, 2020, the Federal Communications Commission (“FCC”) announced a proposed $225 million fine, the largest in the history of the FCC, against several individuals for telemarketing violations.

On May 29, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the European Commission’s Consultation on a European Strategy for Data (the “Strategy”).

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

On June 5, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published guidance on its website (the “Guidance”) regarding temperature checks during the COVID-19 crisis. The Guidance aims to provide advice to organizations looking to control access to their premises by restricting individuals with fevers in order to prevent further spread of the virus.

On June 3, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published its report, What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework (“Report”). The Report consolidates the findings of CIPL’s Accountability Mapping Project launched in September 2019, which is part of CIPL’s broader work on the central role of organizational accountability in data privacy.

On June 1, 2020, U.S. Senators Maria Cantwell (WA) and Bill Cassidy (LA) introduced the Exposure Notification Privacy Act (the “Act”), bipartisan legislation that would impose requirements and restrictions on operators of automated exposure notification services. The bill defines automated exposure notification service as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the U.S. and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).” These services are commonly referred to as “contact tracing technology” because they are designed to provide alerts when a user comes in near-contact with someone who tested positive for an infectious disease, such as COVID-19.

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).

The Federal Trade Commission (“FTC”) announced its latest Children’s Online Privacy Protection Act (“COPPA”) settlement with California-based app developer HyperBeard and its individual principals. According to the FTC, since at least 2016, HyperBeard has offered a number of child-directed mobile apps, with names like BunnyBuns, KleptoCats and NomNoms that featured brightly colored, animated characters, such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and that are described in child-friendly terms like “super cute” and “silly.” These apps are free to download and play, but they generate revenue through in-app advertising and purchases. The FTC alleges that the defendants were aware that children were using their apps, and that they promoted them to child audiences on a kids’ entertainment website, through children’s books and through the merchandizing of officially licensed plush stuffed animals and toys. Defendants allowed third-party ad networks to collect persistent identifiers from children in order to serve them with interest-based ads without parental notice or consent, in violation of COPPA.

On June 1, 2020, the Office of the California Attorney General submitted the final California Consumer Privacy Act (“CCPA”) proposed regulations to the California Office of Administrative Law (“OAL”). Notably, the final proposed regulations are the same as the draft issued in March. The OAL must review the rulemaking package for procedural compliance with California’s Administrative Procedure Act. The OAL’s typical 30-day review period has been extended by 60 calendar days under an executive order related to the COVID-19 pandemic. Assuming OAL approves the regulations, the final text will be filed with the Secretary of State.

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

The Global Privacy Assembly (“GPA”), a forum for data protection and privacy authorities, has established a COVID-19 Taskforce (“the Taskforce”) to advise on best practices, provide insight and drive practical responses regarding privacy issues raised by the pandemic. It aims to provide a balance between enabling governmental responses to the crisis and protecting individuals’ privacy.