Regulatory—Policy, Best Practices, and Standards
FTC Submits Comment on the Preliminary Draft for the NIST Privacy Framework
On October 24, 2019, the Federal Trade Commission ("FTC") announced that it submitted a comment on the National Institute of Standards and Technology's ("NIST") Preliminary Draft for Privacy Framework. The FTC's comment proposed five changes to the Framework, including clarifying procedures for managing privacy risks and explaining the analysis that companies should undertake to evaluate their data practices.
Regulatory—Consumer and Retail
FTC Announces Calls for Research Presentation for PrivacyCon 2020
On October 11, 2019, the FTC announced a call for research presentations on consumer and security issues for PrivacyCon 2020. The FTC's fifth annual PrivacyCon will take place on July 21, 2020, and will focus on the privacy of health data collected, stored, and transmitted by mobile apps.
Senators Introduce Consumer Data Protection Bill Proposing Privacy Rights
On November 26, 2019, four senators sponsored a bill that would create a "duty of loyalty" for companies that handle or process consumer data. The bill, named the Consumer Online Privacy Rights Act, would establish strict standards for the collection, use, sharing, and protection of consumer data. The bill also would give individual consumers the right to access and request the deletion of data.
CFTC Proposes Amendment to Safeguards Regulation
On November 12, 2019, the Commodity Futures Trading Commission ("CFTC") proposed a rule that would clarify the types of policies and procedures covered entities must use to safeguard customer records and information. The proposed rule would require policies and procedures reasonably designed to protect the security and confidentiality of customer information and would protect against any anticipated threats or unauthorized access to or use of customer information that could result in substantial harm or inconvenience.
SEC Announces Cyber Unit Chief
On December 2, 2019, the Securities and Exchange Commission ("SEC") announced Kristina Littman as the chief of the Division of Enforcement's Cyber Unit. The Cyber Unit is "a national, specialized unit that focuses on protecting investors and markets from cyber-related misconduct." Ms. Littman previously served as a senior advisor to SEC Chairman Jay Clayton.
House Bill Makes It Easier to Target Equipment Posing National Security Risks
On September 24, 2019, members of the House Energy and Commerce Committee introduced a bill that prohibits the use of federal funds to purchase equipment that poses national security risks. According to the bill, the Committee would determine whether communications equipment or services pose an unacceptable risk to national security. If so, the bill would prohibit the use of federal funds to purchase, rent, lease, or otherwise obtain such equipment.
DOE Announces Selections to Reduce Cyber Risks
On October 18, 2019, the Department of Energy's ("DOE") Office of Cybersecurity, Energy Security, and Emergency Response selected multiple projects for enhancing the cybersecurity of energy delivery systems and optimizing grid security. The selections are part of the DOE Multiyear Plan for Energy Sector Cybersecurity, which aims to reduce cyber risks through coordination between DOE offices, federal agencies, key private sector stakeholders, and energy owners and operators.
FERC Staff Details Cybersecurity Efforts
On November 21, 2019, Federal Energy Regulatory Commission ("FERC") staff presented FERC's efforts to address cybersecurity challenges in the energy sector. The presentation detailed the creation of a new security-focused group within the Office of Energy Projects' Division of Dam Safety and Inspections. FERC stated that the group will address cyber and physical security concerns at jurisdictional hydropower facilities. This group will work with other FERC groups to help regulated entities reduce cyber security risks.
TSA to Test Facial Recognition System at Las Vegas Airport
On August 26, 2019, the Transportation Security Administration ("TSA") announced plans to test a facial recognition system at McCarran International Airport in Las Vegas, Nevada. The TSA previously tested facial recognition at Los Angeles International Airport. Information derived from the test will be used to develop a Privacy Impact Assessment to address the privacy risks inherent in the use of facial recognition technology.
USDOT Awards Grants to Research Safety, Data Collection of Automated Vehicles
On September 18, 2019, the U.S. Department of Transportation ("USDOT") announced that it had awarded Automated Driving System Demonstration Grants to eight projects in seven states to test automated driving systems, gather safety data to inform rulemaking, and address privacy concerns.
OCR Settles First Case Concerning HIPAA's Right of Access
On September 9, 2019, the Department of Health and Human Service's Office for Civil Rights ("OCR") announced the settlement of the first enforcement action arising from a violation of patients' right to receive, inspect, and review medical records within 30 days of making a request. The investigation arose after a medical provider failed to provide a mother with timely access to records about her unborn child. The settlement requires the provider to pay $85,000 to OCR, adopt a corrective action plan, and undergo one year of monitoring by OCR.
FDA Warns of Vulnerabilities in Medical Device Software
On October 1, 2019, the U.S. Food and Drug Administration ("FDA") warned that vulnerabilities in a software component found in medical devices may allow third parties to remotely take control of the devices and stop or alter their function. Affected products include imaging systems, infusion pumps, and anesthesia machines. While there have been no confirmed adverse events caused by the vulnerabilities, the FDA encouraged manufacturers to conduct risk assessments and work with their operating system vendors to mitigate risks.
OCR Settles Social Media Disclosure Claim
On October 2, 2019, OCR announced the settlement of a claim that arose when a medical provider publicly disclosed patients' last names and medical conditions in response to unfavorable online reviews. OCR Director Roger Severino encouraged holders of protected healthcare information to think carefully before responding to online reviews and stressed that "social media is not the place for providers to discuss a patient's care." The settlement requires the provider to pay a $10,000 fine, adopt a corrective action plan, and undergo two years of monitoring by OCR.
Regulatory—Defense and National Security
DOD Releases Draft Cybersecurity Maturity Model Certification
On August 30, 2019, the Office of the Assistant Secretary of Defense released the most recent draft of the Cybersecurity Maturity Model Certification ("CMMC"). The CMMC combines cybersecurity "best practices" for Department of Defense contractors and "maps these practices and processes across several maturity levels that range from basic cyber hygiene to advanced."
Agencies Issue Joint Statement on Election Security
On November 5, 2019, multiple agencies issued a joint statement on improving the cybersecurity of local election infrastructure. The agencies announced that they are working with private sector partners to identify threats, share information, and monitor cybersecurity threats.
Senate Bill to Block U.S. Companies From Storing Data in China
On November 18, 2019, Missouri Senator Josh Hawley introduced the National Security and Personal Data Protection Act to limit the flow of personal data to China and other countries that threaten America's national security. The bill aims to prohibit the transfer or storage of user data or encryption keys in designated countries. It would also restrict covered companies from collecting more data than necessary to provide a service to their customers in the United States.
Litigation, Judicial Rulings, and Agency Enforcement Actions
New York Attorney General Settles Case Concerning Violations of Children's Online Privacy
On September 4, 2019, the New York attorney general and the FTC jointly filed a proposed settlement agreement with an internet company and its subsidiary. This settlement represents the largest monetary payment ever obtained under the Children's Online Privacy Protection Rule ("COPPA"). The complaint alleged that the companies tracked users of children-oriented online video channels using cookies and advertising identifiers and then tailored the viewers' ads according to inferred interests. Under the settlement agreement, the companies are required to pay $34 million to New York and $136 million to the FTC; additionally, they are required to implement a mechanism to allow channel owners to identify child-directed content and provide those channel owners applicable COPPA rules. Finally, they must obtain parental consent before collecting personal information from children.
Pharmacy to Pay $4.4 Million for Violating Privacy Rights of 6,000 Patients
On September 10, 2019, a pharmacy agreed to pay $4.35 million to resolve a class action lawsuit after it divulged protected health information of 6,000 Ohio residents by mailing letters in envelopes that disclosed names and HIV diagnoses. In addition to financing the settlement fund, the pharmacy also promised to enhance privacy protections, remove the word "HIV" from its system of identification codes, and provide medical privacy training to their employees.
FTC Hosts Public Workshop on COPPA Rule
On October 7, 2019, the FTC hosted a public workshop to review 2013 amendments to COPPA and consider the need for additional changes. The 2013 amendments addressed children's increased use of mobile devices and social networking and included an expanded definition of "children's personal information."
FTC Reaches Settlement With Developers of "Stalking Apps"
On October 22, 2019, the FTC announced a proposed settlement with the developers of three "stalking apps" that permitted monitoring of mobile devices on which the apps were installed without the knowledge or permission of the device users. The applications were marketed for the monitoring of employees and children. As part of the settlement, the developers agreed to stop selling the applications and delete data collected from the applications.
Court Rejects Argument Related to Preemption of BIPA
On October 31, 2019, the Northern District of Illinois rejected a railway company's argument that provisions of federal transportation laws preempted a putative class's Illinois Biometric Information Privacy Act ("BIPA") claims. In addition, the court found that the plaintiff had adequately alleged that the defendant had collected biometric identifiers without making the required disclosures or obtaining informed written consent and permitted the BIPA claims to proceed.
Technology Company Settles FTC Data Security Claim
On November 12, 2019, the FTC announced a proposed settlement with a Utah-based technology company over allegations that the company failed to use reasonable security practices to safeguard personal information. As part of the proposed settlement, the company must implement an information security program before it is permitted to collect, sell, share, or store personal information.
Revised Data Breach Class Settlement Deal Receives Preliminary Approval
On November 15, 2019, the Northern District of Illinois preliminarily approved a revised $1.6 million data breach settlement arising from a retailer's 2013 payment card data breach. The district court rejected the first proposed settlement agreement in September 2018 because it created conflicts between class members. The revised settlement agreement addresses this issue by providing monetary relief to one group of class members and revising the definition of eligible class members.
FTC Finds That Data Analytics Company Deceived Social Media Users
On November 25, 2019, the FTC issued an opinion finding that a data analytics and consulting company engaged in deceptive practices that violated the FTC Act. The FTC found that the company falsely represented to social media users that its company's quiz app did not collect users' personal information and that the company participated in and complied with the EU-U.S. Privacy Shield Framework. The FTC's final order prohibits the company from making misrepresentations concerning these issues, requires deletion of certain personal information collected about users, and requires the company to meet continuing obligations under the Privacy Shield Framework for previously collected information about EU users.
Major CEOs Press Congress for Nationwide Data Privacy Legislation
On September 10, 2019, 51 CEOs from major companies wrotea letter to Congressional leaders urging them to pass a comprehensive consumer data privacy law as soon as possible. The letter also included a proposed framework for consumer privacy legislation. Specifically, the letter stated that a comprehensive, national consumer data privacy law should be implemented to allow consumers to have purposeful rights over their personal information.
Senate Approves Cybersecurity Bill Encouraging Coordination With States
On November 26, 2019, the Senate unanimously approved a bipartisan bill encouraging coordination between federal and nonfederal entities on cybersecurity issues. The bill, named the State and Local Government Cybersecurity Act of 2019, would allow federal departments and agencies to provide operational and technical assistance to nonfederal entities. The bill also would allow them to provide these entities with tools, products, resources, policies, guidelines, controls, and procedures on information security.
California Legislature Expands Definition of "Personal Information" in Data Breach Notification Law
On September 6, 2019, the California Legislature passed AB 1130 to expand the definition of "personal information." Under the bill, the definition of "personal information" will now include biometric information and government-issued identification numbers, such as tax identification numbers and passport numbers.
California Legislature Passes Data Broker Registration Law
On September 13, 2019, the California Legislature passed A.B. 1202, which creates a new class of data processors, or "data brokers," who must register with the attorney general every year. A "data broker" is "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." A data broker will need to provide its name, primary physical address, and electronic contact information. The attorney general will make the information available on a public website.
Maryland Expands Data Breach Notification Requirements to Insurers
On October 1, 2019,SB 30 took effect. The bill requires insurance carriers and other health service organizations to notify the Maryland insurance commissioner, the attorney general, and affected individuals within 45 days of a data breach.
California Attorney General Issues Proposed Regulations Implementing CCPA
On October 10, 2019, the California attorney general issued proposed regulations implementing the CCPA. Among other provisions, the regulations provide specific guidance on the notices businesses must provide to consumers under the CCPA, practices for handling consumer requests, identity verification practices, and the offer of financial incentives. For more information, please see our Jones Day Alert.
California Governor Signs Into Law CCPA Amendments
On October 11, 2019, California Governor Newsom signed into law five bills amending the CCPA, which passed the California legislature on September 13.
- A.B. 25: Excludes employee data from a consumer's rights to access, deletion, and opt-out. Employers are still required to comply with disclosure requirements and are subject to the private right of action for employee data.
- A.B. 874: Clarifies that "publicly available information" and "deidentified or aggregate" information are not considered "personal information."
- A.B. 1146: Excludes vehicle and ownership data from the right to opt out in the context of vehicle repair relating to warranty or recall.
- A.B. 1355: Clarifies various provisions of the CCPA, including modifying the definition of "personal information," clarifying that deidentified and aggregate information are exempt from the statute, modifying the Fair Credit Reporting Act exemption, and excluding personal information collected on another business's employees in certain B2B contexts.
- A.B. 1564: Provides that businesses that operate exclusively online need to provide only an email address for consumer requests.
The exclusions in both A.B. 25 and A.B. 1355 are subject to a one-year moratorium. For more information, please see our Jones Day Alert.
California Governor Signs Amendment to Data Breach Notification Law Expanding Definition of "Personal Information"
On October 11, 2019, the California governor signed into law AB 1130, which expands the definition of "personal information." Under the bill, the definition of "personal information" will now include biometric information and government-issued identification numbers, such as tax identification numbers and passport numbers. The law went into effect on January 1, 2020.
Privacy Commissioner Shares Lessons Learned on Mandatory Breach Reporting
On October 31, 2019, the Privacy Commissioner of Canada shared lessons learned after one year of mandatory data breach reporting under the Personal Information Protection and Electronic Documents Act. The commissioner received 680 breach reports, mostly involving unauthorized access, and provided compliance recommendations.
Privacy Commissioner Issues Annual Report
On December 10, 2019, the Privacy Commissioner of Canada issued an annual report on Canada's privacy laws. The report contains a blueprint for how to modernize Canadian privacy laws. The commissioner recommends adopting rights-based privacy laws to provide better privacy protections in light of serious risks created by data-driven technologies.
The following Jones Day lawyers contributed to this section: Shirley Chan, Meredith Christian, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Daniel Lopez, Christopher Markham, Mallory McKenzie, Marina Moreno, Katherine Nugent, Christina O'Tousa, Clinton Oxford, Nicole Perry, Kerianne Tobitsch, Jackie Triggs, and Jenny Whalen-Ball.
Justice Ministry Investigates U.S. Tech Company's Use of Children's Data in Marketing
On September 6, 2019, a department of the Brazilian Justice Ministry notified a U.S. technology company that it may have violated Brazilian privacy law by collecting data from children and teens without parental knowledge and by using that data for targeted advertising (source document in Portuguese).
Brazilian Government to Create Citizen Database
On October 10, 2019, Brazilian President Jair Bolsonaro signed Decree No. 10,046/2019, which creates a single database containing personal information of more than 200 million Brazilian citizens available to governmental agencies (source document in Portuguese). The decree aims to improve data sharing between governmental agencies. The database will be managed by different agencies. Data will be categorized as broad, restricted, or specific, and the database will be implemented in two stages: the first stage will include citizens' names, dates of birth and Social Security numbers; the second will include citizens' biometric data, such as fingerprints, voice, walking pattern, and face recognition.
Proposal to Delay Brazil's General Law on Personal Data Protection
On October 30, 2019, Brazilian Deputy Carlos Bezerra proposed Bill 5762/2019, which would delay implementation of the Brazilian General Data Protection Law from August 2020 to August 2022 (source document in Portuguese). Bezerra argued that August 2020 is too soon to begin enforcement since most companies have not adapted the law's requirements, and the country's data protection authority is not yet fully established.
Data Protection Authority Investigates Misuse of Data by Political Parties and Candidates
On October 30, 2019, the Superintendence of Industry and Commerce (Superintendencia de la Industria y el Commercio, or "SIC") issued an official communication stating that it had initiated 29 investigations for possible violations of the country's data protection regulations (source document in Spanish). This decision was prompted by 38 complaints filed with the SIC and evidence that social networks were misused by the political parties and government candidates.
Data Breach Affects Up to 20 Million People
On September 9, 2019, Ecuadorian authorities announced an investigation of an internet consulting firm after it notified the government of a data breach affecting up to 20 million people. The leaked data included identifying personal information, such as full names, gender, and taxpayer identification numbers.
Ecuador Announces Law to Protect Personal Data
On September 16, 2019, Minister of Telecommunications Andrés Michelena Ayala announced a forthcoming law on personal data protection to prevent data leakage and information theft (source document in Spanish). The law was drafted in response to a concern that government officials in a former administration stole citizens' data and stored it on an unsecured server in Miami.
El Salvador's Legislative Assembly Approves Electronic Law
On October 31, 2019, El Salvador's Legislative Assembly approved the Electronic Commerce Law (source document in Spanish). The law applies to natural and legal persons established in El Salvador that perform, personally or through intermediaries, commercial transactions using any kind of technology or interconnected communication network. The law gives electronically-executed contracts the same legal force as other contracts and electronically- issued invoices the same accounting and tax validity as conventional invoices.
Public Information Authority Weighs In on Proposed Data Protection Laws
On November 5, 2019, the Institute of Access to Public Information ("IAIP") issued an official communication stating that IAIP authorities attended the Economy Commission of the Legislative Assembly ("Commission") to discuss recently filed data protection laws modeled after European laws (source document in Spanish). The IAIP will participate in Commission roundtables on designing privacy laws for the Latin American contest.
Modifications Proposed to Law Protecting Personal Data Held by Private Parties
On September 18, 2019, lawmakers proposed modifications to the Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesipon de los Particulares) (source document in Spanish). The proposed modifications would incorporate data subjects' rights of access, rectification, cancellation, and opposition (known as ARCO rights) and introduce new security requirements.
Data Protection Authority Reaffirms Commitment to Protecting Personal Data
On December 2, 2019, the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or "INAI") announced that Commissioner Josefina Román Vergara participated in the 52nd Asia Pacific Privacy Authorities Forum ("APPA Forum"). At the APPA Forum, the commissioner summarized the steps taken by the Ibero-American Data Protection Network ("RIPD") in recent months to strengthen its relationships with other international organizations and announced forthcoming RIPD guidelines on artificial intelligence projects.
Peru Publishes Draft Regulation on Video Surveillance
On August 26, 2019, the Peruvian National Authority for Personal Data Protection published a draft regulation regarding personal data processing carried out with video surveillance systems, such as cameras and drones (source document in Spanish). Under the draft regulation, companies that engage in improper processing of personal data—such as photos or recordings of people without their authorization—could be fined up to USD $126,000. The regulation also establishes rules for the processing of personal data, including the placement of informative posters in recorded areas and data retention limits of 60 days. The draft regulation was open for comment until the end of September.
Data Protection Authority Hosts Fourth National Week of Personal Data Protection
On September 21, 2019, the Uruguayan Personal Data Regulation and Control Unit (Unidad Reguladora y de Control de Datos Personales)hosted the fourth National Week of Personal Data Protection, where panelists discussed ethics, citizen profiling, democracy, and data protection (source document in Spanish). The Control Unit also conducted two workshops on the importance of data protection officers and personal data risk assessments.
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, Juan Carlos Quinzaños, and Gabriela C. Samanez.
Multiple Countries Sign Protocol Amending Convention 108+
On July 16, September 6, and September 19, 2019, respectively, San Marino, Greece, and Argentina became the most recent signatories to the protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention 108+"). Through a declaration of territorial extension by the United Kingdom, the Convention 108+ was made applicable to Gibraltar, which went into effect on November 1, 2019. Talks with Colombiato join Convention 108+ were initiated on August 28, 2019. Convention 108+ requires signatories to implement domestic laws to implement fundamental human rights of all individuals with regard to processing of personal data. The protocol modernizes Convention 108+, which was adopted in 1980, to reflect evolving technology and the new challenges it poses to protecting individual privacy.
Council of European Union Debates Policies for Ethical Data Use
On November 18, 2019, the Council of the European Union conducted a policy debate on steps European authorities should take to promote ethical data use. The council emphasized the need for the continued promotion, development, and deployment of the European data economy through balanced data sharing, human centricity, and proper structures.
Council of European Union Adopts New Draft of ePrivacy Regulation
On November 27, 2019, the Council of the European Union adopted a new version of the draft ePrivacy Regulation ("EPR"). The Internal Market Chief of the Commission, Thierry Breton, has called for a new proposal since governments have failed to agree on the different drafts of the EPR.
Court of Justice of the European Union
CJEU Limits Geographic Scope of Right to Be Forgotten
On September 24, 2019, the Court of Justice of the European Union ("CJEU") announced its opinion that the so-called "right to be forgotten" only requires the operator of a search engine to dereference content from versions of the search engine used in the Member States but not on a global basis. The announcement followed a decision by the French data protection authority to fine a search engine operator €100,000 for its refusal to dereference content from all versions of its search engines globally.
CJEU Addresses Processing of Sensitive Personal Data by Search Engine Operators
On September 24, 2019, the CJEU announced that search engine operators are responsible for ensuring that their processing of special categories of personal data satisfies European law. The court also stated that operators handling dereferencing requests must determine whether the data subject's fundamental right to privacy is outweighed by internet users' interest in freedom of information, based on the facts of each request.
CJEU Rules That Preticked Checkbox Is Not Valid Consent
On October 1, 2019, the CJEU ruled, in Case C‑673/17, that a preticked "I agree" checkbox does not constitute valid consent for processing personal data. In its decision, the CJEU ruled that consent must be provided in the form of a statement or by a clear affirmative action and must be unambiguous, regardless of whether the cookie collected qualifies as personal data.
European Union and United States Conduct Third Annual Privacy Shield Review
On September 12, 2019, the EU and United States began their yearly review of the EU-U.S. Privacy Shield. The Privacy Shield protects personal information included in commercial data transfers between the European Union and United States. Approximately 5,000 companies are currently registered under the Privacy Shield framework.
Commission Publishes Report on EU Cybersecurity Industry
On November 5, 2019, the European Commission published a report entitled "Strengthening Strategic Value Chains for a future-ready EU Industry," which includes recommendations to boost Europe's competitiveness and global leadership in the cybersecurity sector. The report highlights the need for a stronger and more competitive EU cybersecurity industry by 2030.
European Data Protection Board
EDPB Adopts Final Guidelines on Processing Personal Data for Online Services
On October 8, 2019, the European Data Protection Board ("EDPB") adopted the final version of guidelines for processing personal data during the provision of online services to data subjects. The guidelines refer to data protection principles and the interaction of Article 6(1)(b) of the GDPR with other provisions. The guidelines also address the applicability of Article 6(1)(b) to the bundling of separate services and termination of contracts.
EDPB Adopts Final Version of Guidelines on Territorial Scope
On November 12, 2019, the EDPB adopted the final version of the Guidelines 3/2018 on the territorial scope of the GDPR, which provides a common interpretation of the GDPR's scope for EEA Data Protection Authorities.
EDPB Adopts Third Annual Privacy Shield Review
On November 12, 2019, the EDPB adopted its report on the Privacy Shield from its third annual joint review with the United States. In the report, the EDPB welcomed efforts made by U.S. authorities to implement the Privacy Shield but noted concerns that still need to be addressed.
EDPB Adopts Additional Protocol to Budapest Convention on Cybercrime
On November 13, 2019, the EDPB adopted a contribution to the consultation on a draft second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention). The EDPB highlighted the importance of data protection and legal certainty to cross-border data sharing for law enforcement purposes.
EDPB Adopts Draft Guidelines on Data Protection by Design and by Default
On November 13, 2019, the EDPB adopted draft Guidelines 4/2019 on Article 25 Data Protection by Design and by Default for public consultation until January 16, 2020. These draft guidelines provide recommendations for controllers and processors to effectively implement the data protection principles.
European Data Protection Supervisor
EDPS Expresses Concerns Over Privacy Risks From Digital Currency
On August 5, 2019, the European Data Protection Supervisor ("EDPS") released a joint statement with UK, Australian, Canadian, and U.S. authorities concerning the privacy practices of members of a proposed cryptocurrency network built on blockchain. The statement instructs members to disclose the steps they have taken to protect personal information and comply with international privacy laws.
EDPS Addresses Court of Justice on Data Retention
On September 9 and 10, 2019, the EDPS addressed the Court of Justice of the European Union at a hearing for four joined cases. The EDPS was asked to clarify the scope of EU law in relation to data retention practices and the ability of IP addresses to reveal the content of electronic communications.
EDPS and SPDA Issue Joint Paper on Hash Techniques
On November 4, 2019, the EDPS and the Spanish Data Protection Authority ("SDPA") issued a joint paper on the introduction of the hash function as a personal data pseudonymisation technique. This joint paper is intended for controllers willing to use hash techniques in their data processing activities as a tool for personal data pseudonymisation. The paper outlines the risk of reidentification and necessary steps to mitigate this risk.
European Union Agency for Network and Information Security
ENISA Publishes Report to Guide Incident Response Teams
On September 25, 2019, the European Network and Information Security Agency ("ENISA") published a report responding to the rising number of cybersecurity incidents. The report provides strategies to improve information exchange among incident response teams.
ENISA Publishes Report on Good Practices for Security of Internet of Things
On November 19, 2019, ENISA published a report on Good Practices for Security of Internet of Things ("IoT"). The report introduces good practices for IoT security and focuses on software development guidelines to ensure that IoT products and services are secured throughout their lifetime.
ENISA Publishes Report on Cybersecurity for Connected Cars
On November 25, 2019, ENISA published a report on Good Practices for Security of Smart Cars. Taking into account all existing standardization, legislative, and policy initiatives, this report aims to serve as a reference point to promote cybersecurity for smart cars (connected and automated cars) across Europe and raise awareness on relevant threats and risks with a focus on "cybersecurity for safety."
ENISA Publishes Report on Operational Incident Response
On November 27, 2019, ENISA published the EU Member States Incident Response Development Status Report. The study provides insight into Network and Information Security Directive ("NIS") sectoral incident response capabilities, procedures, processes, and tools.
ENISA Launches Tool for Security Measures for Operators of Essential Services
On November 28, 2019, ENISA launched a tool that maps Minimum Security Measures for Operators of Essentials Services ("OES"). The tool maps security measures for OES entities onto international standards used by operators in the business sectors. The tool does not replace existing standards, frameworks, or best practices already used by OES entities.
BDPA Fines Merchant 10,000 Euros for Disproportionate Use of Electronic Identity Card
On September 19, 2019, the Belgian Data Protection Authority ("BDPA")imposed an administrative fine of EUR 10,000 on a merchant for violating the GDPR's data minimization and consent requirements of the GDPR (source document in Dutch). The merchant's loyalty program required use of an electronic identity card, which contained large amounts of customer information. The BDPA concluded that the data was processed without valid consent and that its collection was disproportionate to the service offered.
Constitutional Court Refers Questions to CJEU
On October 17, 2019, the Belgian Constitutional Court referred preliminary questions on the validity and interpretation of the directives 2016/681/EU on the use of passenger name record data and 2004/82/EC on the use of advanced passenger information data to the CJEU.
BDPA Issues Two Fines of 5,000 Euros
On November 28, 2019, the BDPA fined two Belgian politicians € 5,000 each for misuse of personal data in local elections in 2018 (press releases available in French and English). The politicians used personal data provided in a customer database to distribute campaign materials.
CNIL Orders Modification of School's Video Surveillance Procedure
On September 3, 2019, the Commission nationale de l'informatique et des libertés ("CNIL") ordered a private university to amend its surveillance policy, which included video monitoring of students and personnel in classrooms (source document in French). The CNIL's order required the school to reduce the number of recording devices, remove or reorient cameras from workspaces, display more comprehensive notices within buildings, and limit access to the recordings.
CNIL Releases List of Processing That Does Not Require DPIA
On September 12, 2019, the CNIL released a list of 12 types of processing activities for which a data protection impact assessment ("DPIA") is not required (source document in French). This includes data processing by human resources (for entities having less than 250 employees) or for the purpose of managing service providers.
CNIL Provides Guidance on Employee Monitoring at Work
On September 17, 2019, the CNIL provided guidance on data protection when implementing employee evaluation and training measures (source document in French). The guidance stressed that recording employee phone calls and computer screens would be permitted only in certain conditions, such as implementing monitoring measures for training purposes, informing employees of the monitoring, limiting the video recording to the computer screen and the duration of the relevant phone call, and limiting access to the video recording.
CNIL Releases Guide on GDPR Compliance for Public Region Administration Services
On September 19, 2019, the CNIL released a guide on GDPR compliance intended for public region administration services (source document in French). The CNIL stressed that public region administration services process a large amount of personal data and therefore should comply with GDPR as part of the transparency principle. The guide provides explanations of GDPR principles and a list of basic steps to ensure compliance.
CNIL Releases Guidelines on Home Use of IoT
On November 26, 2019, the CNIL issued guidelines on the use of connected TVs and kitchen robots (source document in French). The CNIL emphasized limitations on the amount of data such devices may collect and process and urged data subjects to request information on the purposes for which their data will be used.
CNIL Provides Guidance for Health Data Processing
On November 28, 2019, the CNIL released guidance on the legal frameworks governing the processing of health data for research purposes and for the creation of warehouse databases (source document in French). The CNIL emphasized that consent of data subjects or CNIL authorization is required before health data may be stored in a database. In contrast, only a declaration of compliance with CNIL guidelines is required for health data processing for research purposes.
Council Approves Amendment to German GDPR Implementation Law
On September 20, 2019, the German Federal Council approved an amendment to the German GDPR Implementation Law (source document in German). Under the new bill, a data protection officer will be required only if 20 or more people are regularly involved in processing personal data. The bill also abolishes the requirement of written consent for data processing in the employment context; under the new bill, an electronic form will suffice.
DSK Publishes Guidelines for Determining Fines
On October 14, 2019, the Conference of the German "Independent Data Protection Supervisory Authorities of the Federal Government and the States," Datenschutzkonferenz ("DSK"), published guidelines for determining fines pursuant to Article 83 of the GDPR. The guidelines are not binding on domestic courts, in cross-border cases, or on EU data protection supervisory authorities. Until the European Data Protection Board issues final guidelines, the DSK guidelines provide the basis for fines levied by German authorities.
Berlin Commissioner Fines Real Estate Company
On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information issued a press release announcing a fine on a real estate company for infringing GDPR Article 5 (data processing principles) and Article 25 (privacy by design and default principle) for nine months. The company used an archiving system for tenant data that did not allow removal of unnecessary data and did not verify whether data storage was necessary or permissible. Pursuant to the DSK guidelines published on October 14, 2019, the fine was based on the company's worldwide turnover for the previous year.
Court Rules That Data Protection Rules Apply in Antitrust Case
On November 9, 2019, the Higher Regional Court of Naumburg ruled that the sale of over-the-counter, pharmacy-only medicines through a large online retailer violated competition law. The court also held that data protection rules may regulate market conduct. In this case, data protection rules applied because the retailer's record of consumers' pharmacy purchases could enable conclusions about the consumers' health information. The court held that the processing of such data without the consent of the customer is an infringement of Article 9 of the GDPR.
DPA Issues Statement Regarding Third Party Website Analytics Services
Federal Commissioner Fines Telecommunication Service Provider for Insufficient Authorization Procedure
On December 9, 2019, the Federal Commissioner for Data Protection and Freedom of Information ("Federal Commissioner") announced a EUR 9.55 Mio. fine on a telecommunication service provider for infringing GDPR Article 32 because callers to the company's customer service could obtain extensive information about others simply by providing the name and date of birth of a customer. The Federal Commissioner considered this a violation of the company's obligation to take appropriate technical and organizational measures to systematically protect the processing of personal data. The fine was at the lower end of the possible penalty framework and took into account the cooperation of the company throughout the proceedings.
DPA Issues Resolution on Data Protection Inquiries
On September 12, 2019, the Italian Data Protection Authority ("DPA") issued a resolution announcing that 65 inquiries were conducted within the first part of 2019 and that further inquiries were ongoing. The DPA indicated that ongoing inquiries are focused primarily on financial institutions, food delivery companies, marketing services providers, apps for the management of whistleblowing procedures, and profiling of loyalty card holders.
DPA Chairman Issues Statement on Strasbourg Court Ruling
On October 17, 2019, the chairman of the Italian DPA issued an official statement on the judgment by the European Court of Human Rights regarding monitoring of employees by closed-circuit television. The court had allowed closed-circuit television surveillance under the circumstances, which included employee theft of company property, the limited scope of surveillance, and the difficulty of obtaining other evidence. The chairman cautioned that remote monitoring should never become standard practice.
DDPA Report Shows Sharp Increase in Privacy Complaints
On September 9, 2019, the Dutch Data Protection Authority ("DDPA") published its annual report. The report indicated a sharp increase in privacy complaints, with more than 15,000 people filing complaints with the DDPA in the first half of 2019 (source document in Dutch). This represents close to a 60% increase since the second half of 2018. The report attributed the change to increased awareness of privacy rights and the ability to file complaints with the DDPA.
DDPA Addresses Data Breaches in Healthcare Sector
On September 19, 2019, the DDPA announced that in the first half of 2019, the healthcare sector once again accounted for the majority of reported data breaches (source document in Dutch). If this trend continues, the DDPA expects an increase of 14% in healthcare breaches for the whole of 2019 as compared to 2018. The DDPA prepared a list of recommendations for healthcare institutions to prevent the most common causes of data breaches.
Insurance Provider Announces Personal Data Breach
On September 19, 2019, an insurance provider announced that the theft of a safe containing backups of the personal data of 2.3 million insurance consumers was stolen (source document in Dutch). This personal data included contact details, bank accounts, insurance data, and vehicle registration numbers.
DDPA Declines to Investigate Healthcare Processor
On September 30, 2019, the DDPA announced that it would not further investigate possible GDPR infringements by a data processor engaged by a number of Dutch healthcare providers for the cloud storage of medical data (source document in Dutch). Although the processor engaged a non-EU subprocessor, the DDPA found that it had implemented contractual safeguards prohibiting the transfer of the personal data outside of the EU.
DDPA Fines Health Insurance Company
On November 4, 2019, the DDPA announced that it had imposed a EUR 50,000 penalty on a health insurance companyfor failure to implement timely technical measures to prevent unauthorized access to medical data (source document in Dutch).
DDPA Publishes List of Processing Activities That Require DPIAs
On November 27, 2019, the DDPA published its definitive list of data processing activities that require a DPIA (source document in Dutch). The DDPA consulted with the other European data protection authorities. The list is available on the DDPA's website and includes activities, such as the processing of biometric data.
SDPA Clarifies When Data Protection Impact Assessment Is Required
On September 4, 2019, the Spanish Data Protection Agency ("SDPA") published a list of data processing activities that do not require a DPIA. The GDPR requires DPIAs when data processing is deemed to be high risk.
SPDA Publishes Guidelines for Developers of Education and Wellness Mobile Applications
On September 17, 2019, the SDPA published guidelines for developers of education and wellness mobile applications. The guidelines identify and discourage practices that may endanger user privacy and provide alternatives.
SDPA Publishes Guide on Cookies
SDPA Publishes Privacy Recommendations for DNS Protocols
On November 29, 2019, the SDPA published a technical note analysing the possible implications of the Domain Name System ("DNS") on consumer privacy (source document in Spanish). The document is primarily aimed at software developers, network administrators, DNS service providers, and internet access providers.
UK High Court Rules on Police Use of Facial Recognition Technology
On September 4, 2019, the High Court ruled that use of facial recognition technology by the South Wales Police did not breach human rights, equality, or data privacy laws.
ICO Announces Agreement With Social Media Company
On October 30, 2019, the Information Commissioner's Office ("ICO") announced that it reached a settlement with a social media company regarding alleged data processing violations. The company agreed to pay a £500,000 fine and made no admission of liability.
ICO Appoints First Data Ethics Advisor
On November 18, 2019, the ICO announced the appointment of its first data ethics advisor. The role will involve examining where data protection and data ethics overlap, such as in the area of data ownership.
The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Sara Rizzon, Irene Robledo, Elizabeth Robertson, Lucia Stoican, Ludovica Terenzi, Rhys Thomas, and Lucie Fournier.
Telecommunications Company Receives Record Fine for Direct Marketing Offense
On September 12, 2019, a telecommunications company received 23 charges related to its failure to comply with a data subject's request that it cease using personal data in direct marketing. The company was found guilty of 14 violations of the Privacy Ordinance and fined HK$6,000 for each charge (HK$84,000 in total). The fine is the second highest fine imposed since changes to the Privacy Ordinance went into effect on April 1, 2013.
Privacy Commissioner Addresses Disclosure of CCTV Footage
On October 15, 2019, the privacy commissioner responded to questions regarding the disclosure of closed-circuit television footage for a criminal investigation. The commissioner declined to comment on the particular case but emphasized that all individuals and organizations are bound by the Privacy Ordinance.
Privacy Commissioner Provides Updates on Doxxing and Cyberbullying
On October 21, 2019, the privacy commissioner published a statement on doxxing and cyberbullying. The statement announced 2,683 doxxing and cyberbullying cases as of October 21, involving 13 online social platforms and 2,145 web links. The commissioner referred 1,297 cases to the police for criminal investigation, and five people were arrested in connection with the cases. The privacy commissioner wrote to the platforms urging them to remove a total of 1,632 web links.
Privacy Commissioner Introduces 2018-19 Annual Report in Legislative Council
On November 27, 2019, the 2018-19 Annual Report of the Privacy Commissioner was introduced in the legislative council. The report noted that the number of complaints related to information technology increased by 102% since 2017-18, particularly complaints related to disclosures of personal data on the internet. The privacy commissioner carried out more compliance checks and compliance investigations in 2018-19 than in 2017-18.
People's Republic of China
Provisions to Protect Children's Personal Information Go Into Effect
On October 1, 2019, the Provisions on the Cyber Protection of Children's Personal Information went into effect (source document in Chinese). These provisions apply to the collection, storage, use, transfer, and disclosure of personal information from and about children under age 14 through the internet. Network operators must develop specific rules and user agreements, assign dedicated personnel responsible for protecting children's information, and obtain informed consent from guardians prior to data collection.
Central Bank Releases Draft Guidelines Related to Personal Information
On October 9, 24, and 25, 2019, the Central Bank released draft guidelines related to banks' collection and security of personal information. The banking regulation addresses collecting, processing, using, and providing personal financial information on the basis of a general authorization (source in Chinese). The security guideline updates definitions, descriptions of principles, and requirements for authorized consent (source in Chinese). The apps guideline updates management and technical requirements, including the minimum personal information required for services like online payments.
China Passes New Encryption Law
On October 26, 2019, China officially issued the Encryption Law of the People's Republic of China, which will went into effect on January 1, 2020 (source in Chinese). The law regulates the use and management of cryptography, promotes development of the cryptography field, and protects network and information security. The law also requires all levels of government to follow the principle of nondiscrimination, including with respect to foreign investors.
More Than 320 App Operators Receive Rectification Order
PIPC Issues First Guidance Since Its Creation
On August 26, 2019, the Personal Information Protection Commission of Japan ("PIPC") issued its first set of guidance since PIPC was established under the Personal Information Protection Act (source document in Japanese). PIPC issued the guidance in connection with its determination that a recruitment services company violated the act by providing personal data to client companies without obtaining prior consent from the data subjects and by failing to implement sufficient data protection policies.
PIPC Issues Guidance to Transportation Company
On September 17, 2019, the PIPC announced that it provided guidance to a transportation company regarding its collection and use of passengers' facial images without sufficient advance notification (source document in Japanese).
PDPC Signs MOU With Philippines' NPC
On September 9, 2019, Singapore's Personal Data Protection Commission ("PDPC") signed a Memorandum of Understanding ("MOU") with the Philippines' National Privacy Commission ("NPC"). The MOU memorializes a commitment between the organizations to share information, assist in joint investigations, and facilitate cross-border data flows. This is the first MOU that Singapore has signed with a data protection organization in the Association of Southeast Asian Nations ("ASEAN").
PDPC Revises Advisory Guidelines on Key Concepts and Cloud Services
On October 9, 2019, the PDPC issued revisions to the advisory guidelines chapters "Organisations" and "Access and Correction Obligations" in the Personal Data Protection Act ("PDPA"). The revisions clarify organizations' obligations with respect to overseas data transfers and explain when organizations may refuse access requests. The PDPA's new chapter on cloud services clarifies the responsibilities of both service providers and organizations when processing personal data in the cloud.
The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.
ACCC Continues Developing Statutory Framework for Consumer Data Right
On September 2, 2019, the Australian Competition and Consumer Commission ("ACCC") published the final draft of new regulations to protect consumer data. The regulations address the Consumer Data Right ("CDR"), which was created by the Treasury Laws Amendment (Consumer Data Right) Act 2019 (Cth) on August 1, 2019.
OAIC Consults on CDR Privacy Safeguard Guidelines
On October 17, 2019, the Office of the Australian Information Commissioner ("OAIC") commenced consultation on guidelines for the safeguarding of privacy in information shared under the Consumer Data Right ("CDR") regime, which consists of 13 privacy safeguards. The OAIC's CDR privacy safeguards will apply to data under the control of accredited data recipients under the CDR regime, instead of the Australian Privacy Principles which otherwise apply to personal information. Industry participants will need to review their privacy compliance frameworks to ensure that all relevant obligations are met, particularly those in the banking sector, which is the first sector to be subject to the CDR regime. The OAIC published the final CDR privacy safeguard guidelines on December 16, 2019.
OAIC Releases Annual Report
On October 21, 2019, the OAIC released its annual report for the year ending June 30, 2019. The OAIC reported that it received 12% more privacy complaints than the previous period. The majority of complaints the OAIC received related to six sectors of the Australian economy: finance, government, health, telecommunications, retail, and online services. The OAIC also received 950 data breach notifications. The OAIC initiated fewer independent investigations in the period: 15 investigations were opened in the period up to June 30, 2019—down from 21 investigations in the previous period.
The following Jones Day lawyers contributed to this section: Adam Salter and Drew Broadfoot.
Recent and Upcoming Speaking Engagements
Southwest Securities Conference, U.S. Securities and Exchange Commission, Financial Industry Regulatory Authority, Dallas, Texas (March 2020). Jones Day Speaker: Jay Johnson
Accommodating Data Subjects When They Exercise Their Rights, IAPP Data Protection Intensive: Germany, Munich, Germany (September 2019). Jones Day Speaker: Undine von Diemar
Global Privacy & Cybersecurity Law Update, Dallas Bar Association Technology Summit, Dallas, Texas (September 2019). Jones Day Speaker: Jay Johnson
Current Risks & Attack Trends, 3rd Annual Cybersecurity and Data Privacy Law Conference, Plano, Texas (September 2019). Jones Day Speaker: Jay Johnson
Keynote Luncheon Presentation, 3rd Annual Cybersecurity and Data Privacy Law Conference, Plano, Texas (September 2019). Jones Day Speakers: Jay Johnson, Shamoil Shipchandler
European Data Protection (CIPP/E training), IAPP Data Protection Intensive: Germany, Munich, Germany (September 2019). Jones Day Speaker: Undine von Diemar
Handling a Cybersecurity Investigation, Information Systems Security Association Fort Worth Chapter Meeting, Fort Worth, Texas (September 2019). Jones Day Speakers: Jay Johnson, Shamoil Shipchandler
Inside the Insider Threat, CISO Executive Network, Houston, Texas (October 2019). Jones Day Speaker: Nicole Perry
Securing User Behavior, CISO Executive Network, Dallas, Texas (October 2019). Jones Day Speaker: Jay Johnson
FBI Event, Conversations in Cyber, Boston, Massachusetts (October 2019). Jones Day Speaker: Lisa Ropple
European Cybersecurity Forum 2019, Amsterdam, Netherlands (October 2019). Jones Day Speaker: Jörg Hladjk
Big Data and GDPR, IDACON Conference 2019, Munich, Germany (October 2019). Jones Day Speaker: Jörg Hladjk
Employee Personal Data Protection: Companies' Trends and Relevant Resolutions, Mexico City, Mexico (October 2019). Jones Day Speaker: Guillermo Larrea
A Conversation With U.S. Attorney Andrew Lelling: Federal Law Enforcement Priorities, Jones Day, Boston, Massachusetts (October 2019). Jones Day Speaker: Lisa Ropple
Inside the Insider Threat, CISO Executive Network, Houston, Texas (October 2019). Jones Day Speaker: Nicole Perry
Privacy Law, Guest Lecturer at Internet Law Class, University of Houston Law Center, Houston, Texas (October 2019). Jones Day Speaker: Nicole Perry
Cybersecurity Issues in M&A Transactions, Southern Methodist University, Dallas, Texas (November 2019). Jones Day Speaker: Jay Johnson
Employee Tracking and Monitoring in Germany, U.K. and in Poland Under the GDPR, IAPP European Data Protection Congress, Brussels, Belgium (November 2019). Jones Day Speaker: Undine von Diemar
The EU General Data Protection Regulation 18 Months On, Lecture at the Jones Day Course at Beijing University, Beijing, China (November 2019). Jones Day Speaker: Undine von Diemar
Developments in US privacy law, Lecture at the Jones Day Course at Beijing University, Beijing, China (November 2019). Jones Day Speaker: Undine von Diemar
Cyber Security Risk and Strategy, Cyber Law Consortium, Dallas, Texas (November 2019). Jones Day Speakers: Jay Johnson, Shamoil Shipchandler
How to Close the Deal: Data Protection Risks and Solutions for M&A Transactions, IAPP European Data Protection Congress, Brussels, Belgium (November 2019). Jones Day Speaker: Jörg Hladjk
California Consumer Privacy Act of 2018: What You Need to Know, CISO Executive Network, Houston, Texas (November 2019). Jones Day Speaker: Nicole Perry
ECTA Regulatory Conference 2019, Panel Chair on 5G Without All Vendors! What Are the Consequences for Operators, Customers and Society?, Brussels, Belgium (December 2019). Jones Day Speaker: Laurent De Muyter
Privacy by Design and Privacy by Default—on the Ground, IAPP Data Protection Intensive France 2020, Paris, France (February 2020). Jones Day Speaker: Olivier Haas
Artificial intelligence and GDPR, Law, Cognitive Technologies & Artificial Intelligence study program organized by Federation of enterprises in Belgium, Brussels, Belgium (January 2020). Jones Day Speaker: Laurent De Muyter
Recent and Upcoming Publications
French and German Joint Report on Threats Entailed with Blockchain and AI, DataGuidance (August 2019). Jones Day Authors: Olivier Haas, Undine von Diemar
Trouble in Paradise: No Privilege for Stolen Documents (September 2019). Jones Day Authors: Kenneth Hickman, Michael Lishman, Simon Bowden, Douglas Johnson
Companies Are Now Getting Ready for Brazil's New Data Protection Law (September 2019). Jones Day Authors: Mauricio Paez, Artur Badra, Guillermo Larrea
Scraping the Web: Practical Implications From the hiQ v. LinkedIn Opinion (September 2019). Jones Day Authors: Aaron Charfoos, Jennifer Everett, Samir Jain, Clinton Oxford
The CCPA Amendments that Survived the California Legislature (September 2019). Jones Day Authors: Jeff Rabkin, Todd McClelland, Mauricio Paez, Jennifer Everett
Data Protection: Reducing the Risk of Disruption on a "No Deal" Brexit (September 2019).
Jones Day Authors: Jonathon Little, Olivier Haas, Jörg Hladjk, Undine von Diemar
California Attorney General Issues Draft CCPA Regulations (October 2019). Jones Day Authors: Various
Updates to the CCPA: Draft Regulations and New Amendments (October 2019). Jones Day Authors: Various
The Stakes for Complying With DoD Cybersecurity Requirements Are Higher Than Ever (October 2019). Jones Day Authors: Samir Jain, Schuyler Schouten, Grayson Yeargin, Kendall Lucas
China Cybersecurity Law Continues to Bring Enforcement Crackdown (November 2019). Jones Day Authors: Chiang Ling Li, Haifeng Huang, Mauricio Paez, Todd McClelland