Jones Day Global Privacy & Cybersecurity Update | Vol. 23

Jones Day



Regulatory—Policy, Best Practices, and Standards

NIST Produces Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1

On April 25, the National Institute of Standards and Technology produced a Roadmap for Improving Critical Infrastructure Cybersecurity, Version 1.1. The roadmap outlined several areas of focus for future development of the Cybersecurity Framework, including authentication methods, automated indicator sharing, conformity assessments, data analytics, and supply chain risk management.

Regulatory—Consumer and Retail

FTC Takes Action Against Companies Falsely Claiming to Comply with Privacy Shield

On June 14, the Federal Trade Commission ("FTC") announced that it had reached a settlement with a company that provides employment background checks for falsely claiming participation in the EU–U.S. Privacy Shield and Swiss–U.S. Privacy Shield frameworks. The FTC also sent warning letters to 13 companies that claimed to participate in the expired U.S.–EU Safe Harbor and U.S.–Swiss Safe Harbor frameworks. The FTC instructed the companies to remove any "public documents or statements that might be construed as claiming participation or involvement" in the privacy frameworks.


NYDFS Creates New Fintech Division

Consistent with New York's status as a financial services and technology hub, the New York State Department of Financial Services ("NYDFS") announced on July 23 a new Research and Innovation Division focusing on fintech innovation and consumer protection. The Division will also assume responsibility for licensing and supervising entities engaged in virtual currency business activity under the NYDFS's BitLicense Regulation. As the NYDFS explained, the Division is intended to make the NYDFS "the regulator of the future" by reviewing the use of technology in financial services, safeguarding consumer data rights, and fostering fintech innovation.


FCC Complaint Alleges Wireless Carriers Violated Privacy Laws

On June 14, several public interest groups filed an informal complaint with the Federal Communications Commission ("FCC") against prominent wireless carriers, alleging that the carriers sold customers' real-time location data to third parties without informed consent. The complaint highlighted the public safety risk associated with the sale of such data. The groups urged the FCC to investigate these practices and enforce Sections 201(b) and 222 of the Communications Act against the carriers.


FERC Strengthens Electric Grid Cybersecurity Standards

On June 20, the Federal Energy Regulatory Commission ("FERC") signed an order that expands the reporting requirements for incidents involving attempts to compromise operation of the electric grid. The new standards require that entities report cybersecurity incidents that compromise electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated with cyber systems. Furthermore, the standards require that entities develop criteria for identifying an attempt to compromise a cyber asset and then apply the criteria during their cybersecurity incident identification process.


California Proposes Limiting Access of Local Authorities to Scooter Data

On May 22, the California State Assembly passed legislation that would allow providers of shared mobility devices, such as bicycles and motorized scooters, to withhold individual trip data from local governments. Local authorities could still require providers to share de-identified and aggregated trip data as a condition for operating a shared mobility device program. The proposed legislation comes as some cities have begun implementing regulations requiring shared mobility providers to share individual trip data with local authorities.

House Representatives Raise Privacy Concerns over Use of Facial Recognition at Airports

On June 13, 23 members of the House of Representatives sent a letter to the Department of Homeland Security to raise privacy and security concerns over reports that U.S. Customs and Border Protection ("CBP") is using facial recognition technology at airports to scan U.S. citizens. According to the reports, CBP has partnered with the Transportation Security Administration and commercial airlines to use facial recognition technology on U.S. citizens, potentially in violation of the Biometric Exit Program, which permits CBP to collect biometric data on foreign nationals entering and exiting the United States.

Regulatory—Health Care/HIPAA

Medical Records Service Settles HIPAA Breach

On May 23, the U.S. Department of Health and Human Services ("HHS") announced that a medical records service paid the Office for Civil Rights $100,000 to settle a breach that exposed the electronic protected health information ("ePHI") of approximately 3.5 million people in violation of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. The breach occurred when hackers used a compromised user ID and password to access the ePHI. The investigation found that the record service did not conduct a comprehensive risk analysis prior to the breach.

Breach of Third-Party Collections Vendor Affects Millions of Patients

On June 3–4, two health care diagnostics companies each filed a report with the SEC reporting unauthorized activity on the webpage of their third-party collections service provider between August 1, 2018, and March 30, 2019, which affected up to 11.9 million and 7.7 million patients, respectively.

FDA Warns of Dangerous Cybersecurity Hacking Risk with Connected Medical Devices

On June 27, the Food and Drug Administration ("FDA") warned that a company's internet-connected insulin pumps have potential cybersecurity risks and suggested that patients switch to a different model. The devices are vulnerable to malicious use of radiofrequencies to change device settings impacting insulin delivery. The FDA was not aware of any reports of harm caused by the cybersecurity risk.

Regulatory—Defense and National Security

Executive Order Declares Network Security National Emergency

On May 15, President Trump issued an executive order that declares a national emergency with respect to foreign threats against information and communications technology and services in the United States. The executive order delegates authority to the U.S. Secretary of Commerce to establish, within 150 days, a regulatory regime to mitigate or prohibit transactions with a "foreign adversary" if the agency determines those transactions pose risk of sabotage to U.S. networks, critical infrastructure, the digital economy, or other national security risks.

Litigation, Judicial Rulings, and Agency Enforcement Actions

FTC Settles Data Breach Allegations with Website Operators

On April 24, the FTC announced settlements with website operators for failure to take reasonable steps to protect consumer data in light of a breach of each website. The FTC alleged that one company failed to implement readily available security measures, despite falsely claiming to use the latest security and encryption measures. This enabled a hacker to download a document with clear text information about 6.6 million consumers, including 500,000 in the United States. The FTC alleged that the second company failed to implement reasonable security measures to protect the personal information of children under the age of 13 and collected personal information from children without parental consent, in violation of the Children's Online Privacy Protection Act ("COPPA").

FTC Warns Dating App Operator about Potential COPPA, FTC Act Violations

On May 1, the FTC sent a letter to a Ukraine-based operator of an online dating application warning it about potential violations of COPPA by failing to block users who indicated they were under 13 years old from using the apps.

Indiana Attorney General Brings Data Breach Claim Against Credit Reporting Agency

On May 6, Indiana's attorney general sued a consumer credit reporting agency over claims that it violated the state's Disclosure of Security Breach Act and Deceptive Consumer Sales Act by failing to protect consumers' personal information. The complaint alleged that the agency failed to implement adequate security measures or disclose security deficiencies, resulting in a data breach in 2017. The attorney general is seeking penalties, injunctive relief, restitution, costs, and attorneys' fees.

Vermont Attorney General Settles Failure to Secure Information Charge Against Software Supplier

On May 23, Vermont's attorney general settled a charge against a third-party provider of municipal management software to municipalities in Vermont for failing to secure municipal employees' personal information in violation of the state's Consumer Protection Act. According to the complaint, the company failed to adequately encrypt the employees' personally identifiable information or maintain basic data security programs such as antivirus software or endpoint security, log attempts to access its server, and review its security programs. Under the settlement, the company must pay a penalty of $30,000, implement a specified security program, and provide information security risk training to employees.

Sixteen Attorneys General Settle Data Breach Charge with Electronic Health Records Company

On May 23, 16 state attorneys general reached a settlement with a health care service provider related to a data breach that affected 3.9 million people. The company provides patients with access to their personal electronic heath records. The state attorneys general concluded that the company failed to protect patient data because the hackers exploited vulnerabilities, such as poor password and security management protocols. The company must pay a penalty of $900,000, maintain a data security program, implement multifactor authentication to access electronic personal health information, implement a program to detect and respond to data breaches, train employees on cybersecurity policies, and implement stronger password security policies.

Three Attorneys General Investigate Medical Testing Vendor Over Data Breach

On June 5–7, Connecticut, Illinois, and Michigan attorneys general initiated investigations into a data breach of a collections service provider that exposed the medical and financial information of 19.7 million patients. The attorneys general have issued letters to the service provider requesting information about the breach, including what cybersecurity measures the company had in place, the categories of information compromised, and how the company planned to inform affected patients and prevent future breaches.

New York Attorney General Settles Data Breach Notification Charge Against Online Clothing Retailer

On June 6, the New York attorney general settled a breach claim against an online clothing retailer for allegedly failing to timely notify consumers about a breach of its website that led to unauthorized access to customer payment information. Under the settlement, the company must pay a penalty of $65,000, implement policies for investigating data breaches, and provide compliance training to

FTC Hosts Fourth Annual PrivacyCon

On June 27, the FTC hosted the fourth annual PrivacyCon, which focused on the latest academic research related to consumer privacy and data security. A video recording of the conference is available on the FTC website.

Software and Data Services Provider Settles Allegations of Data Security Violations

In June, the FTC voted 5–0 in favor of a settlement with a third-party provider of auto dealer software and data services regarding allegations that the provider failed to employ reasonable measures to protect personal information. The FTC alleged that the provider stored and transmitted personal data about auto dealers' customers and employees in clear text, without any access controls or authentication protections. The settlement prohibits the provider from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program.


Senate Staff Report Finds Federal Agencies Left Sensitive Data Vulnerable

On June 25, the Senate Homeland Security and Governmental Affairs Subcommittee released a 99-page report detailing system vulnerabilities that left Americans' sensitive personal information unsafe and vulnerable to theft. The report highlighted that the federal government holds extensive amounts of highly personal information on most Americans but found that eight government agencies have outdated, vulnerability-laden systems. The report made several recommendations, including the consolidation of security processes and capabilities across federal agencies.


Hawaii Adopts Resolution Authorizing Study on Internet Privacy

On April 30, the Hawaii legislature adopted Concurrent Resolution 225, which convenes a task force that will examine and recommend laws and regulations relating to internet privacy, the processing and protection of personal information, data breaches, and other related subjects. The task force will comprise members of the Senate and House, the attorney general, the director of Commerce and Consumer Affairs, the chief information officer, and the prosecuting attorney of the City and County of Honolulu. A report of the task force's findings and recommendations, including any proposed legislation, is due by December 1.

Maryland Expands Applicability of Data Breach Law

On April 30, the Maryland governor signed into law HB 1154, a bill amending the Maryland Personal Information Protection Act. The bill expands the applicability of the Act to those businesses that maintain personal information of Maryland residents. Prior to this bill, the investigatory requirement applied only to businesses that own or license personal information. The bill also shifts the responsibility of notification from businesses to "the owner or licensee of the computerized data." The law goes into effect October 1.

Washington Expands Data Breach Notification Law

On May 7, Washington's governor signed a bill into law that will expand the definition of "personal information" under the state's data breach notification law to include information such as health and genetic information, student and military identification numbers, usernames and passwords, biometric data, and electronic signatures. The law will also reduce the time period in which to notify consumers and the attorney general's office of a data breach from 45 to 30 days. The law will go into effect March 1, 2020.

New Jersey Amends Data Breach Law to Expand Definition of "Personal Information"

On May 10, New Jersey's governor signed into law S52, which amends New Jersey's data breach notification law by expanding the definition of "personal information" to include a resident's "user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." The bill also allows businesses to provide notification of a data breach electronically for data breaches involving the resident's username or password, in combination with any password or security question and answer that would permit access to an online account, except for a data breach involving the resident's email account. The law goes into effect September 1.

CCPA Amendments Progress in California Legislative Process

On May 16, the California State Senate Appropriations Committee declined to advance SB 561 out of the Committee by the legislative deadline. SB 561 would, among other requirements, have expanded the California Consumer Privacy Act's ("CCPA") private right of action to include any violation of the CCPA. However, several other key amendments passed their originating chamber and are still under consideration, including:

  • AB 25: This amendment would revise the CCPA's definition of "consumer" to exclude a covered business's job applicant, employee, contractor, or agent, provided that the personal information is collected and used within the course of the consumer acting in that role.
  • AB 1416: This amendment would, among other requirements, make clear that aggregate information and de-identified information do not qualify as "personal information" as defined by the CCPA.
  • AB 846: This amendment makes clear that the CCPA's nondiscrimination provision would not apply to loyalty and rewards programs in which consumers voluntarily participate, provided that such programs meet certain requirements.
  • AB 1564: This amendment clarifies that covered businesses may provide consumers with an email address, in addition to a physical address, for purposes of exercising consumers' CCPA rights.

Oregon Extends Data Breach Notification Requirements to Vendors

On May 24, Oregon's governor signed into law SB 684, a bill amending the Oregon Consumer Identity Theft Protection Act. Under the bill, vendors must notify the covered entity and the Oregon attorney general following a data breach unless the covered entity has already provided notice to the attorney general. The bill also expands the definition of "personal information" to include a consumer's "user name or other means of identifying a consumer for the purpose of permitting access to the consumer's account." The law goes into effect January 1, 2020.

Illinois Amends Data Breach Law to Add Attorney General Notification Requirement

On May 27, the Illinois legislature passed SB 1624, amending the Personal Information Protection Act. Under the bill, "data collectors," as defined under the Act, must provide notice to the attorney general "in the most expedient time possible and without unreasonable delay" if more than 500 Illinois residents are affected by a data breach. The bill now awaits the governor's approval. If signed by the governor, the law goes into effect October 1.

Nevada Amends Online Privacy Law to Add "Do Not Sell" Requirement

On May 29, Nevada's governor signed into law SB 220, which amends the state's existing online privacy law by requiring operators of websites and online services to provide consumers a new right to opt out of the sale of their covered information. The amended law also requires covered entities to provide a "designated request address" where consumers can submit opt-out requests. Covered entities will have 60 days to respond to such requests, with the possibility of a 30-day extension when "reasonably necessary." SB 220 preserves the law's existing enforcement mechanism, which affords the Nevada attorney general exclusive authority for enforcing the law. The law becomes operative October 1.

Oregon Adopts Law Requiring Security Features on Internet-Connected Devices

On May 30, Oregon's governor signed a bill into law that will regulate internet-connected devices—including things like video streaming devices, digital cameras, or garage door openers. Under the new law, manufacturers must give internet-connected devices "reasonable security features" to protect the devices and information stored on them from unauthorized access, destruction, modification, use, or disclosure. Failure to do so will result in a violation of the state's Unlawful Trade Practices Act. The new law will go into effect January 1, 2020.

Maine Passes Internet Privacy Protection Law

On June 6, Maine's governor signed into law LD 946, which requires broadband internet service providers ("ISPs") to obtain a customer's express, affirmative consent before using, disclosing, selling, or permitting access to the customer's personal information. LD 946 covers only ISPs that provide services to customers "physically located and billed for service received in the State." The law broadly protects information that customers generate when using internet services, including their web browsing history, personal identifying information, and geolocation information.

Texas Amends Data Breach Notification Requirements

On June 14, Texas Governor Greg Abbott signed into law HB 4390 amending the state's data breach notification law. Specifically, the bill requires that notice of a data breach be provided to consumers within 60 days. The bill also adds a requirement to notify the Texas attorney general if the entity must notify at least 250 Texas residents following a data breach. The bill also creates the Texas Privacy Protection Advisory Council, which is charged with studying privacy laws in Texas, other states, and in relevant jurisdictions outside the United States. The law goes into effect September 1, 2019 (privacy council amendment) and January 1, 2020 (notification amendment).

New York Passes SHIELD Act

On July 25, New York Governor Andrew M. Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which heightens data breach notification and data security requirements. The law contains four key requirements: (i) broadens the definition of "private information," which now includes biometric information and a username and corresponding password or security questions and answers; (ii) expands the definition of "data breach" to include "access" to private information; (iii) expands the territorial scope to any business that owns or licenses private information, not just companies that conduct business in New York; and (iv) requires companies to implement reasonable safeguards to protect private information. The breach notification amendments take effect October 23, 2019, while the data security requirements take effect March 21, 2020. For more information, please see our Jones Day Alert.

New York Passes Identity Theft Mitigation Law

On July 25, New York Governor Cuomo signed into law the Identity Theft Prevention and Mitigation Services Act, which requires a credit reporting agency that suffers a data breach containing consumer Social Security numbers to offer consumers certain identity theft prevention and mitigation services.


Canadian Centre for Cyber Security Issues Guidance on Protecting High-Value Information for Small and Medium Organizations

On April 30, the Canadian Centre for Cyber Security issued advice to small and medium organizations seeking to protect sensitive business, employee, and customer information. The Centre's advice included identifying threats and vulnerabilities within the organization and including cybersecurity as part of the organization's business processes. It also advised organizations on how to secure high-value information through a variety of steps, including encryption, applying anti-virus software, training employees on responses to incidents, and regularly backing up information.

Canadian Privacy Commissioner Reframes its Transborder Dataflow Consultation Document

On June 11, the Office of the Privacy Commissioner of Canada ("OPC") announced that it would change its approach to its consultation "on transfers for processing, including transborder dataflows." The OPC made this decision following the publication of the Canadian federal government's Digital Charter on May 21, in which the government suggested that "transborder data flows may be dealt with in an eventual new federal privacy law." The OPC invited stakeholders to submit comments and questions by August 6.

The following Jones Day lawyers contributed to this section: Shirley Chan, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Daniel Lopez, Christopher Markham, Mallory McKenzie, Marina Moreno, Katherine Nugent, Clinton Oxford, Nicole Perry, Kerianne Tobitsch, and Jenny Whalen-Ball.



Data Protection Agency Meets With United Nations Special Rapporteur on Right to Privacy

On May 7, the Director of Argentina's Data Protection Agency met with the United Nations Special Rapporteur on the Right to Privacy to evaluate the status of personal data protection in Argentina and discuss proposals to strengthen it (source document in Spanish). The Special Rapporteur is an independent expert appointed by the UN Human Rights Council to examine and report on a country situation or a specific issue—in this case, data privacy.

Argentina Participates in Plenary Meeting of Convention Committee of 108 Agreement

On June 13, the Access to Public Information Agency of Argentina participated in the Plenary Meeting of the Convention Committee of the 108 Agreement for the first time as a state party (source document in Spanish). The meeting took place at the headquarters of the Council of Europe in Strasbourg, France. Previously, Argentina had participated in the plenary meetings as an observer state. However, this was the first time that Argentina participated as a plenary country.


Brazilian Congress Approves Final Draft of General Data Protection Law

On May 29–30, both houses of the Brazilian National Congress approved the creation of the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, "ANPD") and made changes to the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, "LGPD") (source document in Portuguese). The ANPD was designed to strengthen the enforceability of the LGPD and regulate the use of personal information in Brazil. After consolidating amendments, the Brazilian Congress sent the final bill of law to President Bolsonaro for approval. All obligations created by the LGPD will go into effect by August 2020.

Bill of Law Plans on Criminalizing Data Privacy Violations

On May 30, a congressman presented a bill of law aimed to criminalize data privacy violations (source document in Portuguese). The bill of law would regulate the act of disclosing, providing, or granting access to personal data to third parties without authorization and/or lawful purposes. The potential sanctions would include two to six years of imprisonment and monetary fines. The bill of law will now be submitted to a vote by members of the Brazilian Congress.


Director of Chilean Council for Transparency Participates in Privacy Panel at RIPD Meeting in Mexico

On June 19–20, Andre Ruiz, director of the Council for Transparency, discussed challenges to personal data protection in Chile at the Meeting of the Ibero-American Data Protection Network ("RIPD") in Mexico (source document in Spanish). The director participated in a panel called "Challenges to Privacy and the Protection of Personal Data in the Governments of the Digital Era," in which she shared her experiences and the initiatives that Chile had developed at the national level.


Colombian Data Protection Agency Punishes Companies for Failure to Comply with Data Protection Law

On April 25, Andrés Barreto, the Superintendent of Industry and Commerce (Superintendencia de la Industria y el Comercio, "SIC"), issued resolution 9766/2019, imposing a fine of $496,899,600 pesos (approximately US$154,640) on a bank and ordering it to adopt measures regarding the rights of individuals in connection with the processing of personal information (source documents in Spanish). On the same day, the SIC also issued resolution 9800/2019, imposing a fine of $298,121,760 pesos (approximately US$92,778) on another company for violating the Colombian data protection law.


Jones Day Hosts Fourth Annual Latin America Privacy & Cybersecurity Symposium

On May 15–16, Jones Day produced and hosted the Fourth Annual Latin America Privacy & Cybersecurity Symposium in Mexico City. The Symposium brought together private practitioners, government officials, and experts to discuss regional trends in privacy and cybersecurity law. More than 300 attendees joined the event this year, which welcomed an impressive set of panels that included representatives from the Cyber Division of the U.S. Federal Bureau of Investigation, regional banking regulators, data protection agencies, and other similar agencies from Chile, Brazil, Costa Rica, and Mexico. The event covered many current topics in cybersecurity and privacy regulations, including the evolving nature of regulation, management of cyberattacks, and challenges in data privacy compliance posed by emerging technologies such as intelligent systems.

INAI Participates in Plenary Session of Council of Europe Convention 108 Consultative Committee

On June 18, the Mexican National Institute for Transparency, Access to Information and Personal Data Protection ("INAI") participated in the 38th Plenary Session of the Consultative Committee of the Council of Europe Convention 108 held in Strasbourg, France (source document in Spanish). The participants discussed issues related to the protection of personal data and privacy and the agenda of the Consultative Committee for 2020–2021, which will focus on issues of facial recognition, processing of personal data in the context of education systems, and automated profiling.

Mexican Data Protection Agency Considers Challenges of Blockchain Technology

On June 19, the INAI issued official communication No. INAI/2017/19 regarding the participation of the INAI's commissioner in the meeting of the Ibero-American Data Protection Network (source document in Spanish). The commissioner expressed that new technologies, such as blockchain, present both opportunities and risks with regard to the privacy of personal data. The commissioner expressed that these technologies simplify and reduce transaction costs, including those associated with access, rectification, cancellation, and opposition rights ("ARCO rights"). But he cautioned that there are risks in implementing such technology and emphasized the necessity of prioritizing privacy rights.

Mexico Hosts 17th Ibero-American Data Protection Meeting

On June 19–20, the 17th meeting of the Ibero-American Data Protection Network was held in Mexico, where dozens of experts and national and international authorities addressed issues relating to privacy and personal data protection, the use of new technologies, blockchain, data ethics, and cooperation between government authorities and companies in assessing the impact and challenges to data protection from the use of new technologies (source document in Spanish).


Panama Publishes New Law on Protection of Personal Data

On March 29, Panama published a new law on the protection of personal data, establishing principles, rights, obligations, and procedures to regulate the protection of sensitive private information (source document in Spanish). The new law regulates matters such as: storage or transfer of personal data; consent; definition of "sensitive data"; access, rectification, cancellation, opposition, and portability rights; database custodians; and the creation of the Personal Data Protection Council. The law will go into effect in 2021.


Uruguayan Data Protection Authority Hosts "Coffee Talk" on Artificial Intelligence and Personal Data Protection

On June 5, the Uruguayan Personal Data Regulation and Control Unit (Unidad Reguladora y de Control de Datos Personales) hosted a new "Coffee Talks" event where the panelists discussed the use of artificial intelligence ("AI") and AI's implications for personal data protection (source document in Spanish). They also exchanged views on the impact of AI on people's lives, especially the relationship between "innovation" and "privacy." In this context, the panelists agreed that the protection of personal data does not hinder innovation; to the contrary, it allows the technologies to develop within a framework of guarantees.

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, Juan Carlos Quinzaños, and Gabriela C. Samanez.


European Council

Council of the European Union Adopts Sanctions Regime for Cyberattacks

On May 17, the Council of the European Union adopted Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the European Union or its Member States. The Regulation establishes a framework allowing the European Union to impose targeted restrictive measures, such as a travel ban or asset freeze, and deter and respond to cyberattacks that constitute an external threat to the European Union or its Member States.

European Parliament

European Parliament Releases Briefing on European Union's Data Protection Achievements

In April, the European Parliament published a briefing on personal data protection achievements during the 2014–2019 legislative term, highlighting the EU General Data Protection Regulation, Regulation 2018/1725, and the adequacy decision as some of its notable achievements.

European Parliament Adopts Regulation Strengthening European Union's Cybersecurity and Cyber-Resilience

On April 17, the European Parliament adopted Regulation (EU) 2019/881, which strengthens the mandate of the European Union Agency for Cybersecurity ("ENISA"), the EU cybersecurity watchdog, to support EU Member States with tackling cybersecurity threats and attacks. It also establishes an EU-wide cybersecurity certification framework in which ENISA plays a key role. Under the new Framework, ENISA will coordinate the preparation of candidate cybersecurity certification schemes to be submitted to the European Commission for adoption.

European Commission

EC Issues Recommendation on Cybersecurity in Energy Sector

On April 3, the European Commission ("EC") issued Recommendation (EU) 2019/553 on cybersecurity in the energy sector. The Recommendation provides guidance to network operators and technology suppliers on how to address the specific cybersecurity challenges of the energy sector, including concerns related to the combination of legacy and state-of-the-art technologies.

EC Presents Next Steps on Building Trust in Artificial Intelligence

On April 8, the European Commission presented next steps for building trust in AI. The Commission set forth seven key requirements for "trustworthy" AI, including human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, nondiscrimination, and fairness; societal and environmental well-being; and accountability.

EC Issues Guidance on Free Flow of Non-Personal Data

On May 29, the European Commission issued a Communication that provides guidance on the Regulation on a framework for the free flow of non-personal data ("FFD Regulation") in the European Union. This guidance aims to help users understand the interaction between the FFD Regulation and the General Data Protection Regulation, particularly when data sets comprise personal and non-personal data.

European Data Protection Board

EDPB Releases Draft Guidelines on Data Processing of Online Services for Public Consultation

On April 10, the European Data Protection Board ("EDPB") released draft guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. The guidelines provide practical guidance for relying on a contract as the legal basis for processing personal data in the context of online services. The guidelines also discuss how using a contract as a legal basis for processing personal data applies in specific situations, such as fraud prevention and online behavioral advertising.

EDPB Designates Representatives for Third Annual Review of EU–U.S. Privacy Shield

On May 15, during the 10th plenary session of the EDPB, the EDPB designated representatives for the third annual review of the EU–U.S. Privacy Shield. Austria, Bulgaria, France, Germany, Hungary, and the EDPS will represent the Board during the review.

EDPB Issues Statistics on Cases at GDPR's One-Year Anniversary

On May 22, the EDPB took stock of the GDPR on its one-year anniversary. According to the EDPB's summary, a total of 446 cross-border cases have been registered to date, 205 of which led to One-Stop-Shop procedures. In addition, more than 144,000 queries and complaints and more than 89,000 data breaches have been logged by the supervisory authorities.

EDPB Adopts Final Version of Annex 2 to Guidelines on Certification

On June 4, the EDPB adopted the final version of Annex 2 to the Guidelines on Certification. These guidelines identify overarching criteria, which may be relevant to all types of certification mechanisms issued in accordance with Article 42 and Article 43 of the GDPR. Annex 2 sets forth a list of minimum requirements that the EDPB and data protection authorities ("DPAs") will consider when approving certifications.

EDPB Adopts Final Version of Guidelines on Accreditation of Certification Bodies

On June 4, the EDPB adopted the final version of Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of Regulation 2016/679. These guidelines convey the purpose of accreditation in the context of the GDPR, explain available routes to accredit certification bodies, and provide a framework for establishing additional accreditation requirements.

EDPB Adopts Final Version of Guidelines on Codes of Conduct and Monitoring Bodies

On June 4, the EDPB adopted the final version of Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. These guidelines aim to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the GDPR, along with clarifying the procedures and rules involved in the submission, approval, and publication of codes of conduct.

European Data Protection Supervisor

EDPS Adopts Opinion in Context of Budapest Cybercrime Convention

On April 2, the European Data Protection Supervisor ("EDPS") adopted Opinion 3/2019 regarding participation in negotiations of a Second Additional Protocol to the Budapest Cybercrime Convention. The EDPS supports the adoption of a Council Decision giving a clear mandate to the European Commission to participate in the ongoing negotiations. It also stressed the need for detailed safeguards regarding international data transfers and the respect of fundamental rights.

EDPS Releases Opinion on EU–U.S. Agreement for Cross-Border Access to e-Evidence

On April 2, the EDPS adopted Opinion 2/2019 on an EU–U.S. agreement on cross-border access to electronic evidence. This follows the European Commission's adoption of a recommendation to negotiate with the United States on access to electronic evidence in criminal matters. The EDPS welcomed the need for data protection safeguards and suggested adding compliance with Article 16 of the Treaty on the Functioning of the EU as a substantive legal basis for the processing of personal data in the future EU–U.S. agreement.

European Union Agency for Cybersecurity

ENISA Issues Recommendations on Industry 4.0 and Cybersecurity Challenges

On May 20, the European Union Agency for Cybersecurity ("ENISA") published Industry 4.0—Cybersecurity Challenges and Recommendations. The Recommendations identify the main challenges to the adoption of security measures in the context of Industry 4.0 and Industrial IoT. Moreover, ENISA lists high-level recommendations for different stakeholder groups to promote Industry 4.0 cybersecurity and facilitate wider adoption of relevant innovations in a secure manner.

ENISA Publishes Annual Report on Telecom Security Incidents

On June 5, ENISA published its annual report on telecom security incidents. The incident report stressed that in 2018, natural phenomena and system failures were the dominant causes of security incidents.


Belgium

Belgian DPA Publishes 2018 Annual Report

On April 25, the Belgian Data Protection Authority ("DPA") published its 2018 annual report (source document in French and Dutch). The report highlights the DPA's notable actions, which include new implementing legislation and the transition from the Privacy Commission to the Belgian DPA. The report canvasses the main activities of the DPA and offers several figures for 2018, including the number of data breaches (445 in 2018, compared to 25 in 2017), opinions on draft legislation (215), files of all types (7,182 cases), and investigations (73).

Brussels Court of Appeal Rejects Jurisdiction in Data Privacy Case Involving Social Media Company

On May 8, the Brussels Court of Appeal ruled on jurisdiction in a longstanding case concerning a social media company's noncompliance with the Belgian privacy and European privacy rules (source document in Dutch). The Brussels Court of Appeal ruled that it had no jurisdiction in relation to the company. Although the court stated that it had jurisdiction with respect to the company's Belgian affiliate, it referred preliminary questions to the Court of Justice of the European Union with respect to the interest of the Belgian DPA to act against the entity before national courts.

Belgian DPA Issues its First GDPR Fine

On May 28, the Belgian DPA imposed its first financial penalty since the GDPR's establishment (source document in Dutch). The administrative fine amounts to €2,000 and relates to the misuse of personal data by a mayor for election purposes.

Belgian DPA Launches a Consultation on Direct Marketing

On July 12, 2019, the Belgian DPA launched a consultation to update its direct marketing recommendation, which was released on January 30, 2013 (source document in French and Dutch). The Consultation was available online until July 31, 2019, and sought input on the most prevalent issues facing organizations since the implementation of the GDPR as well as the technologies data controllers use when conducting their marketing activities.


France

CNIL Releases Best Practices for Developers

On May 13, the French Data Protection Authority ("CNIL") released a "Developer Kit," which offers a series of best practices to help developers choose their work tools, manage source codes, understand how to use software libraries, and document coding activities (source document in French).

CNIL Reports on First Year of GDPR Implementation

On May 23, the CNIL issued a report on the implementation of the GDPR (source document in French). The CNIL highlighted the increase in complaints filed by data subjects (11,900) and noted that 19,000 data protection officers were appointed by data processing entities. The CNIL also stated that it received 2,044 notifications of data breaches.

CNIL Launches Fourth Edition of CNIL–INRIA Privacy Award

On May 29, the CNIL launched the fourth edition of the CNIL–INRIA privacy award, which is intended to promote research on the protection of personal data and privacy. For example, submissions may cover issues related to privacy by design, algorithm transparency, anonymization, privacy risk analysis, and accountability.

CNIL Releases Action Plan for Targeted Online Advertising

On June 28, the CNIL released its 2019–2020 action plan on the use of targeting technologies in online advertising (source document in French). The CNIL stated that it will issue new guidelines on the rules applicable to the use of targeting technologies and will provide operators with a 12-month period to implement the new guidelines. The CNIL will also initiate a consultation with stakeholders on operational methods to obtain a data subject's consent.

CNIL Provides for Transition Period on Legal Framework Applicable to Online Consent

On June 28, the CNIL published a press release where it stated that "scrolling down or swiping through a website or application" is not considered as a valid expression of consent. Therefore, after the publication of the new guidelines on online consent, the CNIL announced a 12-month transition period for entities to adopt new practices for obtaining online consent. The CNIL is also implementing relevant changes on its own website.


Germany

DSK Issues Guide on Data Protection Requirements for Telemedia Service Providers

In March, the Datenschutzkonferenz ("DSK"), which is the consensus body of the German Data Protection Authorities, issued a guideline on data protection requirements for the processing of users' data through telemedia services (source document in German). The lawfulness of the data processing may be based on Article 6 para. 1 (f) (legitimate interests), and if the legitimate interest justification is not available, Article 6 para. 1 (a) GDPR (consent). The guide addresses these requirements in detail and provides examples related to websites, cookies, and tracking.

DSK Publishes Guideline on Access Protection for Online Service Providers

On March 29, the DSK published a guideline on access protection for online service providers (source document in German). It provides for, inter alia, a list of measures regarding the secure transmission and storage of passwords, the course of action in the event that services are compromised, and password security requirements.

DSK Releases Position Paper on Biometric Analysis

On April 3, the DSK released a position paper on biometric analysis (source document in German). The paper describes various biometric systems and sensors as well as different "use cases" for them. The paper also evaluates the processing of biometric data under the GDPR and sets forth factors that should be taken into account when using biometric systems.

Data Protection Officer Imposes First Fine on Police Officer

On May 9, the data protection officer of Baden-Württemberg imposed a fine of €1,400 on a member of the police force (source document in German). The officer used the internal databases of the Federal Motor Transport Authority to obtain the telephone number of a casual acquaintance in order to call her. This was, according to our knowledge, the first published German case of a fine imposed on a public servant pursuant to the GDPR.

German Parliament Passes Second GDPR Implementation Bill

On June 27, the German Parliament passed the second GDPR implementation bill (source document in German). The bill addressed changes in 154 laws. The main changes included, inter alia, the adaptation of definitions and legal bases for data processing as well as regulations regarding data subjects' rights. Furthermore, the threshold in the German Federal Data Protection Act for private companies to designate a data protection officer was increased from 10 to 20 persons involved in data processing. Consents in the employment relationship may now be obtained in writing and electronically.


Italy

Italian DPA Facilitates Transfer of Data Among Financial Supervisors Within and Outside EEA

In May, the Italian Data Protection Authority ("DPA") authorized the Italian financial supervisor to enter into an administrative agreement for the transfer of personal data between the financial supervisors of the European Economic Area ("EEA") and those outside the EEA (source document in Italian). This agreement seeks to prevent illegal activities and to increase the quality of international cooperation. This action marks the first time the DPA has authorized the Italian financial supervisor to transfer data to other financial supervision authorities in accordance with Article 46 of the GDPR. The DPA established additional conditions, including a requirement that the Italian Companies and Exchange Commission ("CONSOB") must inform the DPA of any suspension of data transfers, as well as any revision or suspension of participation in the agreement.

Italian DPA Clarifies Consent to Marketing in Context of Prize Contests

On June 12, the Italian DPA issued an order clarifying that a data subject's consent to marketing activity cannot be a condition to participate in a prize contest (source document in Italian). The DPA reviewed a company's registration practices for a prize contest. As a condition for completing registration for the contest, the company required registrants to join the customer loyalty program and consent to marketing activity. The DPA determined that this did not provide customers with the opportunity to express free and specific consent for promotional activity. The DPA ordered the company to change the data collection form on its website so that users may express a free and informed consent for promotional uses of their data.

The Netherlands

NCSC Publishes Transport Layer Security Guidelines

On April 23, the Dutch National Cyber Security Centre ("NCSC") published an update to its transport layer security ("TLS") protocol guidelines (source document in Dutch). The updated guidelines aim to improve TLS configuration security, so that organizations can prioritize certain threats requiring daily attention. The guidelines assist entities with procurement, setup, and review of TLS configurations.

EDPB Elects Aleid Wolfsen as New Deputy Chair

On May 15, the European Data Protection Board ("EDPB") elected Aleid Wolfsen as the new deputy chair (source document available in Dutch and in English). Along with fellow Deputy Chair Ventsislav Karadjov, Aleid Wolfsen will support the EDPB Chair Andrea Jelinek in her work for the Board over the coming years.


Spain

SDPA Publishes Guide Addressing Data Protection Impact of Drones

On May 30, the Spanish Data Protection Agency ("SDPA") published a guide called "Drones and Data Protection," which addresses the impact of various types of drone operations, including those with the capability of processing personal data and those whose operations actually process personal data, such as video surveillance (source document in Spanish). The guide offers a series of recommendations for amateur and professional drone operators.

SDPA Publishes Recommendations for Anonymization Processes

On June 14, the SDPA published a technical note addressing anonymization processes performed on data sets (source document in Spanish). The publication addresses the limitations on the effectiveness of anonymization processes, the extent to which information is actually anonymized, and how the risk of re-identification can be managed. In light of the GDPR, the SDPA cautions that entities must analyze the risks of data processing, including those arising from potential re-identification derived from the anonymization processes, and those risks generated in the subsequent enrichment of data sets.

United Kingdom

UK Government Launches Consultation on Regulation of Consumer Internet of Things

On May 1, the UK government launched a consultation on privacy and security issues raised by IoT devices, including regulatory proposals for a security labelling scheme to evidence compliance with the voluntary Code of Practice for Consumer Internet of Things Security.

ICO Closes Its "Regulatory Sandbox"

On May 24, the ICO closed its regulatory sandbox that allows selected organizations with products and services using personal data in innovative ways access to ICO expertise, support, and a way to test how data protection frameworks may apply.

ICO Fines Hotel Chain £99 Million Under GDPR for Data Breach

On July 9, the ICO announced its intention to fine a hotel chain £99 million for GDPR violations in relation to a data breach that compromised the personal information of customers. The hotel chain acquired a company whose systems had been compromised, but the hotel chain did not discover the exposure of customer information until two years after the acquisition. The ICO's investigation found that the hotel chain failed to conduct sufficient due diligence when it bought the company.

The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Sara Rizzon, Irene Robledo, Elizabeth Robertson, Lucia Stoican, Ludovica Terenzi, and Rhys Thomas


Hong Kong

Insurance Agent Receives Conviction Related to Direct Marketing

On April 3, an insurance agent was convicted of two charges under the Personal Data Ordinance. The first charge related to its use of the personal data of a data subject in direct marketing without obtaining her consent, in contravention of section 35C of the Ordinance. The second charge related to its failure to inform the data subject of her right to request that her personal data not be used in direct marketing, in contravention of section 35F of the Ordinance. The insurance agent pleaded guilty to both charges and was fined HK$8,000 in total.

Privacy Commissioner Responds to Suspected Clandestine Photographing in Taxis

On April 21, Hong Kong's Privacy Commissioner for Personal Data announced guidance on the suspected incident of artists being photographed inside taxis (source document in Chinese). The Privacy Commissioner has also issued "Guidance on CCTV Surveillance and Use of Drones" and will continue to strengthen educational campaigns. The Commissioner is proceeding with caution as he considers new restrictions and regulations, so as not to unduly hinder economic and technological development.

Privacy Commissioner Releases Compliance Checks Report Regarding Hong Kong Shopping Mall Membership Programs

On April 25, the Privacy Commissioner released a compliance checks report called "Overview of Personal Data Collection in Shopping Mall Membership Programs and Online Promotion Activities." The report provides guidance on personal data collection in shopping malls and online promotion activities, particularly membership programs. In general, the Privacy Commissioner accepts the collection of contact information for the purposes of identification and communication, but the collection of national HKID Card numbers by membership programs is generally considered excessive due to the sensitive nature of the data and the associated risk of identity theft.

Bank Receives HK$10,000 Fine for Direct Marketing Offense

On May 21, a bank was convicted under section 35G(3) of the Privacy Ordinance for failing to comply with a request from a data subject to cease using his personal data in direct marketing. The bank pleaded guilty to the charge and received a HK$10,000 fine.

Auction Company Receives HK$20,000 Fine for Direct Marketing Offense

On May 27, a company was convicted of two charges under the Privacy Ordinance. The first charge relates to the company's failure to obtain a data subject's consent before using her personal data in direct marketing, in contravention of section 35C of the Privacy Ordinance. The second charge relates to the failure to inform the data subject of her right to request that her personal data not be used in direct marketing, in contravention of section 35F of the Privacy Ordinance. The company pleaded guilty to both charges and was fined HK$20,000 in total.

Hong Kong and Singapore Sign MOU to Strengthen Cooperation in Personal Data Protection

On May 31, the data protection authorities of Hong Kong and Singapore signed a Memorandum of Understanding ("MOU") to strengthen cooperation on personal data protection between the two jurisdictions. Under the MOU, the authorities will share experiences and best practices, conduct joint research projects, and exchange information on potential or ongoing data breach investigations. Hong Kong and Singapore are also releasing a jointly developed "Guide to Data Protection by Design ("DPbD") for Information and Communications Technology ("ICT") Systems," which provides organizations with practical guidance for all phases of software development and good data protection practices in ICT system design.

Privacy Commissioner Issues Enforcement Notice Related to Data Breach

On June 6, the Privacy Commissioner published an investigation report on the breach of personal data of approximately 9.4 million airline passengers. The Privacy Commissioner found that the airline violated the data protection principles under the Privacy Ordinance relating to personal data security and retention, and served an Enforcement Notice directing the company to remedy and prevent any recurrence of the contraventions. It ordered the company to engage an independent data security expert to overhaul its systems containing personal data, implement effective multifactor authentication for remote access, conduct effective vulnerability scans, and destroy all unnecessary HKID Card numbers collected, among other measures.

Beauty Product Company Receives HK$8,000 Fine for Direct Marketing Offense

On June 18, a beauty product company was convicted under section 35C of the Privacy Ordinance for failing to obtain consent prior to using the personal data of a customer in direct marketing. The company pleaded guilty and was fined HK$8,000. The Privacy Commissioner reiterated the importance of small and medium enterprises' compliance with the requirements of the Privacy Ordinance on the protection of personal data in Hong Kong, and it emphasized the need for organizations to adopt proper data stewardship when handling customers' data.

People's Republic of China

Agency Issues Draft Measures to Complement E-Commerce Law

On April 30, the State Administration for Market Regulation published a notice announcing that the "Internet Transaction Supervision and Management Measures" ("Draft Measures") were open for public comments until May 29 (source documents in Chinese). The Draft Measures were drafted to complement the E-Commerce Law of the People's Republic of China, which came into effect January 1 (source document in Chinese). The goal of the Draft Measures was to resolve issues regarding the collection and use of consumers' personal information by requiring network transaction operators to clearly indicate the purpose, manner, and scope of information collected and obtain consumer consent on a case-by-case basis.

Agency Issues Notice to Solicit Opinions on Collection and Use of Personal Information by Apps

On May 5, the Office of the Central Cyberspace Affairs Commission published a notice to solicit opinions on the draft of "Applicable Appraisal Methods for the Unlawful and Illegal Collection and Use of Personal Information by Apps" (source document in Chinese). The purpose of the Appraisal is to commence security assessments on apps that collect and use personal information in violation of the law and regulation, and to identify apps that force users to provide consent or collect personal information in excess or out of scope of the consent.

Zhejiang Police Crack Down on Malicious Registration of Online Accounts

On May 12, the Office of the Central Cyberspace Affairs Commission published an update on enforcement actions in Zhejiang based on the "Clean Internet Campaign 2019" (source document in Chinese). Investigations and enforcement activity focused on companies that allegedly engaged in the use of personal information for malicious registration of internet accounts or illegal fourth-party
Enforcement action has been taken in 262 criminal cases.

Agency Publishes Cybersecurity Review Measures

On May 24, the Office of the Central Cyberspace Affairs Commission published the "Cybersecurity Review Measures (Draft for Comment)" for the purpose of improving the safety and management of key information infrastructure and maintaining national security (source document in Chinese).

Agency Issues Notice on Measures for Data Security Management

On May 28, the Office of the Central Cyberspace Affairs Commission published draft "Measures for Data Security Management" (source document in Chinese). The measures govern the way network operators (owners, administrators, and service providers) collect personal information, obtain data subject consent, correct or remove personal information, deregister users' accounts, and handle data breaches. The measures aim to protect national security and the legitimate interests of citizens, among other goals.

Agency Issues Notice on Regulations to Protect Children's Personal Information

On May 31, the Office of the Central Cyberspace Affairs Commission published a notice seeking public comments on the "Regulations on the Protection of Children's Personal Information on the Internet" (source document in Chinese). The Regulations aim to protect the legitimate interests of children by governing the collection, storage, use, and removal of personal information of minors under 14 years old. Among its proposed provisions, the Regulations stipulate that network operators should set up protection rules and user agreements dedicated specifically to children's personal information and should appoint a personal data protection officer to be responsible for the protection of children's personal information. Network operators are also required to inform and obtain the express consent of children's guardians when collecting or using children's personal information.

Technical Committee Publishes Guidelines for Mobile App Providers

On June 1, the National Information Security Standardization Technical Committee published "Guidelines for Network Security Practices—Essential Information Specification for Basic Business Functions of Mobile Internet Applications" to set out the types of personal information commonly required by 16 basic categories of mobile applications (source document in Chinese). The Guidelines regulate the collection of personal information by mobile internet application providers.

Agency Issues Notice Related to Transfer of Personal Information

On June 13, the Office of the Central Cyberspace Affairs Commission published a notice seeking public comments on the draft "Measures for Assessment of Personal Information Exit Security" (source document in Chinese). The Measures aim to restrict the transfer of personal information outside China and were issued for the purposes of protecting personal information security, safeguarding cyberspace sovereignty, and protecting national security interests.

Government Issues 2019 Plan of Special Action for Online Market Regulation

On June 23, several government departments published the 2019 Plan of Special Action for Online Market Regulation, which aims to protect personal information collected in e-commerce (source document in Chinese). The Plan aims to promote fair competition in e-commerce, protect consumers and the legitimate interests of businesses, and ensure sustainable development of e-commerce.


Singapore

PDPC Signs MOU with United Kingdom's ICO

On June 14, Singapore's Personal Data Protection Commission ("PDPC") signed a Memorandum of Understanding ("MOU") with the United Kingdom's Information Commissioner's Office ("ICO"). The MOU establishes a working relationship between the two regulatory bodies for cross-sharing of experiences, exchanging best practices, engaging in joint research projects, and exchanging information on regulatory approaches and activities.

PDPC and IMDA Release First Comprehensive Trusted Data-Sharing Framework

On June 28, the PDPC and the Infocomm Media Development Authority ("IMDA") released the first comprehensive Trusted Data-Sharing Framework to facilitate data sharing between organizations. The framework establishes a set of baseline practices by providing a common data-sharing language and includes resources that enable data sharing.

PDPC Releases DPO Competency Framework and Training Roadmap

On July 17, the PDPC released the Data Protection Officer ("DPO") Competency Framework and Training Roadmap. The purpose of the roadmap is to provide information on the core competencies and proficiency levels a DPO needs and to serve as a resource for companies in their hiring and training of DPOs.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.


Australia

Fair Work Commission Clarifies Employee Records Exception in Privacy Act

On May 1, the Fair Work Commission handed down a decision clarifying the application of the Privacy Act 1998 (Cth) to the collection of personal information from employees. The case involved an employer that sought to institute a fingerprint scanning system to record employees' site attendance. The company terminated an employee who repeatedly refused to use the system. The Commission held that the employee's fingerprint was "sensitive information" under the Privacy Act, and therefore the company was required to obtain the employee's consent before soliciting or collecting his fingerprint. The Commission found that the company had no privacy policy as required by Australian Privacy Principle (APP) 1, and the company provided the employee with some, but not all, of the information required by a privacy collection notice under APP 5. The Commission also held that the "employee records exception" to the APPs in section 7B(3) of the Privacy Act did not apply, since the exception applies to records already held by an employer, and does not relieve employers from the obligation to obtain consent from employees before collecting new forms of "personal information."

Liberal/National Coalition Wins Federal Election

On May 18, the coalition of the Liberal Party and the National Party, led by Prime Minister Scott Morrison, won reelection in the federal election. Many of the legislative changes with respect to privacy and cybersecurity announced by the Morrison government before the election will likely progress. These changes include amending the Privacy Act 1998 (Cth) to increase penalties for breaches and amending the Telecommunications and Other Legislation (Assistance and Access) Act 2018 (Cth), which requires designated communications providers to grant access to communications when requested by law enforcement agencies. Work has already begun. On August 1, the Federal Parliament passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019, which creates the Consumer Data Right, a legislative framework to compel data holders to share nominated consumer data with individuals and businesses. We reported on these developments in the March 2019 and May 2019 Global Privacy & Cybersecurity Updates.

The following Jones Day lawyers contributed to this section: Adam Salter and Drew Broadfoot.

Recent and Upcoming Speaking Engagements

Accommodating Data Subjects Exercising Their Rights, IAPP Data Protection Intensive Germany 2019 (September 2019). Jones Day Speaker: Undine von Diemar

Global Privacy & Cybersecurity Law Update, Dallas Bar Association Technology Summit, Dallas, Texas (September 2019). Jones Day Speaker: Jay Johnson

Current Risks & Attack Trends, 3rd Cybersecurity and Data Privacy Law Conference, Plano, Texas (September 2019). Jones Day Speaker: Jay Johnson

Industrial IoT, Privacy, Security, Risk, 2019, Las Vegas, Nevada (September 2019). Jones Day Speaker: Mauricio Paez

Data Protection in Europe (CIPP/E preparation training course), IAPP Data Protection Intensive Germany 2019 (September 2019). Jones Day Speaker: Undine von Diemar

Overview on Developments in US Privacy Law, IAPP KnowledgeNet Summer Event, Munich, Germany (July 2019). Jones Day Speaker: Undine von Diemar

The GDPR One Year On: A Look at the Lessons From Implementation and the Next Steps for Compliance and Enforcement (June 2019). Jones Day Speakers: Undine von Diemar, Jörg Hladjk, Olivier Haas, Jonathon Little

The GDPR—A Catalyst for Digital Transformation? European Association for Identity and Security (EEMA) Annual Conference 2019, London, UK (June 2019). Jones Day Speaker: Jörg Hladjk

Combatting Insider Threat, Ernst & Young event (June 2019). Jones Day Speaker: David Coogan

Building a Cybercrime Prosecution: Law Enforcement and Corporate Perspectives (with DOJ and FBI), MIT Applied Cybersecurity Professional Education Program, Cambridge, Massachusetts (June 2019). Jones Day Speaker: Lisa Ropple

Cybersecurity Issues Facing the Drone Community, ABA 2019 Drone Law Conference, Washington, D.C. (June 2019). Jones Day Speaker: Samir Jain

Advising Boards of Directors About Cyberattacks and Incident Response, Boston Bar Association, Privacy and Cybersecurity Conference, Boston, Massachusetts (May 2019). Jones Day Speaker: Lisa Ropple

Fourth Annual Latin America Privacy & Cybersecurity Symposium, Mexico City, Mexico (May 2019). Jones Day Speakers: Various

Security Orchestration, Automation, and Incident Response, CISO Executive Network, Washington, DC (May 16, 2019). Jones Day Speaker: Samir Jain

Reorienting How the Private Sector and Government Defend Against Data Breaches, IAPP Global Privacy Summit, Washington, D.C. (May 2019). Jones Day Speaker: Samir Jain

Recent and Upcoming Publications

Whistleblower Receives First False Claims Act Payout for Cybersecurity Claim (August 2019). Jones Day Authors: Jay Johnson, Jennifer Everett, Shamoil Shipchandler, Patrick Boyd

New York Passes SHIELD Act Amending Data Breach Notification Law (August 2019). Jones Day Authors: Mauricio Paez, Kerianne Tobitsch, Clinton Oxford

The EU Cybersecurity Act is Now Applicable (June 2019). Jones Day Authors: Undine von Diemar, Jörg Hladjk, Olivier Haas, Jonathon Little

Proposed Algorithmic Accountability Act Targets Bias in Artificial Intelligence (June 2019). Jones Day Authors: Various

HHS Releases Guidance on Direct Liability for Business Associates Under HIPAA (June 2019). Jones Day Authors: Mauricio Paez, Kristen McDonald, Courtney Carrell

French Blocking Statute: A Renewed Interest? (June 2019). Jones Day Authors: Various

"Pretext Theory" as Applied to Unsolicited TCPA Fax Advertisement Claims (June 2019). Jones Day Authors: Todd Kennard, Bill Dolan

New York Department of Financial Services Announces Creation of Cybersecurity Division (June 2019). Jones Day Authors: Mauricio Paez, Kerianne Tobitsch

Current Trends: Discovery of Electronically Stored Information on Mobile Devices and Social Media (June 2019). Jones Day Authors: Jennifer Del Medico, Tiffany Lipscomb-Jackson

IRS Summons for Law Firm Client Data Is Enforceable (May 2019). Jones Day Authors: Kathy Keneally, Frank Jackson, Michael Scarduzio

Data Breach Class Actions in Australia (May 2019). Jones Day Authors: Various

How Does Australia's New Consumer Data Right Work? (May 2019). Jones Day Authors: Adam Salter, Prudence Smith

Key Lessons From Australia's Notifiable Data Breach Scheme (April 2019). Jones Day Authors: Adam Salter, Prudence Smith

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day
