Regulatory—Policy, Best Practices, and Standards
NIST Releases Revision to Security Standard
On September 23, the National Institute of Standards and Technology ("NIST") released Revision 5 to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. According to NIST, "[t]he update represents a multi-year effort to develop the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size."
Regulatory—Consumer and Retail
FTC Hosts Workshop on Proposed Amendments to GLBA Safeguards Rule
On July 13, the Federal Trade Commission ("FTC") hosted a workshop to discuss public comments raised in response to the FTC's proposed amendments to the Gramm-Leach-Bliley Act's ("GLBA") Safeguards Rule, which requires financial institutions to maintain a comprehensive information security program. Topics discussed during the workshop included the cost, availability, and implementation of information security for institutions of different sizes; penetration and vulnerability testing; and the costs of and possible alternatives to encryption and multifactor authentication.
FTC Hosts PrivacyCon
On July 21, the FTC hosted its fifth annual PrivacyCon to discuss privacy issues concerning health applications, bias in artificial intelligence algorithms, IoT, international privacy, and other privacy-related topics. The transcript and video from that workshop are available on the FTC's website.
FTC Seeks Comments on Proposed Changes to Rules Implementing FCRA
On August 24, the FTC sought public comments on its proposed amendments to five rules implementing the Fair Credit Reporting Act ("FCRA"). The FTC's proposed amendments would modify the five implementing rules to properly reflect their application only to motor vehicle dealers after the FTC's broader rulemaking authority transferred to the Consumer Financial Protection Bureau under the Dodd-Frank Act.
SEC OCIE Warns of Increased Use and Sophistication of Ransomware
On July 10, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") issued an alert to financial firms about emerging threats from ransomware. The OCIE warned SEC registrants and their service providers that the OCIE has observed an increase in the sophistication of ransomware attacks on these entities.
NYDFS Pursues First Enforcement Action Under Cybersecurity Regulation
On July 22, the New York Department of Financial Services ("NYDFS") filed a statement of charges against an insurance company alleging violations of its Cybersecurity Regulation, 23 NYCRR 500. NYDFS alleges that tens of millions of documents containing consumers' sensitive personal information were exposed through a vulnerability on the company's website from October 2014 through May 2019, and that the company failed to take reasonable remedial steps after discovering the issue. NYDFS stated that it can assess fines of up to $1,000 per violation, and considers each instance of exposed nonpublic information to be a separate violation.
FinCEN Alerts Financial Institutions to Red Flags of Cybercrime During the Pandemic
On July 30, the Financial Crimes Enforcement Network ("FinCEN") issued an Advisory alerting financial institutions to potential indicators of cybercrime and other cyber-enabled crime observed during the pandemic. The Advisory highlights red flags relating to: (i) attacks on financial institutions' remote systems, including digital manipulation of identity documentation and attempts to compromise private account login credentials; (ii) phishing, malware, and extortion schemes relating to COVID-19 themes, such as payments relating to the Coronavirus Aid, Relief, and Economic Security Act, or CARES Act; and (iii) business email compromise schemes in which criminals use spoofed or compromised email accounts to communicate with unsuspecting employees.
OCC Fines Bank $80 Million for Data Breach
On August 6, the Department of the Treasury's Office of the Comptroller of the Currency ("OCC") assessed an $80 million penalty against a bank for a 2019 data breach involving the personal information of 106 million customers who applied for credit cards. The OCC stated in the consent order that the bank's internal audit did not identify weaknesses and gaps in its cloud operating environment. The OCC also found that the board did not take effective actions to hold management accountable, particularly with regard to internal control gaps and weaknesses. The OCC and the Federal Reserve Bank also issued cease-and-desist orders to the bank imposing various requirements related to risk assessment and management, board and management oversight, and ongoing regulatory supervision.
OFAC Warns That Ransomware Payments May Violate OFAC Sanctions
On October 1, the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") issued an advisory warning that companies that make or facilitate ransomware payments could face potential penalties for engaging with sanctioned entities, countries, or regions. OFAC warns that negotiating or paying ransoms "not only encourage future ransomware payment demands but also may risk violating OFAC regulations." OFAC encourages companies to implement a risk-based compliance program to mitigate potential exposure to sanctions-related violations, including taking into account the risk that a ransomware payment may involve a person on the Specially Designated Nationals and Blocked Persons List.
FinCEN Issues Advisory on Ransomware Payments
On October 1, FinCEN issued an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The Advisory addressed trends related to ransomware operations, including targeting larger companies for higher payments, requiring payments using cryptocurrencies, and sharing exploit kits to facilitate attacks. The Advisory provides "red flag" indicators of illicit activity related to ransomware to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. FinCEN reminded financial institutions to determine if filing a suspicious activity report is required or appropriate when the institution knows, suspects, or has reason to suspect that a transaction relates to a ransomware incident. For more information, please see our Jones Day Alert.
FERC Outlines Incident Response Best Practices
On September 14, the joint staffs of the Federal Energy Regulatory Commission ("FERC") and the North American Electric Reliability Corporation published a report on cyber planning for incident response for the electric utility industry. The report identifies common elements and best practices for incident response plans, including defining computer security events and incidents, outlining staff roles and responsibilities and levels of authority for response, providing reporting requirements and guidelines for external communications and information sharing, and implementing procedures to evaluate performance.
FERC Releases Cybersecurity Recommendations
On October 2, FERC released recommendations to help owners and operators of the bulk-power system improve their compliance with the mandatory Critical Infrastructure Protection reliability standards and their overall cybersecurity posture. These recommendations include: (i) ensuring that all cyber assets are properly identified and that all substation cyber systems are properly categorized as high, medium, or low impact; (ii) inspecting all physical security perimeters periodically for unidentified physical access points; (iii) updating backup and recovery procedures; and (iv) evaluating security controls implemented by third parties engaged to manage cyber system information.
OCR Settles Breach Investigation with Covered Entity for $1.5 Million
On September 21, the Health and Human Services Office for Civil Rights ("OCR") announced a $1.5 million settlement with a covered entity for potentially violating the Health Insurance Portability and Accountability Act ("HIPAA"). The covered entity allegedly received notice in June 2016 that patient records were available for sale online, but the hacker continued to access protected health information for another month. The breach resulted in the disclosure of names, dates of birth, social security numbers, medical procedures, test results, and health insurance information of 208,557 individuals. The OCR found longstanding systemic noncompliance, including failure to conduct a risk analysis or to implement audit controls, HIPAA policies and procedures, or workforce training.
OCR Settles Breach Investigation With Business Associate for $2.3 Million
On September 23, the OCR announced a $2.3 million settlement with a business associate for violating HIPAA. The Federal Bureau of Investigation allegedly notified the company of an advanced persistent threat to the company's information system in April 2014, but the hackers continued to access and exfiltrate protected health information of about six million individuals using compromised administrative credentials until August 2014. The OCR found longstanding systemic noncompliance, including failure to conduct a risk analysis or implement an information system activity review, incident response procedures, or access controls.
OCR Settles Ninth Enforcement Action for HIPAA Right of Access Initiative
On October 9, the OCR announced a settlement of its ninth enforcement action as part of its HIPAA Right of Access Initiative, which supports patients' rights to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The OCR announced this initiative as an enforcement priority in 2019 and recently settled its eighth enforcement action for $160,000 and ninth for $100,000.
Regulatory—Defense and National Security
DoD Implements New Cybersecurity Requirements for Contractors
On September 29, the Department of Defense ("DoD") issued an interim rule to initiate the five-year rollout of the Cybersecurity Maturity Model Certification ("CMMC") framework. The purpose of the CMMC is to strengthen the defense contractor supply chain by assessing contractors' cybersecurity. The interim rule defines five cybersecurity levels implementing controls from NIST SP 800-171. On November 30, the DoD will begin requiring compliance with a specified CMMC level in certain solicitations, and contractors will need to obtain a third-party cybersecurity assessment and certification. The results of the assessment will be recorded in the Supplier Performance Risk System. For more information, please see our Jones Day Commentary.
NCSC Releases New Supply Chain Risk Management Guidance
On October 1, the National Counterintelligence and Security Center ("NCSC") released new guidance on supply chain risk management designed to help the private sector and U.S. government stakeholders mitigate risks to critical U.S. supply chains, a goal of the National Counterintelligence Strategy of the United States 2020-2022. The guidance focuses on three areas: (i) enhance capabilities to detect and respond to supply chain threats; (ii) advance supply chain integrity and security across the federal government; and (iii) expand outreach on threats, risk management, and best practices.
DoD Issues New Data Strategy
On October 8, the DoD issued a new data strategy to transition the department into a data-centric organization. The strategy treats data as a strategic asset and focuses on the automation of data pipelines, data ethics, and artificial intelligence, among other principles. The strategy is part of the department's Digital Modernization program, which focuses on investments in cloud technology, artificial intelligence, and cybersecurity.
Litigation, Judicial Rulings, and Enforcement Actions
Massachusetts Attorney General Establishes Data Privacy and Security Division
On August 13, the Massachusetts Attorney General announced the creation of a Data Privacy and Security Division. The Division will enforce the Massachusetts Consumer Protection Act and the state's data breach notification law.
Social Media Company Settles BIPA Class Action
On August 19, a California federal court granted preliminary approval of a $650 million settlement agreement related to claims against a social media company under the Illinois Biometric Information Privacy Act ("BIPA"). The court explained that the company "has agreed to set the Face Recognition default user setting to 'off' and to delete all existing and stored face templates for class members unless [the company] obtains a class member's express consent after a separate disclosure about how Facebook will use the face templates." Silence or inaction by the user will be deemed a withholding of consent. The company also will delete the face templates of any class members who have had no activity on the company's platform for three years. A final approval hearing is set for January 7, 2021.
DOJ Files Criminal Complaint Against Chief Security Officer for Failure to Disclose Breach
On August 20, the U.S. Attorney's Office for the Northern District of California announced that it filed a criminal complaint against the former Chief Security Officer and Deputy General Counsel of a ride-sharing company in connection with his role in responding to a data breach in which attackers obtained the personal information of 57 million users and drivers. Among other concerns, the complaint alleges that the officer deliberately failed to disclose the incident in response to the FTC's investigation into the company's cybersecurity practices from a prior breach.
Court Finds Bank Does Not Need to Produce Data Breach Report
On August 21, a Virginia federal judge handling discovery disputes in a multidistrict litigation related to a bank's 2019 data breach rejected the plaintiffs' request that the bank produce a third-party forensic analysis of the incident. The judge found the timing of the company's retention of the forensic provider in mid-September when lawsuits were being filed to be a significant factor in its decision.
District Court Dismisses HIPAA Class Action
On September 4, an Illinois district court judge dismissed a putative class action accusing a technology company and university of violating patient privacy under HIPAA in connection with a research partnership in which they allegedly used "machine-learning techniques to create predictive health models aimed at reducing hospital readmissions and anticipating future medical events." As part of the research, the university disclosed to the technology company "the 'de-identified' electronic health records of all adult patients treated at its hospital from January 1, 2010 through June 30, 2016." The plaintiff claimed that the university did not inform patients or obtain consent for sharing data with the company, and alleged the records were not sufficiently anonymized (e.g., records did not remove the provider's free-text notes). The court determined that while the university may have breached a contractual agreement, the plaintiff did not suffer economic damages.
New York Attorney General Settles Data Breach Investigation
On September 15, the New York Attorney General announced a Consent and Stipulation with a coffee chain company regarding the compromise of its customer accounts between 2015 and 2018. The stipulation mandated that the company "notify customers impacted in the attacks, reset those customers' passwords, and provide refunds for unauthorized use of customers' stored value cards." The stipulation also required the company to pay $650,000 in penalties and costs to the state of New York.
Court Dismisses New Mexico Attorney General's COPPA Suit Against Internet Company
On September 25, the District Court of New Mexico granted an internet company's motion to dismiss a lawsuit filed by the New Mexico Attorney General in February 2020 alleging violations of the Children's Online Privacy Protection Act ("COPPA") through its web-based education service. The Attorney General alleged that the company used the service to spy on students' online activities for its own commercial purposes without parental notice and consent. The court dismissed the suit for failure to state a claim that the company violated COPPA by relying on schools to serve as intermediaries or the parent's agent.
Health Insurer Settles Data Breach Claims for $39.5 Million With 42 States
On September 30, a health insurance company entered into an assurance of voluntary compliance with the attorneys general of 42 states and the District of Columbia to settle claims related to the company's data breach in 2014-15. The breach involved the harvesting of personal information of about 78.8 million Americans after hackers accessed the company's systems using malware installed through a phishing email. The company will pay $39.5 million, conduct an annual SOC 2 Type 2 assessment for three years, obtain annual independent third-party security assessments for three years, and implement a written information security program with controls for segmentation, logging and monitoring, remote access, multifactor authentication, encryption, risk assessments, and vulnerability testing.
House Unanimously Passes IoT Cybersecurity Improvement Act
On September 14, the House of Representatives unanimously passed the IoT Cybersecurity Improvement Act. The bill would require NIST to develop minimum cybersecurity standards for IoT devices purchased by the federal government. Federal agencies would not be able to procure IoT devices that fail to meet the minimum security standards unless a waiver applies. The bill is still pending in the Senate.
Senate Committee Holds Hearing on Need for Federal Data Privacy Legislation
On September 23, the Senate Committee on Commerce, Science, and Transportation held a hearing to examine the current state of consumer data privacy and legislative efforts to guide data protection. The hearing examined U.S. state privacy laws, the GDPR, and COVID-19 legislation as case studies for the federal government.
Vermont Data Breach Notification Law Amendments Take Effect
On July 1, amendments to Vermont's Security Breach Notice Act went into effect. The amendments expand the definition of personally identifiable information to include individual taxpayer identification numbers, passport numbers, biometric data, genetic information, and health records, among other changes. The amendments also expand the definition of a data breach to include a breach of login credentials.
Vermont Student Privacy Law Takes Effect
On July 1, Vermont's student data privacy law went into effect. The law applies to "operators" of online services, applications, and websites designed, marketed, and primarily used for school purposes. The law prohibits operators from knowingly using covered data to engage in targeted advertising and from selling or renting student data. Operators also are required to implement and maintain reasonable security procedures and practices, delete data at a school's request, and provide public notices regarding their collection, use, and disclosure of covered data.
California OAL Approves the California Attorney General's CCPA Regulations
On August 14, the California Office of Administrative Law ("OAL") approved the final regulations issued by the California Attorney General under the CCPA of 2018. The regulations went into effect on the same day they were approved. The California Attorney General submitted the draft regulations to the OAL on June 1, and the OAL made additional revisions to the regulations prior to final approval.
California Legislature Extends CCPA Moratorium on Employment and B2B Data
On August 30, the California legislature passed a bill that would extend the moratorium on employment-related data and B2B data from certain CCPA requirements. Originally, this moratorium was set to expire on January 1, 2021. This bill would extend the expiration date for this moratorium to January 1, 2022. The Governor approved the measure on September 29, though it will not take effect if the California Privacy Rights Act ("CPRA") passes in November on the California ballot. The CPRA would extend the moratorium to January 1, 2023.
California Legislature Approves CCPA Amendment for Certain Health-Related Information
On September 25, the California Governor signed into law AB 713, which amends the CCPA's exceptions for certain entities and information regulated under HIPAA and the California Confidentiality of Medical Information Act. AB 713 makes an exception for "business associates" under HIPAA; expands the scope of the CCPA's research exceptions to cover studies other than clinical trials; clarifies that the CCPA does not apply to data that was de-identified pursuant to HIPAA standards and derived from patient information originally collected by a HIPAA-regulated entity; prohibits re-identification of de-identified patient information; and imposes new contracting and notice requirements for certain disclosures of de-identified patient information. AB 713 became operative immediately, except for the law's new contractual requirements that will go into effect on January 1, 2021.
Texas Privacy Protection Advisory Council Publishes Interim Report
On September 4, the Texas Privacy Protection Advisory Council issued its interim report providing five recommendations for future privacy legislation in the state. The Council underscored that "Texans have the right to know how their personal information is being used and the Legislature should consider ways to strengthen that right." The Texas legislature created the Council in 2019 in lieu of adopting comprehensive privacy legislation. Instead, the legislature tasked the Council with studying data privacy laws in Texas, other states, and relevant foreign jurisdictions to make recommendations to the legislature on proposed statutory changes for privacy and data protection.
California Attorney General Releases Third Set of Proposed Modifications to CCPA Regulations
On October 12, the California Attorney General released a third set of proposed modifications to the regulations under the CCPA, which went into effect on August 14. The proposed modifications would revise portions of the regulations that relate to providing notice of the right to opt-out, methods for submitting opt-out of sale requests, and verifying requests submitted by authorized agents. For more information, please see our Jones Day Alert.
Privacy Commissioner Publishes Privacy Guide for Businesses
On August 13, the Privacy Commissioner of Canada published an updated Privacy Guide for Businesses to guide companies on how to protect customers' privacy under the Personal Information Protection and Electronic Documents Act ("PIPEDA"). The guide includes requirements for mandatory breach reporting, guidelines for obtaining meaningful consent, and best practices for email marketing under Canada's anti-spam legislation.
Privacy Commissioner Publishes IoT Guidance
On August 20, the Privacy Commissioner of Canada published guidance for manufacturers of IoT devices on how to comply with federal privacy law. The guidance contains a compliance checklist that addresses transparency, technical safeguards, data deletion, risk assessments, and data sharing.
Commissioner Issues Privacy Guidance for Communications During Emergencies
On October 8, the Privacy Commissioner submitted his Annual Report to Parliament on the Privacy Act and PIPEDA. The report primarily addressed the gaps in the legislative framework raised by the pandemic. The report highlighted new risks raised by the increased pace of digitization and the need for updated laws to protect privacy in a digital environment.
The following Jones Day lawyers contributed to this section: Jennifer Everett, Jay Johnson, Daniel Lopez, Dan Ongaro, Christina O'Tousa, Clinton Oxford, Molly Russell, Ben Sanchez, Kerianne Tobitsch, and Jenny Whalen-Ball.
Agency Issues Guidelines on Temperature Register During Pandemic
On September 3, the Argentine National Public Information Service Agency (Agencia de Acceso a la Información Pública―"AAIP") issued guidelines regarding the processing of personal data in connection with body temperature registers (source document in Spanish). These guidelines permit the processing of body temperature data when it is relevant and needed to fulfill the purpose of processing, and the data must be erased when it is no longer necessary for the purpose for which it was collected.
Brazil Creates National Data Protection Authority
On August 26, Brazil's president issued a decree creating the National Data Protection Authority (Autoridade Nacional de Proteção de Dados―"ANPD"), as authorized by Brazil's new data protection law (source document in Portuguese). The ANPD is responsible for enforcing compliance with the LGPD, developing guidelines, and cooperating with other data protection authorities.
Superior Court of Justice Overturns Rulings on Disclosure of Personal Data
On September 14, the Brazilian Superior Court of Justice issued two resolutions in connection with appeals filed by a social media company and a technology company against judicial resolutions that required the companies to disclose users' personal data. The lower courts' decisions would have required the companies to disclose user profile data, such as username, national identification number, address, and email communications. The Superior Court overturned these decisions and ruled that companies providing services through the internet are not required to disclose users' personal data, though the court noted that the companies should find ways to identify users in court cases.
Brazil's Data Protection Law Goes into Effect with Retroactive Application
On September 18, the LGPD, Brazil's data protection law, went into effect retroactively as of August 16, 2020 (source document in Portuguese). Brazil's legislature rejected a provisional measure that would have postponed applicability of the LGPD until next year. The LGPD addresses extraterritorial jurisdiction, processing of sensitive personal data, data owners' rights, data processing principles to protect personal data, data processing restrictions in certain enumerated scenarios, data breach notifications, and data protection officer requirements. The LGPD permits penalties of up to 2% of income with a limit of R$50,000,000 (approximately US$9,136,760), though administrative sanctions will be delayed until August 1, 2021.
Ministry Files First Civil Action Under LGPD Against Company for Selling Personal Data
On September 22, the Brazilian Public Ministry of Federal Districts and Territories issued a press release regarding its first civil action under the LGPD (source documents in Portuguese). Though administrative sanctions under the LGPD are delayed until next year, civil enforcement may proceed. The Ministry alleges that the company violated the LGPD by operating a website that sold personal data without the data owners' consent. The personal data included names, e-mail addresses, postal addresses, and zip codes of more than 500,000 individuals in São Paulo. The Ministry requested an urgent preliminary injunction from the Brazilian Superior Court of Justice due to the damage that this unlawful data processing may have caused to the data owners.
Council Addresses Controversy Involving Regulator's Data Request to Telecommunication Companies
On August 6, the Council for Transparency (Consejo para la Transparencia―"CPLT") issued a press release regarding the conflict generated by two requests of the Subsecretary of Telecommunications to regulated companies, which would have required the companies to disclose large amounts of users' personal data, including geolocation and other sensitive personal data (source document in Spanish). The president of the CPLT dismissed the requests because they were only indirectly related to the fulfillment of the Subsecretary of Telecommunications' functions.
Council Addresses Cyberattack on Chilean State Bank
On September 10, the CPLT issued a press release following the most significant ransomware attack in the history of the Chilean State Bank (source document in Spanish). The press release called for an investigation into the incident, continued monitoring of affected users' personal data, and disclosure by the authorities of any loss or theft of users' personal data.
Superintendence Issues Statement on Processing Personal Data During Pandemic
On August 18, the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio) issued a statement of mandatory compliance for all commercial establishments that have collected personal data during the COVID-19 pandemic (source document in Spanish). Among other requirements, the statement reminds companies to collect only the data expressly required by the Ministry of Health and Social Protection, comply with the Ministry's biosecurity protocols, avoid collecting or processing personal data in a misleading or fraudulent manner, and register applicable databases with the Superintendence of Industry and Commerce.
Superintendence Finds Internet Company Noncompliant with National Data Protection Standard
On September 4, the Superintendence issued a press release announcing its finding in Resolution 53593 that a U.S. internet company's Information Processing Policy did not comply with Colombian data protection regulations (source documents in Spanish). The Superintendence ordered the company to implement specific measures, including updating notification procedures, revising its information policy, and registering databases in the National Registry of Databases.
Superintendence Fines Telecommunications Company for Using Credit History for Marketing Purposes
On September 9, the Superintendence fined a telecommunications company COP$263,349,372 (approximately US$69,209.80) through Resolution 49336 of 2020 for consulting a user's credit history for commercial and sales purposes without the user's consent (source documents in Spanish). The decision arose from the user's complaint that the company consulted his credit history at least five times for the purpose of offering him new contract plans, and that a financial entity denied him credit based on the number of credit inquiries made by the company.
Mexican Senate Receives New Cybersecurity Bill
On September 1, Senator Miguel Angel Mancera Espinosa filed a bill with the Mexican Senate to propose a General Cybersecurity Law to protect both individuals and government entities from cyberattacks (source document in Spanish). Key aspects of the bill include: (i) new criminal offenses relating to cybersecurity; (ii) the right to access information and communication technologies, including broadband and internet services, in a secure environment; (iii) creation of a Permanent Commission on Cybersecurity; (iv) creation of a National Center for Cybersecurity; and (v) development of a National Cybersecurity Strategy.
INAI Considers Personal Data Protection as a Tool to Promote Commercial Exchange
On September 17, the National Institute of Transparency, Access to Information and Personal Data Protection ("INAI") issued official communication No. INAI/291/20 addressing the possibility of using personal data protection as a tool to promote economic investment and trade among Mexico, the United States, and Canada (source document in Spanish).
URCDD Issues Recommendations on Teleworking
On August 10, the Uruguayan Personal Data Regulatory and Control Unit (Unidad Reguladora y de Control de Datos Personales―"URCDD") issued recommendations regarding personal data protection for teleworking in both public and private organizations (source document in Spanish). These recommendations are part of a set of documents issued by the URCDD to provide guidance on the processing of personal data in the context of health emergencies. The document also highlighted the importance of ensuring compliance with the rights of data owners.
URCDD Issues Recommendations on Web Applications
On August 21, the URCDD issued recommendations for public bodies to apply when producing web applications that collect personal data (source document in Spanish). The document includes recommendations on: (i) system choices; (ii) authentication mechanisms; (iii) management of the collected data; (iv) data conservation periods; and (v) the need to prepare an impact assessment.
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, and Juan Carlos Quinzaños.
German Presidency Releases Draft ePrivacy Regulation Discussion Paper
On July 6, the Presidency of the Council released a Discussion Paper on the draft ePrivacy Regulation. The goal of the Presidency is to reach a general approach or mandate to start negotiations with the European Parliament regarding the draft ePrivacy Regulation. The Discussion Paper states that agreement is required on the core provisions of the proposal, which include the rules for the processing of electronic communications data and protection of end users' terminal equipment information.
Court of Justice of the European Union
CJEU Confirms Validity of EU SCCs, but Invalidates EU–U.S. Privacy Shield
On July 16, the Court of Justice of the European Union ("CJEU") confirmed the validity of the EU Standard Contractual Clauses ("SCCs") for the transfer of personal data to processors outside the EU/EEA in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (called "Schrems II"), while invalidating the EU–U.S. Privacy Shield. The CJEU determined that the EU SCCs provide appropriate safeguards for international transfers of personal data, subject to stringent conditions. These conditions include implementing additional safeguards or supplementary measures when the data importer is located in a third country that does not offer an adequate level of personal data protection, such as the United States. In contrast, the CJEU ruled that the EU–U.S. Privacy Shield does not include satisfactory limitations to protect EU personal data from access and use by U.S. public authorities on the basis of U.S. domestic law.
European Commission Unveils EU Security Union Strategy for 2020-2025
On July 24, the European Commission published a Communication regarding its EU Security Union Strategy for 2020-2025 (the "Strategy"). The purpose of the Strategy is to foster security in the EU by preventing and detecting hybrid threats, increasing the resilience of EU critical infrastructure and promoting cybersecurity. The Strategy provides tools and measures to be developed over the next five years.
European Data Protection Board
EDPB Adopts Draft Guidelines on Targeting Social Media Users
On September 2, the European Data Protection Board ("EDPB") adopted draft Guidelines on the targeting of social media users (the "Guidelines"). The Guidelines address risks associated with targeting social media users, a description of the different roles (e.g., processor, controller, and joint-controllership) and actors (e.g., users and social media providers) involved in data processing, and an analysis of different mechanisms to target social media users.
EDPB Adopts Draft Guidelines on Concepts of Controller and Processor
On September 2, the EDPB adopted draft Guidelines on the Concepts of Controller and Processor in the GDPR (the "Guidelines"). The Guidelines provide guidance on the concepts of controllers, joint controllers, processors, third parties, and recipients under the GDPR. Furthermore, the Guidelines address the specific information that must be included in data processing agreements between controllers and processors.
EDPB Adopts Guidelines on Data Protection by Design and Default
On October 20, the EDPB adopted a final version of its Guidelines on Data Protection by Design and Default, following a public consultation period. The guidelines address data protection by design and default under Article 25 of the GDPR and provide use-case scenarios. The EDPB also set up a Coordinated Enforcement Framework to coordinate activities by the national supervisory authorities ranging from raising joint awareness to conducting joint investigations.
European Union Agency for Cybersecurity
ENISA Publishes Report on New Cybersecurity Strategy
On July 17, the European Union Agency for Cybersecurity ("ENISA") published a report laying out its New Strategy towards a Trusted and Cyber Secure Europe (the "Strategy"). The Strategy was developed to fulfill ENISA's permanent mandate and includes ENISA's goals (e.g., ensuring a high level of trust in secure digital solutions), along with the means to achieve these goals (e.g., providing proactive advice and support to all relevant EU-level actors).
DPA Imposes €600,000 Fine on Search Engine Company
On July 14, the Belgian Data Protection Authority ("DPA") imposed a €600,000 fine on a search engine company for: (i) failing to honor the right to be forgotten of a data subject; (ii) not providing information to the data subject justifying the rejection of the request; and (iii) lacking transparency in the application form provided by the search engine company to request the erasure of personal data.
CNIL Updates Guidelines on Access to National Database
On August 7, the French Data Protection Authority ("CNIL") updated its guidelines on access to a national database containing information on the socio-demographic and medical characteristics of the beneficiaries of the French health care system (source document in French). This access is permitted for data processing purposes that are considered to have a low impact on data subjects' privacy.
CNIL Publishes Revised Cookies Guidelines
On October 5, the CNIL published revised guidelines on cookies and other tracking technologies (source document in French). The guidelines address principles for how to obtain user consent to the use of these technologies in online advertising and the withdrawal of consent.
German DPAs Issue Guidance on International Data Transfers
In July, a number of German Data Protection Authorities ("DPAs") expressed their views on the future of international transfers of personal data in the aftermath of the CJEU judgment in Schrems II invalidating the EU–U.S. Privacy Shield.
- On July 17, the Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit) was the first to publish a press release calling upon all data exporters in Berlin to transfer personal data stored in the United States back to the European Union and immediately relocate to service providers based in the EU or in another country with an adequate level of data protection (source document in German).
- On July 16, Hamburg's DPA (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) published a press release stating that the CJEU's decision in Schrems II to uphold the SCCs while tearing down the EU-U.S. Privacy Shield was "not consistent" (source document in German).
- On July 24, the DPA of Rhineland-Palatinate (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz) published frequently asked questions on next steps and the future of the SCCs following the CJEU's decision (source document in German).
- On August 25, the DPA of Baden-Wuerttemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg) issued guidance on its interpretation of the Schrems II decision (source document in German). The document includes a Schrems II compliance checklist and in-depth recommendations on how to amend the SCCs. The guidance also contains insight into "supplementary measures" for companies with cross-border data flows from the EU/EEA to the United States.
German Federal Constitutional Court Publishes Decision on Subscriber Data
On July 17, the Federal Constitutional Court (Bundesverfassungsgericht) published a press release on its decision invalidating, on constitutional grounds, provisions of the German Telecommunications Act governing the provision of subscriber data to, and its retrieval by, law enforcement authorities. This decision came at a time when Germany is already undergoing a comprehensive reform of its telecommunications law to implement the European Electronic Communications Code.
DPA Issues Checklist on GDPR Codes of Conduct
On August 19, the DPA North Rhine-Westphalia (Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen) provided a checklist for the approval of Codes of Conduct under Article 40 of the GDPR in accordance with the corresponding Guidelines 1/2019 v2.0 issued by the European Data Protection Board (source document in German). Codes of Conduct together with binding and enforceable commitments of all parties may serve as an appropriate safeguard for data transfers to third countries.
DSK Publishes Guidelines on Use of Electronic Temperature Measurement
On September 9, the German Conference of Data Protection Authorities (Datenschutzkonferenz or "DSK") published Guidance on the use of thermographic cameras and electronic temperature measurement during the COVID-19 pandemic (source document in German). In its Guidance, the DSK took a closer look at the legal bases for electronic body temperature measurement in airports, stores, public authorities, and workplaces. In the DSK's view, less invasive measures should be considered, such as adhering to hygiene and distance rules and employee interviews in certain circumstances.
DPA Fines Retail Company €35 Million Under GDPR for Employee Surveillance
On October 1, the DPA of Hamburg announced a fine of €35 million (approximately USD $41.3 million) against a multinational retail company for violations of the GDPR related to the surveillance of several hundred employees at a service center in Germany since 2014. The DPA found that the company had engaged in extensive recording of the private lives of employees. The recording, collection, and storage of this data was discovered in October 2019 when a configuration error made these notes accessible across the company for a few hours.
ICO Reopens Regulatory Sandbox
On August 19, the Information Commissioner's Office ("ICO") announced that it was reopening its regulatory sandbox to support organizations using personal data to develop innovative products and services. The sandbox this year will focus on the themes of children's privacy and data sharing.
ICO Releases Accountability Framework
On September 17, the ICO released its "Our Accountability Framework" to assist organizations in developing a data protection roadmap and embedding accountability into their operations. The purpose of the framework is to assist organizations with the accountability requirements of data protection legislation, including employee training and risk assessments.
ICO Publishes Guidance on Data Collection from Customers
On September 18, the ICO published data protection guidance for organizations mandated to collect customer or visitor information. This guidance applies to the hospitality sector, leisure and tourism sector, and close contact businesses.
ICO Launches Public Consultation on Statutory Guidance
On October 1, the ICO launched a public consultation on its draft Statutory Guidance, which provides an overview of the ICO's powers and how it intends to regulate and enforce data protection legislation in the United Kingdom, including its approach to the calculation of fines. The guidance is required by the UK Data Protection Act 2018.
ICO Fines Airline £20 Million for Data Breach
On October 16, the ICO fined an airline £20 million for failing to protect the personal and financial information of customers in connection with a 2018 data breach affecting more than 400,000 customers. The ICO found that the company lacked adequate security measures commensurate with the significant amount of personal data it was processing and that the company failed to identify and resolve weaknesses in its security using readily available security measures.
The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Sara Rizzon, Irene Robledo, and Lucie Fournier.
Privacy Commissioner and UK's ICO Sign MOU for Data Protection Cooperation
On July 29, the Privacy Commissioner and the United Kingdom's Information Commissioner's Office ("ICO") signed a Memorandum of Understanding ("MOU") to share experiences and best practices, share information on regulatory approaches and activities, and collaborate on joint investigations, enforcement actions, and research initiatives. The MOU forms the basis of the working relationship between the authorities going forward in matters of mutual regulatory interest.
People's Republic of China
China Publishes Guidelines on Use of Internet Applications
In September, the National Information Security Standardization Technical Committee issued two guidelines on the use of mobile internet applications. The first set of guidelines set forth basic principles and security requirements related to system permissions and avoiding data privacy risks arising from inappropriate use of system permission (source in Chinese). The second set of guidelines set forth 10 common problems for the protection of personal information on mobile internet applications and recommendations to reduce these risks (source in Chinese). These problems include excessive data collection, forced and bundled consent, repeated requests for consent, no specification of data collection purpose, lack of means to correct and delete personal information, lack of complaint channels, and the deregistration of user accounts.
China Launches Global Data Security Initiative
On September 8, China launched a global data security initiative at an international seminar on global digital governance (source in Chinese). The initiative focuses on the protection of the supply chain of global information technology products and services, measures to prevent the use of information technology for large-scale surveillance, and cross-border data storage, among other issues.
China Amends Personal Information Security Specification
On October 1, the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) took effect and superseded the prior version of the specification (GB/T 35273-2017), which had been in effect since May 1, 2018. The amended specification strengthened measures for the protection of personal information by data controllers at various stages of processing, including collection, storage, use, transfer, public disclosure, and deregistration of user accounts. The amended specification also requires data controllers to retain log files on the handling of personal information and implement measures to manage third-party products and services collecting personal information via data controllers.
China Considers Draft of First "Personal Information Protection Law"
On October 14, the draft of the first ever "Personal Information Protection Law" in China was presented in the Standing Committee of the National People's Congress of the People's Republic of China for discussion (source in Chinese). Key highlights of the draft law include provisions to: (i) provide extraterritorial protection to personal information of Chinese citizens; (ii) establish fundamental principles for the legal and proper processing of personal information; (iii) refine the rules for assessing and appraising personal information transferred outside the territory of China; (iv) specify rights of individuals, such as a right to know, inquire, correct, and delete personal information; and (v) strengthen the role of the Cyberspace Administration of China in the overall planning and coordination of personal information protection in China.
Commission Issues First Enforcement Order
On July 29, the Personal Information Protection Commission issued an order against two entities to cease and delete their websites that unlawfully disclosed personal information of bankrupt persons without obtaining consent (source document in Japanese). This is the first order that has been issued since the enactment of the Personal Information Protection Act. In another sign of strengthening privacy enforcement, the Japanese Diet passed a law to amend the Personal Information Protection Act on June 5, 2020 (source document in Japanese). The amendment will take effect within two years from the date of promulgation on June 12, 2020. Among other requirements, the amendment will impose a data breach reporting obligation, expand individuals' right to request that data holders cease using and erase data, increase the amount of available fines, and establish more stringent requirements for cross-border transfers.
PDPC Publishes Guide on Outsourcing to Data Intermediaries
On September 21, the Personal Data Protection Commission ("PDPC") published a new guide highlighting relevant obligations under the Personal Data Protection Act of 2012 ("PDPA") and key considerations for organizations when outsourcing data processing activities to data intermediaries. The guide addresses governance and risk assessments, policies and practices, service management, and exit management.
PDPC Summarizes Public Comments to Proposed PDPA Amendments
On October 5, the PDPC issued a summary of public comments to the draft Personal Data Protection (Amendment) Bill which would amend the PDPA. The public commented on the proposed increase in financial penalties for data breaches, the business transaction exception, data portability obligation, and offenses for the knowing or reckless unauthorized disclosure of personal data.
The following Jones Day lawyers contributed to this section: Elizabeth Cole, Michiru Takahashi, Sharon Yiu, and Grace Zhang.
Federal Government Releases Cyber Security Strategy 2020
On August 6, the Australian Federal Government released Australia's Cyber Security Strategy 2020. This 2020 Strategy replaces the 2016 Cyber Security Strategy, and pledges to invest AUD $1.67 billion over 10 years to achieve a vision of a "more secure online world for Australians." The strategy promotes actions by businesses to protect personal data, including minimum cybersecurity requirements for operators of critical infrastructure, improvements in cybersecurity of subject matter experts, security of IoT devices through a voluntary Code of Practice, upskilling cyber security workers, and implementation of automatic threat blocking.
OAIC Highlights Privacy Risks in Health Sector
Between August 19 and September 14, the Office of the Australian Information Commissioner ("OAIC") published five privacy determinations following complaints by individuals under Part V of the Privacy Act 1988 (Cth) ("Privacy Act"). The OAIC found that all respondents breached the Privacy Act and the Australian Privacy Principles, and highlighted unique risks for the handling of personal information by health service providers. While the OAIC imposed pecuniary penalties in a number of cases, the maximum penalty issued was less than AUD $7,000.
ASIC Brings First Court Action Alleging Inadequate Cybersecurity
On August 21, the Australian Securities & Investments Commission ("ASIC"), Australia's corporate regulator, commenced proceedings in the Federal Court of Australia against a financial advisor for allegedly breaching its obligations as an Australian financial services license holder by failing to implement adequate cybersecurity protections. This action represents the first time that ASIC has taken a corporation to court for cybersecurity failures. ASIC seeks a declaration of a breach of the Corporations Act 2001 (Cth), pecuniary penalties, and compliance orders requiring the implementation of appropriate corporate policies. The action represents a new regulatory risk for corporations in Australia, as prior proceedings alleging breaches of cybersecurity and privacy obligations were typically commenced by the OAIC or the Australian Competition and Consumer Commission.
The following Jones Day lawyers contributed to this section: Adam Salter and Drew Broadfoot.