Privacy & Information Security Law Blog

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

On June 9, 2020, the Federal Communications Commission (“FCC”) announced a proposed $225 million fine, the largest in the history of the FCC, against several individuals for telemarketing violations.

On May 29, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted formal comments to the European Commission’s Consultation on a European Strategy for Data (the “Strategy”).

On June 9, 2020, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2019 (the “Report”).

On June 5, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published guidance on its website (the “Guidance”) regarding temperature checks during the COVID-19 crisis. The Guidance aims to provide advice to organizations looking to control access to their premises by restricting individuals with fevers in order to prevent further spread of the virus.

On June 3, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published its report, What Good and Effective Data Privacy Accountability Looks Like: Mapping Organizations’ Practices to the CIPL Accountability Framework (“Report”). The Report consolidates the findings of CIPL’s Accountability Mapping Project launched in September 2019, which is part of CIPL’s broader work on the central role of organizational accountability in data privacy.

On June 1, 2020, U.S. Senators Maria Cantwell (WA) and Bill Cassidy (LA) introduced the Exposure Notification Privacy Act (the “Act”), bipartisan legislation that would impose requirements and restrictions on operators of automated exposure notification services. The bill defines automated exposure notification service as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the U.S. and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).” These services are commonly referred to as “contact tracing technology” because they are designed to provide alerts when a user comes in near-contact with someone who tested positive for an infectious disease, such as COVID-19.

On June 2, 2020, the European Data Protection Board (the “EDPB”) announced that it had released a statement on restrictions on data subject rights in connection with the state of emergency in EU Member States amid the COVID-19 pandemic (the “Statement”).

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

On June 3, 2020, the Presidency of the Council of the European Union (“the Presidency”) published a progress report on the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation” (the “Progress Report”).