Privacy & Information Security Law Blog

On August 14, 2020, the California Attorney General announced that the California Office of Administrative Law (“OAL”) approved the final regulations issued under the California Consumer Privacy Act of 2018 (“CCPA”) and filed them with the California Secretary of State. As we previously reported, the California Attorney General submitted the draft regulations to the OAL on June 1, 2020, and requested that the regulations become effective on the same day they are filed with the Secretary of State. The OAL has complied with that request, and the regulations go into effect ...

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On August 6, 2020, President Trump signed executive orders imposing new economic sanctions under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.) against TikTok, a video-sharing mobile application, and WeChat, a messaging, social media and mobile payments application. The orders potentially affect tens of millions of U.S. users of these applications and billions of users worldwide.

On August 11, 2020, the Court of Appeal of England and Wales overturned the High Court’s dismissal of a challenge to South Wales Police’s use of Automated Facial Recognition technology (“AFR”), finding that its use was unlawful and violated human rights.

On August 5, 2020, the French Data Protection Authority (the “CNIL”) announced that it has levied a fine of €250,000 on French online shoe retailer, Spartoo, for various infringements of the EU General Data Protection Regulation (“GDPR”). This is the first penalty under the GDPR enforced by the CNIL as the lead supervisory authority (“Lead SA”) in cooperation with other EU supervisory authorities (“SAs”).

On August 10, 2020, European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross released a joint press statement (the “Statement”) following the ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On July 13, 2020, a Committee of Experts within India’s Ministry of Electronics and Information Technology (“the Committee”) published the first draft of a Non-Personal Data Governance Framework for India for public consultation.

On August 4, 2020, Senators Jeff Merkley (OR) and Bernie Sanders (VT) introduced the National Biometric Information Privacy Act of 2020 (the “bill”). The bill would require companies to obtain individuals’ consent before collecting biometric data. Specifically, the bill would prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints and fingerprints—without individuals’ written consent, and from profiting off of biometric data. The bill provides individuals and state attorneys general the ability to institute legal proceedings against entities for alleged violations of the act.

On July 30, 2020, the Council of the European Union (the “Council”) imposed for the first time restrictive measures against six individuals and three entities responsible for or involved in various cyber attacks, including the “WannaCry,” “NotPetya” and “Operation Cloud Hopper” attacks and the attack against the Organization for the Prohibition of Chemical Weapons. Sanctions imposed by the Council include a travel ban, an asset freeze and a prohibition against making funds available to the sanctioned EU individuals and entities.

On July 30, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €20,000 fine on Belgian telecommunications provider Proximus N.V. (“Proximus”) for several data protection infringements related to Proximus’ public directory. In particular, the claimant requested that Proximus remove his contact details from the public directory and inform other publishers of public directories not to publish his personal data. Despite informing the claimant that it was going to proceed accordingly, Proximus still published his personal data in its public directory and shared it with other publishers of public directories.