Privacy & Information Security Law Blog

On March 26, 2020, Washington D.C. enacted bill number B23-0215, amending D.C.’s data breach notification law (the “Bill”). Among other requirements, the Bill requires the provision of identity theft prevention services in certain data breaches, establishes a new regulatory reporting requirement in the event of a cognizable data breach affecting 50 or more residents of D.C., and imposes certain data security requirements on covered businesses.

The Conference of German Data Protection Authorities (“DSK”), the body of the federal and state Data Protection Authorities (“DPAs”) in Germany, recently issued joint recommendations regarding employers’ processing of employee personal data in the context of the coronavirus (“COVID-19”) pandemic. The DSK makes it clear that data protection does not hinder measures to fight COVID-19. According to DSK, employers can collect personal data of employees in order to prevent the spreading of the virus at the workforce. Employers also may process personal data of workplace visitors for COVID-19 related purposes. However, all measures must be proportionate.

Join us on April 7, 2020, for an in-depth webinar on Managing Critical Infrastructure Workforce During the COVID-19 Pandemic. Our featured group of speakers will discuss the legal, medical and practical issues that critical infrastructure companies are facing during the current COVID-19 pandemic. The speakers include Hunton lawyers Kevin Jones, Paul Tiao, Andrea Gardner, Susan Wiltsie and Lorie Masters, with special guests Myles Spar, MD, MPH, and Ashley Koff, RD.

On March 25, 2020, the European Data Protection Supervisor (“EDPS”) sent a letter to the Directorate-General for Communications Networks, Content and Technology (“DG CONNECT”) addressing the various initiatives involving telecommunications providers at the Member State level to monitor the spread of the COVID-19 outbreak using location data.

In GIR’s recently published Guide to Cyber Investigations, Hunton Andrews Kurth partner Aaron Simpson and associate Adam Solomon are featured as contributing authors to the chapter on Complying with Breach Notification Obligations in a Global Setting: A Legal Perspective.

On March 12, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Office of the Privacy Commissioner of Canada (“OPC”) in response to its proposals for ensuring appropriate regulation of artificial intelligence (“AI”).

On April 2, 2020, Hunton Andrews Kurth LLP will host a webinar on the California Consumer Privacy Act (“CCPA”): The CCPA Is Here—Are You Litigation-Ready? Most companies have now developed a framework for compliance with the CCPA. Having a compliance program in place is critical, and that includes preparing for the inevitable onslaught of class action litigation that is coming.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

On March 9, 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system. The Philippines becomes the ninth APEC economy to join the CBPR system, joining the United States, Mexico, Canada, Japan, South Korea, Singapore, Chinese Taipei and Australia.