Privacy & Information Security Law Blog

On March 12, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Office of the Privacy Commissioner of Canada (“OPC”) in response to its proposals for ensuring appropriate regulation of artificial intelligence (“AI”).

On April 2, 2020, Hunton Andrews Kurth LLP will host a webinar on the California Consumer Privacy Act (“CCPA”): The CCPA Is Here—Are You Litigation-Ready? Most companies have now developed a framework for compliance with the CCPA. Having a compliance program in place is critical, and that includes preparing for the inevitable onslaught of class action litigation that is coming.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) recently published materials regarding the COVID-19 crisis, including recommendations and FAQs for employers and recommendations for employees. In the materials, the Dutch DPA emphasizes that, while fighting the virus and saving lives is the top priority, privacy must not be overlooked and the crisis should not become a prelude to a “Big Brother” society.

On March 9, 2020, the APEC Cross-Border Privacy Rules (“CBPR”) system Joint Oversight Panel approved the Philippines’ application to join the APEC CBPR system. The Philippines becomes the ninth APEC economy to join the CBPR system, joining the United States, Mexico, Canada, Japan, South Korea, Singapore, Chinese Taipei and Australia.

The Spanish Data Protection Authority (the “AEPD”) recently published a report on data processing activities carried out by data controllers in the private and public sectors as a result of the spread of the COVID-19 virus (the “Report”).

On March 21, 2020, the data security provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) went into effect. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued a Bulletin on sharing and protecting patients’ protected health information (“PHI”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the COVID-19 national emergency. The Bulletin emphasizes that the HIPAA Privacy Rule is still in effect during this national emergency, but that HIPAA-covered entities may use or disclose patients’ PHI when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.

The International Trade Administration at the U.S. Department of Commerce recently announced that NCC Group has been approved as a U.S. Accountability Agent under the APEC Cross-Border Privacy Rules (“CBPR”) system. NCC Group joins TrustArc and Schellman as the third U.S. Accountability Agent under the CBPR and the sixth Accountability Agent approved under the system overall. NCC Group will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR system and under the APEC Privacy Recognition for Processors (“PRP”), a corollary system to the CBPR specifically for processors.
On March 19, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a Q&A on the APEC CBPR and PRP systems. The Q&A is designed to explain the workings of both systems, who is currently participating in them and how interested companies can certify.

On March 13, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) released a statement regarding workplace-related processing of personal data in the context of the COVID-19 crisis (the “Statement”).