Privacy & Information Security Law Blog

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On February 27, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published the second report in its project on Artificial Intelligence (“AI”) and Data Protection: Delivering Sustainable AI Accountability in Practice.

On March 4, 2020, the UK Information Commissioner’s Office (“ICO”) fined the international airline Cathay Pacific Airways Limited (“Cathay Pacific”) £500,000 for failing to protect the security of its customers’ personal data. The fine was issued under the Data Protection Act 1998 (the “DPA”) and represents the maximum fine available. The ICO found that between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Of the approximately 9.4 million customers affected worldwide, 111,578 were from the UK.

On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members - national data protection authorities (“DPAs”) - to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).

On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.

On March 1, 2020, the Provisions on the Governance of Network Information Content Ecology (the “Provisions”) took effect. The Provisions govern China’s network information content ecology—including content producers (the “Producers”), content service platforms (the “Platforms”), content service users (the “Users”), industry organizations and Departments of Cyberspace Administration at all levels.

The District Court for the District of Columbia recently invalidated certain Department of Health and Human Services (“HHS”) rules regarding an individual’s access to their protected health information (“PHI”). The Court held that: (1) individuals can only direct their electronic PHI to third parties (and not hard copy PHI); and (2) the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule provisions regarding the caps on fees that HIPAA-covered entities may charge for such requests did not follow relevant administrative law procedures.

The meaning of an “automatic telephone dialing system” (“ATDS”) as defined by the Telephone Consumer Protection Act (“TCPA”) has been hotly contested since the D.C. Circuit invalidated the prior Federal Communications Commission (“FCC”) rulings interpreting the TCPA in 2018. The Ninth Circuit has held that merely calling numbers from a stored list is sufficient to meet the definition of an ATDS, while the Third Circuit has at least indicated that the ability to generate numbers randomly or sequentially is the defining characteristic.

On March 5, 2020 the Cybersecurity Law Report will host a webinar with panelists, Hunton Andrews Kurth LLP partner Bridget Treacy and Refinitiv’s chief privacy officer Vivienne Artz, on the General Data Protection Regulation’s (“GDPR”) territorial scope entitled, “Gauging GDPR’s Global Reach.” This webinar will explore the global effect of the GDPR in both the digital and geographic arenas.

On February 21, 2020, the Presidency of the Council of the European Union (“EU Council Presidency”) published a revised part of the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as “the Draft ePrivacy Regulation.”