Privacy & Information Security Law Blog

On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.

On November 7, 2019, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced a $1.6 million civil penalty imposed against the Texas Health and Human Services Commission (“TX HHSC”), a state agency, for violations of HIPAA Privacy and Security Rules in connection with the unauthorized disclosure of electronic protected health information (“ePHI”). The ePHI breach – which exposed names, addresses, Social Security numbers, and treatment information of at least 6,617 individuals – was first reported to OCR on June 11, 2015, by Texas’s Department of Aging and Disability Services (“DADS”).

On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology - Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board ("EDPB"), and will focus on the role of the EDPB and cooperation between supervisory authorities ("SAs") in cross-border matters.

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s ...

On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

On October 30, 2019, Facebook reached a settlement with the UK Information Commissioner’s Office (“ICO”) under which it agreed to pay (without admission of liability) the £500,000 fine imposed by the ICO in 2018 in relation to the processing and sharing of its users’ personal data with Cambridge Analytica.

On November 19, 2019, Hunton Andrews Kurth will host an in-person breakfast briefing in the firm’s London office to explore the California Consumer Privacy Act (“CCPA”), against the backdrop of the EU General Data Protection Regulation (“GDPR”).

In the seminar, we will discuss:

• The CCPA in the context of the GDPR, covering the similarities and differences between the frameworks
•  Key CCPA obligations
• The CCPA’s approach to enforcement and penalties
• How businesses are approaching CCPA compliance, and leveraging their GDPR work

The event will be led by Hunton partners ...

On October 21, 2019, the Federal Trade Commission took action against two companies alleged to have engaged in the business of false online reviews and social media influence. In the first case, the FTC entered into a consent decree with cosmetics marketer Sunday Riley, LLC, and the company’s owner, who sell products at Sephora stores and online at Sephora.com. According to the FTC’s complaint, disguised as ordinary consumers, Sunday Riley employees and Ms. Riley herself posted fake 5-star reviews of the company’s products on Sephora’s website. Under the terms of the FTC’s agreement, the company and its principal are barred from posting fake reviews, must clearly identify endorsers, and must instruct staff on their disclosure obligations. The FTC vote on the action was 3-2, with Commissioners Chopra and Slaughter dissenting on the grounds that the settlement did not include a monetary payment or an admission of guilt.