Privacy & Information Security Law Blog

On October 22, 2019, the French Data Protection Authority (the “CNIL”) published a list of processing operations (in French) that it considers not requiring a data protection impact assessment (“DPIA”). The CNIL had previously adopted and published a final list of processing operations requiring a DPIA on November 6, 2018. The final list includes 12 types of processing operations for which a DPIA is not considered mandatory. The CNIL provided concrete examples for each type of processing operation, including:

On October 22, 2019, the Federal Trade Commission announced that, for the first time, it has brought a case against a developer of “Stalking” Apps. The agency alleges that Retina-X Studios, and its owner, James N. Johns, Jr., developed and marketed three apps that allowed purchasers to surreptitiously monitor the movements and online activities of users of devices on which the apps were installed without the knowledge or permission of the device’s user. The FTC also alleges that the app developer took steps to ensure that a device user would not be aware that the app had been installed, bypassing mobile device manufacturers’ security restrictions and leaving the device vulnerable to cybersecurity risks. The apps were marketed as tools for monitoring the behavior of employees and children. The FTC further alleges that the app developer issued policies that made inaccurate representations regarding the security of their online systems, which were recently found to have been hacked twice during earlier incidents.

Hunton Andrews Kurth LLP announced today that former Virginia Gov. Terry McAuliffe has joined the firm as global strategy advisor at the Centre for Information Policy Leadership (“CIPL”), the firm’s global privacy and cybersecurity think tank.

On October 4, 2019, the Presidency of the European Council published its revised text (the “Revised Draft”) of the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Revised Draft was released in preparation for the Working Party on Telecommunications and Information Society’s meeting, which took place on October 11, 2019 (the “WP Tele”) and introduces limited amendments compared to the draft amendments proposed by the Presidency of the European Council last month.

On October 11, 2019, California Governor Gavin Newsom signed into law AB 1130, which expands the types of personal information covered by California’s breach notification law to include, when compromised in combination with an individual’s name: (1) additional government identifiers, such as tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; and (2) biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual. Biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes.

Recent headlines underscore the security challenges faced by public-facing businesses. From physical threats to cyber attacks targeting a wide range of critical infrastructure, companies in diverse sectors, such as the financial, retail, entertainment, energy, transportation, real estate, communications and other areas, face a challenging landscape of risks and potential liabilities. Join us on October 28, 2019, at 12:00 p.m. EST, for a webinar to discuss these issues, including why companies should consider SAFETY Act protection and how to obtain it.

On October 11, 2019, California Governor Gavin Newsom announced that he signed all five of the California Legislature’s September 2019 amendments to the California Consumer Privacy Act of 2018 (“CCPA”) into law: AB-25, AB-874, AB-1146, AB-1355 and AB-1564. The Governor had until October 13, 2019, to sign or veto the amendments, which were passed at the end of the Legislature’s 2019 legislative session. This news came just a day after California Attorney General Xavier Becerra released proposed regulations implementing the CCPA.

On October 10, 2019, the California Attorney General (“AG”) announced Proposed Regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). Along with a Notice of Proposed Rulemaking Action and the Text of Proposed Regulations, the AG issued an Initial Statement of Reasons elaborating on the purposes of the proposed regulations.

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On October 1, 2019, China’s Provisions on Cyber Protection of Children’s Personal Information (“Provisions”) became effective. The Cyberspace Administration of China had released the Provisions on August 23, 2019, and they are the first rules focusing on the protection of children’s personal information in China.