Privacy & Information Security Law Blog

Recent headlines underscore the security challenges faced by public-facing businesses. From physical threats to cyber attacks targeting a wide range of critical infrastructure, companies in diverse sectors, such as the financial, retail, entertainment, energy, transportation, real estate, communications and other areas, face a challenging landscape of risks and potential liabilities. Join us on October 28, 2019, at 12:00 p.m. EST, for a webinar to discuss these issues, including why companies should consider SAFETY Act protection and how to obtain it.

On October 11, 2019, California Governor Gavin Newsom announced that he signed all five of the California Legislature’s September 2019 amendments to the California Consumer Privacy Act of 2018 (“CCPA”) into law: AB-25, AB-874, AB-1146, AB-1355 and AB-1564. The Governor had until October 13, 2019, to sign or veto the amendments, which were passed at the end of the Legislature’s 2019 legislative session. This news came just a day after California Attorney General Xavier Becerra released proposed regulations implementing the CCPA.

On October 10, 2019, the California Attorney General (“AG”) announced Proposed Regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). Along with a Notice of Proposed Rulemaking Action and the Text of Proposed Regulations, the AG issued an Initial Statement of Reasons elaborating on the purposes of the proposed regulations.

On September 17, 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz, (“DSK”) examined a proposal for calculating administrative fines under the EU General Data Protection Regulation (“GDPR”).  The press release of the DSK states that this initiative aims to ensure a calculation of fines against violations of the GDPR that is “systematic, transparent and understandable.” However, the press release refrains from describing the criteria of the fining model officially, as the fining model has not yet been adopted by the DSK.

On October 1, 2019, China’s Provisions on Cyber Protection of Children’s Personal Information (“Provisions”) became effective. The Cyberspace Administration of China had released the Provisions on August 23, 2019, and they are the first rules focusing on the protection of children’s personal information in China.

On September 25, 2019, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Instituto Brasiliense de Direito Público (“IDP”) had the first of a series of workshops for their joint project on “Brazilian Data Protection Implementation and Effective Regulation.” This is an exclusive project that aims to contribute to the debates around the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais (“LGPD”)), including the development of good practices for data governance and the implementation and enforcement of this law. As part of this project, CIPL will organize additional multi-stakeholder workshops, webinars and training sessions, and prepare white papers on key topics for data protection in Brazil.

The U.S. Chamber’s Technology Engagement Center (“C_TEC”) and Center for Global Regulatory Cooperation (“GRC”) recently released a set of ten principles essential for attaining the full potential of AI technologies.

The principles, drafted with input from more than 50 Chamber member companies, stress the importance of creating a sensible and innovation-forward approach to addressing the challenges and opportunities presented by AI.

On October 2, 2019, the UK Court of Appeal handed down its judgment on the appeal in Richard Lloyd v. Google LLC, in which Richard Lloyd, a consumer protection advocate, seeks to bring a representative action on behalf of four million Apple iPhone users against Google LLC in the United States. Previously, the High Court had refused to grant permission for the proceedings to be served outside the UK. The Court of Appeal reversed the High Court’s judgment, granting permission for service outside the UK and allowing the representative action to proceed. The judgment is significant as it paves the way for representative actions (equivalent to class actions) for data protection infringements in the UK.

On October 15, 2019, Hunton Andrews Kurth will host a luncheon seminar in our Brussels office on Addressing GDPR Challenges: An Interactive Session on Handling Data Breaches. In this roundtable discussion, our speakers will lead a dialogue to share experiences on handling data breaches under the EU General Data Protection Regulation (“GDPR”).

On October 1, 2019, the Court of Justice of the European Union (“CJEU”) issued its decision in an important case involving consent for the use of cookies by a German business called Planet49. Importantly, the Court held that (1) consent for cookies cannot be lawfully established through the use of pre-ticked boxes, and (2) any consent obtained regarding cookies cannot be sufficiently informed in compliance with applicable law if the user cannot reasonably comprehend how the cookies employed on a given website will function.