Privacy & Information Security Law Blog

On September 17, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of EUR 10,000 on a shop for the disproportionate use of customers’ electronic identity cards (the “eIDs ”) – a national identification card.

On September 27, 2019, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP submitted comments on Innovation, Science and Economic Development Canada’s Proposals to Modernize the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (the “Comments”).

On September 24, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgments in cases C-507/17, Google v. CNIL and C-136/17, G.C. and Others v. CNIL regarding (1) the territorial scope of the right to be forgotten, referred to in the judgement as the “right to de-referencing,” and (2) the conditions in which individuals may exercise the right to be forgotten in relation to links to web pages containing sensitive data. The Court’s analysis considered both the EU Data Protection Directive and the EU General Data Protection Regulation (“GDPR”).

On September 23, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced that it completed its consultation on transfers for processing and that the OPC’s current guidelines for processing personal data across borders remain unchanged. Under these guidelines, consent for transfers to data processors generally is not required.

On September 24, 2019, Alastair Mactaggart, drafter of the 2018 California ballot initiative that served as the basis for the California Consumer Privacy Act of 2018 (“CCPA”), announced that he is filing a new initiative for California’s November 2020 ballot, the California Privacy Enforcement Act (“CPEA”).

On September 20, 2019, the Philippines National Privacy Commission (“NPC”) announced it has filed its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system. The Philippines would be the ninth member of the CBPR system, joining the U.S., Mexico, Canada, Japan, South Korea, Singapore, Australia and Chinese Taipei.

On September 20, 2019, Bloomberg Law reported that California Attorney General Xavier Becerra anticipates that draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”) will be published this October. According to Bloomberg’s reporting, the Attorney General aims to issue final regulations by January 1, 2020, the CCPA’s compliance deadline. Under the CCPA, the Attorney General may begin enforcement of the law six months after the publication of final regulations or July 1, 2020, whichever is sooner ...

On September 9, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a report on the privacy complaints it received between January 2019 and June 2019 (the “Report”).

Ecuador is seeking to pass a data protection bill in the wake of a massive data breach that resulted in the personal data of up to 20 million people being made available online. According to reports, the bill draws on the EU General Data Protection Regulation (“GDPR”) in certain ways—for example, as relates to international data transfers—but diverges in other respects. The data protection bill headed to Ecuador’s national assembly today.

On September 18, 2019, the Presidency of the European Council published its proposed amendments to the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Draft ePrivacy Regulation will replace the ePrivacy Directive and will complete the EU’s framework for data protection and confidentiality of electronic communications.