Privacy & Information Security Law Blog

On August 2, 2019, New Hampshire Governor Chris Sununu signed into law SB 194 (the “Bill”), which requires insurers licensed in the state (“licensees”) to put in place data security programs and report cybersecurity events. Although the Bill takes effect January 1, 2020, licensees have one year from the effective date to implement relevant cybersecurity requirements and two years from the effective date to ensure that their third-party vendors also implement appropriate safeguards to protect and secure the information systems and nonpublic information accessible to, or held by, the third-party service providers.

On July 29, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV. The Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) requested a preliminary ruling from the CJEU on several provisions of the former EU Data Protection Directive of 1995, which was still applicable to the case since the court proceedings had started before the implementation of the EU General Data Protection Regulation (“GDPR”).

On July 29, 2019, the UK Information Commissioner’s Office (“ICO”) announced the 10 projects that it has selected, out of 64 applicants, to participate in its sandbox. The sandbox, for which applications opened in April 2019, is designed to support organizations in developing innovative products and services with a clear public benefit. The ICO aims to assist the 10 organizations in ensuring that the risks associated with the projects’ use of personal data is mitigated. The selected participants cover a number of sectors, including travel, health, crime, housing and artificial intelligence.

On July 25, 2019, the French Data Protection Authority (the “CNIL”) published new template records of data processing activities pursuant to Article 30 of the EU General Data Protection Regulation (“GDPR”). This provision requires organizations subject to the GDPR to maintain internal records of data processing activities. The CNIL recalled that such records are a key accountability tool under the GDPR for identifying, understanding and controlling data processing activities. Setting up and maintaining these records provide businesses with the opportunity to ask the right questions and limit privacy risks under the GDPR. According to the CNIL, this is also a useful moment to set up a data protection compliance action plan.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 3/2019 on processing of personal data through video devices (the “Guidelines”). Although the Guidelines provide examples of data processing for video surveillance, these examples are not exhaustive. The Guidelines aim to provide guidance on how to apply the EU General Data Protection Regulation (“GDPR”) in all potential areas of video device use.

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

On July 23, 2019, New York City Council members introduced Int. 1632-2019 (the “Bill”), an amendment to the administrative code of New York City that would prohibit telecommunications carriers and mobile applications from sharing a customer’s location data if such data was collected from a device in the five boroughs.

On July 16, 2019, the European Data Protection Board (the “EDPB”) published its Annual Report for 2018 (the “Report”). The Report highlights that the EDPB (1) endorsed 16 guidelines previously adopted by the Article 29 Working Party; (2) adopted four additional guidelines to clarify provisions of the GDPR; (3) adopted 26 consistency opinions to guarantee the consistent application of the EU General Data Protection Regulation (“GDPR”) by the EU data protection authorities; and (4) issued two opinions in the context of the legislative consultation process, as well as a statement on its own initiative and on the draft ePrivacy Regulation.

In addition to Facebook’s record-breaking Federal Trade Commission penalty and settlement order, on July 24, 2019, the Securities and Exchange Commission announced charges against Facebook for inadequate and misleading disclosures over its privacy practices. Facebook, without admitting or denying the SEC’s allegations, has agreed to the entry of a final judgment ordering a fine of $100 million.

As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.