Privacy & Information Security Law Blog

The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) issued its draft SP 800-171B guidelines (the “draft”), which outlines enhanced measures to protect controlled unclassified information (“CUI”) held by government contractors.

The European Data Protection Board (the “EDPB”) recently adopted its Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 (the “Guidelines”). The Guidelines aim to provide practical guidance with respect to Articles 40 and 41 of the EU General Data Protection Regulation (“GDPR”). In particular, the Guidelines intend to clarify the rules and procedures for the submission, approval and publication of codes of conduct.

Today marks one year since the California Consumer Privacy Act of 2018 (“CCPA”) was passed and signed into law. The CCPA signals a dramatic shift in the data privacy regime in the United States, imposing on covered businesses the most prescriptive general privacy rules in the nation. In addition, the past year has seen a legislative explosion in the form of similar proposed state laws and potential federal data privacy legislation.

Given the value of personal information as a significant corporate asset, companies seeking to acquire or merge with another business should focus carefully on the data they will obtain as a result of the transaction. In addition, as cybersecurity attacks continue unabated, companies must carefully evaluate how personal information maintained by a potential target is protected. In a recent article published by Bloomberg Law, Hunton Andrews Kurth partner Lisa J. Sotto and counsel Ryan P. Logan discuss how legal frameworks involving U.S. federal and state law, the EU General Data Protection Regulation, antitrust law and other relevant legal regimes may affect how a company can use personal information following a transaction. The article also addresses key questions companies should ask during the due diligence process, how answers to those questions impact the deal documents and offers post-closing strategies companies should consider.

Texas Governor Greg Abbott recently signed into law HB 4390 (the “Bill”), which amends the state’s data breach notification law and creates an advisory council tasked with studying and developing recommendations regarding data privacy legislation.

To mark the GDPR’s one-year anniversary, the European Commission recently published the results of two surveys meant to illuminate the public’s awareness of the GDPR and its practical applications.

The Illinois legislature recently passed the Artificial Intelligence Video Interview Act, which prohibits an Illinois employer from using artificial intelligence (“AI”) to evaluate job interview videos unless the employer complies with certain requirements.

On June 20, 2019, the Senate confirmed Keith Krach as Under Secretary of State for Economic Growth, Energy, and Environment. The former DocuSign and Ariba CEO, nominated by President Trump in January of 2019, will function as the permanent ombudsperson for the EU-U.S. Privacy Shield agreement as part of his role, addressing complaints related to U.S. protection of EU data.

On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.