Privacy & Information Security Law Blog

On February 26, 2019, the European Data Protection Board (the “EDPB”) presented its first overview of the GDPR’s implementation and the roles and means of the national supervisory authorities to the European Parliament (the “Overview”).

The Overview provides key statistics relating to the consistency mechanism among national data protection authorities (“DPAs”), the cooperation mechanism of the EDPB, the means and powers of the DPAs and enforcement of the GDPR at the national level.

On March 5, 2019, the Federal Trade Commission announced that it is seeking comment on proposed changes to the FTC’s Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act (“GLB”).

The proposed amendments to the Safeguards Rule, which went into effect in 2003 and imposes data security obligations on financial institutions over which the Commission has jurisdiction, are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners. The proposed changes would add more detailed requirements on how financial institutions must protect customer information.

During the week of February 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP participated in the meetings of the APEC Data Privacy Subgroup (“DPS”) and Electronic Commerce Steering Group (“ECSG”) in Santiago, Chile. CIPL enjoys formal guest status and a seat at the table at these bi-annual APEC privacy meetings.

On February 25, 2019, the European Data Protection Board (the “EDPB”) issued a statement regarding the transfer of personal data from Europe to the U.S. Internal Revenue Service (the “IRS”) for purposes of the U.S. Foreign Account Tax Compliance Act (“FATCA”).

Enacted in 2010, FATCA requires that foreign financial institutions report information about financial accounts and assets held by their U.S. account holders to the IRS. Such institutions are required to register directly with the IRS to comply with FATCA or comply with intergovernmental agreements signed between the foreign country and the U.S. government. FATCA was designed to combat tax evasion by U.S. persons holding accounts and other financial assets offshore.

On February 27, 2019, the Federal Trade Commission announced a record $5.7 million civil penalty against popular video creation and sharing app Musical.ly (now known as TikTok) for violations of U.S. children’s privacy rules. According to the FTC’s complaint, Musical.ly is designed to appeal to young children (among others), and the company was aware that a significant percentage of Musical.ly users were children under the age of 13. The FTC also alleged that Musical.ly gained actual knowledge of underage use from parents who unsuccessfully sought to have their children’s ...

On February 22, 2019, California state senator Hannah Beth-Jackson introduced a bill (SB-561) that would amend the California Consumer Privacy Act of 2018 (“CCPA”) to expand the Act’s private right of action and remove the 30-day cure period requirement for enforcement actions brought by the State Attorney General. The bill would not change the compliance deadline for the CCPA, which remains January 1, 2020. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”

The Belgian Data Protection Authority (the “Belgian DPA”) recently published the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).

On February 20, 2019, the French data protection authority (the “CNIL”) published a set of questions and answers (“FAQs”) indicating the CNIL’s recommendations, and steps that organizations should take, to prepare for a no-deal Brexit. The CNIL’s FAQs build upon guidance the European Data Protection Board (“EDPB”) provided in its Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit.

On February 12, 2019, the European Data Protection Board (the “EDPB”) released its work program for 2019 and 2020 (the “Work Program”). Following the EDPB’s endorsement of the Article 29 Working Party guidelines and continued guidance relating to new EU General Data Protection Regulation (“GDPR”) concepts, the EDPB plans to shift its focus to more specialized areas and technologies.

At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.