Privacy & Information Security Law Blog

On July 9, 2021, President Biden signed the Executive Order on Promoting Competition in the American Economy (the “Executive Order”). The stated goal of the Executive Order is to increase competition in the United States and resolve issues related to monopolistic behaviors, including with respect to privacy and data protection.

On July 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on How the Legitimate Interest Ground for Processing for Processing Enables Responsible Data Use and Innovation (the “Paper”). The Paper explains the growing importance of the legitimate interests legal basis for organizations, whether for routine or more complex and innovative data processing activities. It provides recommendations on how this legal basis should be interpreted, used and applied to unlock the value of data in today’s global connected world. Finally, the Paper includes examples of data processing activities where organizations currently rely on the legitimate interests legal basis, illustrated by 16 case studies that describe how organizations balance the legitimate interest of the controller and individuals’ rights and freedoms.

Hunton Andrews Kurth LLP is pleased to announce that POLITICO has named Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy among its Tech 28, the news organization’s inaugural list of top “rulemakers, rulebreakers and visionaries” shaping the future of technology in Europe and beyond.

On July 13, 2021, federal bank regulators – the Board of Governors of the Federal Reserve System (the “Board”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Regulators”) – requested public comment on proposed joint guidance regarding banking organizations’ management of risks related to relationships with third-party support and service providers (the “Proposed Guidance”). Each of the Regulators previously issued guidance on the subject for their respective supervised banking organizations. The Proposed Guidance seeks to promote consistency in banking organizations’ third-party risk management, replacing agency-specific guidance with a framework that applies to all banking organizations supervised by the Regulators. According to the Regulators, the Proposed Guidance largely would adopt the text of the OCC’s 2013 guidance, broadening its scope to include organizations supervised by all three Regulators.

On July 12, 2021, Chris Inglis was formally sworn in as the first White House National Cyber Director. The newly established position, as well as the Office of the National Cyber Director, was created as part of the 2021 National Defense Authorization Act. Inglis, who previously served as the National Security Agency Deputy Director, was unanimously confirmed to the position by the Senate on June 17, 2021.

Read more on the Office of the National Cyber Director.

The California Attorney General has updated its CCPA FAQs to state that the newly developed Global Privacy Control (“GPC”) “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.”

On June 30, 2021, the New York State Department of Financial Services (“NYDFS,” the “Department”) issued guidance to all New York state regulated entities on ransomware (the “Guidance”), identifying controls it expects regulated companies to implement whenever possible.

On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law, making Colorado the third state to have a comprehensive data privacy law on the books, following California and Virginia. The Colorado House voted 57-7 in favor of the Act on June 7 after it had previously passed the Senate unanimously on May 26. The Senate voted unanimously to adopt the House’s amendments to the Act on June 8. The Act will go into effect on July 1, 2023, with some specific provisions going into effect at later dates.

In an article originally published on Practical Law, and reproduced with the permission of the publishers, Hunton Andrews Kurth London partner Bridget Treacy discusses the European Commission’s long-awaited, and now finalized, standard contractual clauses (“SCCs”) for international transfers of personal data made under the EU General Data Protection Regulation (“GDPR”).

On July 1, 2021, the Federal Trade Commission settled a complaint brought under the Children’s Online Privacy Protection Act (“COPPA”) against Toronto-based Kuuhuub Inc. and its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, operators of the online coloring book app, Recolor. The FTC alleged that the app operators violated the COPPA Rule by collecting and disclosing personal information from child users of the app without first notifying their parents or obtaining verifiable parental consent.