Privacy & Information Security Law Blog

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

On June 14, 2021, the Baltimore City Council passed a bill that would ban the use of facial recognition technology by private entities and individuals within the city limits. If signed into law, Baltimore, Maryland would become the latest U.S. city to enact stringent regulations governing the use of facial recognition technology in the private sector.

After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.

Compared to previous drafts of the law, the final version of the DSL differs with respect to:

• establishing a work coordination mechanism and clarifying the duties of each governmental authority;
• establishing an administration system for state core data;
• encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
• protecting the security of government data; and
• increasing the punishment dynamics for violations of the law. 

On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.

On June 15, 2021, the SEC announced it settled charges against real estate services company First American Financial Corporation (“First American”) for alleged violation of Rule 13a-15(a) of the Exchange Act. The SEC charged First American with failure to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning a software vulnerability that led to a cybersecurity incident was filed with the Commission.

On June 15, 2021, the U.S. Senate confirmed Lina Khan to the Federal Trade Commission by a vote of 69-28. Khan will fill the vacancy left by former Chairman Joseph Simons (R) who resigned from the FTC in January 2021.

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

July 1, 2021 marks the deadline for certain businesses to comply with the metrics reporting obligations under the California Consumer Privacy Act of 2018 (“CCPA”) regulations. Section 999.317(g) of the regulations applies to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.

As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.