Privacy & Information Security Law Blog

On September 24, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) released a new paper (the “Paper”) on the Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision.

The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) recently published a concept paper titled Why We Need Interstate Privacy Rules for the U.S.

The paper acknowledges the possibility that the U.S. may not implement a comprehensive federal privacy law in the near future, and that instead a growing patchwork of state laws will emerge. It proposes an interstate privacy interoperability code of conduct or certification as a solution to the possibility of inconsistent and disparate privacy requirements across the U.S. The paper outlines the benefits and key features of the code, as well as potential models and sources for its structure and substantive rules, such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”), ISO standards, existing state privacy laws, the EU General Data Protection Regulation (“GDPR”) and key federal privacy proposals. It also discusses the process that could be used to develop the code.

On September 28, 2020, the U.S. Department of Commerce, along with the U.S. Department of Justice and the Office of the Director of National Intelligence, released a White Paper entitled Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “White Paper”). The White Paper outlines privacy safeguards in and updates to the U.S. surveillance provisions flagged by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision. It is intended to serve as a resource for companies transferring personal data from the EU to the U.S. in the wake of the CJEU’s decision overturning the EU-U.S. Privacy Shield. Particularly, it focuses on companies relying on Standard Contractual Clauses (“SCCs”) for data transfers, and provides information to help them determine whether the U.S. ensures adequate privacy protections for companies’ data.

In an op-ed recently published by The Richmond Times-Dispatch, former Governor of Virginia and Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton Andrews Kurth Terry McAuliffe discusses why a U.S. federal privacy law is essential to economic recovery in the wake of the COVID-19 pandemic. McAuliffe highlights how the U.S., unlike other countries, lacks a comprehensive privacy law.

On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.

On September 17, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Deb Fischer (NE) and Marsha Blackburn (TN) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (“the Bill”). The Bill marks an official introduction of an update of Senator Wicker’s draft United States Consumer Data Privacy Act of 2019, which was circulated last November.

On September 18, 2020, the U.S. Department of Commerce (“Commerce”) announced detailed sanctions relating to the mobile applications WeChat and TikTok. These prohibitions were issued in accordance with President Trump’s Executive Orders issued on August 6, 2020, imposing economic sanctions against the platforms under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.). These orders, if they become fully effective, will (1) prohibit mobile app stores in the U.S. from permitting downloads or updates to the WeChat and TikTok mobile apps; (2) prohibit U.S. companies from providing Internet backbone services that enable the WeChat and TikTok mobile apps; and (3) prohibit U.S. companies from providing services through the WeChat mobile app for the purpose of transferring funds or processing payments to or from parties. The sanctions do not target individual or business use of the applications but are expected to degrade the ability of persons in the United States to use the apps for the purposes they were designed to serve.

On September 18, 2020, as confirmed by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, Brazil’s President signed a bill from Brazil’s Congress bringing the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) into effect with a retroactive applicability date of August 16, 2020. The LGPD’s sanctions provisions will apply beginning August 1, 2021, based on a previous delay passed by Brazil’s legislature. As we previously reported, on August 26, 2020, Brazil’s Senate had unexpectedly rejected the ...

On September 15, 2020, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced five more settlements under its HIPAA Right of Access Initiative. The OCR announced its Right of Access Initiative in 2019, promising vigorous enforcement of HIPAA’s access rules. The five newly announced settlements bring OCR's total to seven completed enforcement actions under the Right of Access Initiative.

On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).

On September 9, 2020, the UK Information Commissioner’s Office (“ICO”) published an Accountability Framework, designed to assist organizations in complying with their accountability obligations under the EU General Data Protection Regulation (“GDPR”). The GDPR’s accountability principle requires that organizations both comply with their legal requirements under the GDPR, and also demonstrate their compliance. The ICO states that its Accountability Framework “supports the foundations of an effective privacy management programme.”

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

On September 7, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines aim to (1) clarify the concepts of controller, joint controllers, processor, third party and recipient under the GDPR by providing concrete examples with respect to each; and (2) specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.

On September 9, 2020, Portland, Oregon became the first jurisdiction in the country to ban the private-sector use of facial recognition technology in public places within the city, including stores, restaurants and hotels. The city Ordinance was unanimously passed by the Portland City Council and will take effect on January 1, 2021. The City Council cited as rationale for the Ordinance documented instances of gender and racial bias in facial recognition technology, and the fact that marginalized communities have been subject to “over surveillance and [the] disparate and detrimental impact of the use of surveillance.”

The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Data Security Council of India (“DSCI”) have published a report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill (the “Report”).

On September 1, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”) released a new paper (“Paper”) on the Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (“LGPD”). This paper is part of their joint-project on effective implementation and regulation under the LGPD.

On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”), announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. This decision follows the July 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case, which invalidated the EU-U.S. Privacy Shield for EU-U.S. transfers of personal data. This ruling was considered as part of the annual review of the Swiss-U.S. Privacy Shield Framework by the FDPIC since, as Switzerland is not a member of the EU, it is not bound by the CJEU ruling.

On September 4, 2020, the European Data Protection Board (the “EDPB”) announced that it established two taskforces following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On September 3, 2020, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament held a meeting to discuss the future of EU-U.S. data flows following the Schrems II judgment of the Court of Justice of the European Union (the “CJEU”). In addition to Members of the European Parliament (“MEPs”), the meeting’s participants included Justice Commissioner Didier Reynders, European Data Protection Board (“EDPB”) Chair Andrea Jelinek and Maximilian Schrems. Importantly, Commissioner Reynders stated during the meeting that the new Standard Contractual Clauses (“SCCs”) might be adopted by the end of 2020, at the earliest.

On August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020). As we previously reported, the judgment of the CJEU invalidated the EU-U.S. Privacy Shield framework and confirmed the ongoing validity of the controller-to-processor EU Standard Contractual Clauses (“SCCs”), subject to an adequacy assessment and, if necessary, additional safeguards to protect the personal data transferred pursuant to the SCCs. The guidance is notable because it is the first substantive guidance from a DPA following the Schrems II judgment (although the guidance is only applicable to companies established in the federal state of Baden-Württemberg).

UPDATE: On September 25, 2020, California Governor Gavin Newsom vetoed SB-980.

On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.