Privacy & Information Security Law Blog

On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.

On March 30, 2021, the European Commission (the “Commission”) announced the successful conclusion of the adequacy talks with the Republic of Korea.

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) recently announced more settlements associated with its HIPAA Right of Access Initiative. The settlements with Village Plastic Surgery ("VPS") and The Arbour, Inc. (“Arbour”) resulted in combined civil monetary penalties of $95,000.

On March 26, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its comments on the Irish Data Protection Commissioner’s (“DPC”) draft guidance on safeguarding the personal data of children when providing online services, “Children Front and Centre—Fundamentals for a Child-Oriented Approach to Data Processing” (the “Draft Guidance”).

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On March 12, 2021, the Cyberspace Administration of China released Provisions on the “Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications” (the “Provisions”) (available here in Chinese).

On March 30, 2021, Hunton Andrews Kurth will host a webinar examining Virginia’s new Consumer Data Protection Act.

On March 22, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published its paper on delivering a risk-based approach to regulating artificial intelligence (the “Paper”), with the intention of informing current EU discussions on the development of rules to regulate AI.

On March 19, 2021, the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) signed a Memorandum of Understanding (“MoU”) with the UK Information Commissioner’s Office (the “ICO”) with respect to new UK adequacy assessments following the UK’s departure from the European Union. The MoU sets out how DCMS and third countries will negotiate adequacy decisions, referred to under the MoU as “adequacy regulations”. These permit the free transfer of personal data collected in the UK to the relevant “adequate” jurisdiction.

As reported by Bloomberg Law, on March 17, 2021, the five board members of the California Privacy Protection Agency (“CPPA”) were announced. The CPPA was established by the California Privacy Rights Act (“CPRA”), which was approved by California voters during the November 2020 election.

On March 15, 2021, the California Attorney General (“AG”) approved additional CCPA Regulations that impact certain sections of the initial CCPA Regulations that went into effect on August 14, 2020. These amendments, which were the subject of the third and fourth sets of proposed modifications, went into effect on March 15, 2021.

On March 12, 2021, France’s highest administrative court (the “Conseil d’État”) issued a summary judgment that rejected a request for the suspension of the partnership between the French Ministry of Health and Doctolib, a leading provider of online medical consultations in Europe, for the management of COVID-19 vaccination appointments.

On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.

On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) related to allegations that RMS violated the NYDFS Cybersecurity Regulation in connection with a 2019 data breach.

On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.

On March 1, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the new Brazilian data protection authority’s (Agência Nacional de Proteção de Dados, the “ANPD’s”) public consultation (in Portuguese) on the impact of the Brazilian data protection law (Lei Geral de Proteção de Dados, the “LGPD”) on small and medium-sized enterprises (“SMEs”), which will inform the ANPD’s upcoming special rules for SMEs.

On March 2, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments. In addition to California, Virginia is now the second state to enact major privacy legislation of general applicability in the U.S.

On February 24, 2021, the Federal Trade Commission announced that it will hold a workshop on digital dark patterns on April 29, 2021. The workshop will aim to understand the ways in which user interfaces can have the effect, intentionally or unintentionally, of obscuring, subverting or impairing consumer autonomy, decision-making or choice.