Privacy & Information Security Law Blog

On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

On May 27, 2021, the U.S. Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”) announced a Security Directive (the “Directive”) that will impose new cybersecurity requirements on critical pipeline owners and operators.

On May 26, 2021, the Court of Appeal handed down its judgment in the case of R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, finding that the UK 2018 Data Protection Act’s (“DPA 2018”) “immigration exemption” is unlawful.

On May 25, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Peachstate Health Management, LLC (“Peachstate”) for violations of the HIPAA Security Rule. As part of this settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay OCR $25,000 and to implement a robust corrective action plan.

On May 20, 2021, the Belgian Data Protection Authority (“Belgian DPA”), as the lead authority (in collaboration with two co-reviewing authorities), announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation (the “GDPR”).

On May 20, 2021, the U.S. Department of the Treasury announced a proposal that would require any cryptocurrency transaction of $10,000 or more to be reported to the Internal Review Service (“IRS”). As a supplement to President Biden’s American Families Plan, which focuses on investments in American children and families, the Treasury detailed the cryptocurrency reporting requirement and other tax compliance initiatives in a new report titled The American Families Plan Tax Compliance Agenda (the “Report”).

On May 18, 2021, New York Attorney General (“AG”) Letitia James announced a settlement agreement with Filters Fast LLC (“Filters Fast”) over a data breach that compromised personal information of approximately 324,000 consumers nationwide, including over 16,500 New York state residents. The breach affected purchases made on Filters Fast website for almost a year – from July 16, 2019 to July 10, 2020.

On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €525,000 fine on Locatefamily.com for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation (“GDPR”) to appoint a representative in the EU.

On May 10, 2021, the Ecuadorian National Assembly unanimously approved the Organic Law on Data Protection (the “Data Protection Law”), which President Moreno is expected to sign.

On May 14, 2021, the Irish High Court dismissed Facebook Ireland’s (“Facebook”) challenge to the Irish Data Protection Commissioner’s (“DPC”) investigation into Facebook’s international transfers of personal data.

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board (“EDPB”). The request came after the Parliament’s Civil Liberties Committee (the “Committee”) passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime. The Members of European Parliament (“MEPs”) stated that if the Commission’s implementing decisions are adopted without amendment, transfers of personal data to the UK should be suspended when there is the potential for indiscriminate access to personal data.

On May 12, 2021, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity. The Order outlines a number of initiatives intended to improve cybersecurity in the U.S. and protect federal government networks, including:

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

On May 11, 2021, Senators Edward Markey (D-MA) and Bill Cassidy (R-LA) introduced the Children and Teens’ Online Privacy Protection Act (the “Bill”). The Bill, which would amend the existing Children’s Online Privacy Protection Act (“COPPA”), would prohibit companies from collecting personal information from children ages 13 to 15 without their consent.

On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.

On May 6, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers submitting new apps and app updates to the Google Play store will be required to disclose certain information regarding their apps’ data collection, use, sharing and security practices, as well as provide a privacy policy for their apps. This information will be displayed in a new “safety section” of Google Play.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.