Jones Day Global Privacy & Cybersecurity Update | Vol. 27
Jones Day Cybersecurity, Privacy & Data Protection Lawyer Spotlight: Amy Harman Burkart
Cyber threat actors target businesses of every size, in all sectors, with a variety of motivations. Many seek financial gain in the form of a ransomware payment or payout of a fraud scheme. Other threat actors seek to steal intellectual property, or to disrupt business operations. These attacks present far-reaching challenges for businesses, from navigating the immediate operational issues to assessing notification obligations and defending against ensuing regulatory investigations and litigation focused on the adequacy of businesses' data security and incident response. Amy Harman Burkart, of counsel in the Boston Office, guides businesses through each stage of responding to a cyber incident. With a decade of experience investigating and prosecuting cyber, intellectual property, and financial crimes, Amy directs internal forensic investigations, guides clients to respond effectively and efficiently to the event, and represents them in related legal challenges.
Amy is the former chief of the Cybercrime Unit at the United States Attorney's Office in Boston, Massachusetts. She is an experienced trial lawyer who directed investigative teams from the Federal Bureau of Investigation ("FBI"), Secret Service, Department of Homeland Security, U.S. Food & Drug Administration ("FDA"), and the Internal Revenue Service on computer intrusions, data breaches, network attacks, securities fraud, theft of trade secrets, insider trading, money laundering, trafficking in counterfeit goods, fraud schemes, and national security cyber activity. Amy previously worked in private practice in Boston and New York, where she represented clients in criminal matters and civil litigation related to securities, accounting, and other financial matters.
Regulatory—Policy, Best Practices, and Standard
NIST Unveils Draft Guidance to Protect Critical Infrastructure
On October 22, 2020, the National Institute of Standards and Technology ("NIST") released a draft of theCybersecurity Profile for the Responsible Use of Positioning, Navigation, and Timing ("PNT") Services ("Profile") to extend the NIST Cybersecurity Framework to the use of PNT services—e.g., the Global Positioning System—across economic sectors. Developed in response to a February 2020 Executive Order, the Profile aims "to help organizations identify systems, networks, and assets dependent on PNT services; identify appropriate PNT services; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets dependent on PNT services."
NIST Releases Guidelines on Information Technology and Storage Infrastructure
On October 26, 2020, NIST released the Security Guidelines for Storage Infrastructure. The guidelines "span [security focus areas] that are common to the entire IT infrastructure, such as physical security, authentication and authorization, change management, configuration control, incident response, and recovery," as well as storage-specific technologies, including network-attached storage, storage area networks, data protection, data isolation, restoration assurance, and encryption.
Regulatory—Consumer and Retail
FTC Announces Settlement With Video Conferencing Provider
On November 9, 2020, the Federal Trade Commission ("FTC") announced a proposed settlement of its administrative complaint with a video conferencing technology provider. The complaint alleged that the company misled consumers about the security of their communications on the platform when it undermined a browser's security features. The proposed settlement will require the company to establish, implement, and maintain an information security program to protect the security of its users and obtain biennial assessments of its security program.
FTC Issues Financial Report for 2020
On November 16, 2020, the FTC issued its Fiscal Year 2020 Agency Financial Report. The report includes annual audited financial statements, as well as "the Office of the Inspector General's assessment of the FTC's key management accomplishments and opportunities for performance improvements."
Security Firm Discloses Security Breach
On December 8, 2020, a security firm announced it had been attacked by a suspected state-sponsored threat actor utilizing novel techniques. The company announced that the attacker targeted the assessment tools it used to test customers' security. The company is investigating the attack together with the FBI and other partners. The company made countermeasures that can detect or block the use of compromised tools available publicly on its blog.
FINRA Alerts Firms to Phishing Scheme
On November 30, 2020, the Financial Industry Regulatory Authority ("FINRA") warned member firms of an ongoing phishing campaign involving a fraudulent email domain. FINRA asked the internet domain registrar to suspend services for this domain.
Treasury Sanctions Russian Government Institution for Developing Malware
On October 23, 2020, the Department of the Treasury's Office of Foreign Assets Control ("OFAC") sanctioned a Russian government institution for developing the Triton malware. The Triton malware was identified in a 2017 cyber attack targeting industrial safety systems at a Middle Eastern petrochemical facility, and has since been discovered probing numerous U.S. electric utilities. Pursuant to Section 224 of the Countering America's Adversaries Through Sanctions Act, OFAC has designated the entity as undermining the cybersecurity of U.S. critical infrastructure.
NERC Expands Key Cybersecurity Program
On November 31, 2020, the North America Electric Reliability Corporation ("NERC") partnered with the Department of Energy to expand the Cybersecurity Risk Information Sharing Program to include operational technology. The expansion includes two operational technology pilot programs to identify potential cyber threats to utilities' industrial control systems.
Agencies Issue Joint Advisory Warning of Cybercrime Threat to Health Care Providers
On October 28, 2020, the Cybersecurity and Infrastructure Security Agency ("CISA"), FBI, and the United States Department of Health & Human Services ("HHS") coauthored a joint cybersecurity advisory warning that the agencies "have credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers." The advisory described tactics, techniques, and procedures used to infect target systems in the health care and public health sector with ransomware. The ransomware attacks have led to the disruption of health care services and created a heightened risk for health care organizations dealing with the COVID-19 pandemic.
HHS Proposes Changes to HIPAA Rule
On December 10, 2020, HHS proposed significant changes to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule. If adopted, the new rule would provide individuals with greater access to their health information, clarify permissible information sharing procedures for case coordination and management, and expand the ability to disclose protected health information under certain circumstances. The agency will accept comments on the proposed rule for 60 days following its publication in the Federal Register. For more information, please see our Jones Day Alert.
Regulatory—Defense and National Security
DoD Rolls Out New Security Requirements for Government Contracts
On November 30, 2020, the interim rule of the Department of Defense ("DoD") implementing the Cybersecurity Maturity Model Certification ("CMMC") framework went into effect. The interim rule, which the DoD issued on September 29, 2020, defines five cybersecurity levels implementing controls from NIST SP 800-171 for contractors. The DoD will begin implementing requirements for Level 3 and below in fiscal year 2021. The DoD is currently reviewing pilot nominations and anticipates contract awards in late 2021 after the contractors undergo appropriate CMMC assessments. All contractors "must achieve the required CMMC level at time of contract award, and flow down the appropriate CMMC requirement to subcontractors." For more information, please see our Jones Day Commentary.
CISA Issues Emergency Directive on Cyber Threat to Government and Businesses
On December 13, 2020, CISA issued an Emergency Directive and followed, on December 17, 2020, with Alert (AA20-352A) that reported a cyber attack on United States government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat actor, beginning in at least March 2020. One of the initial attack vectors leveraged a supply chain compromise of a software suite. CISA ordered the affected agencies to "immediately disconnect or power down" two versions of the software products from their networks. The threat poses a grave risk to government agencies, critical infrastructure entities, and a variety of private sector organizations. The software provider, CISA, and cybersecurity industry are rapidly releasing intelligence and potential remedial countermeasures. For more information, please see our Jones Day Alert.
U.S. Government Responds to Significant Cyber Incident
On December 16, 2020, the FBI, CISA, and the Office of the Director of National Intelligence announced the formation of a Cyber Unified Coordination Group to coordinate a whole-of-government response to an ongoing cybersecurity event affecting a software provider to the U.S. government. The chairman of the House Permanent Select Committee on Intelligence said the "intrusions reinforce the need to secure our unclassified government networks and those in the private sector that partner with the government."
NHTSA Solicits Public Comment on Automated Driving System Safety Principles
On November 19, 2020, the U.S. Department of Transportation's National Highway Traffic Safety Administration ("NHTSA") published an advance notice of public rulemaking on the development of a framework of principles to govern the safe behavior of automated driving systems. The rulemaking is intended to address safety, security, and privacy "without hampering innovation in the development of automated driving systems."
Litigation, Judicial Rulings, and Enforcement Actions
State Attorneys General Ask Supreme Court for Broad Interpretation of Autodialer
On October 23, 2020, attorneys general from 36 states and the District of Columbia submitted an amicus brief asking the Supreme Court to interpret the definition of an "autodialer" broadly under the Telephone Consumer Protection Act ("TCPA"). The complaint alleged that a social media company violated the TCPA prohibition on the use of "any automatic telephone dialing system or an artificial or prerecorded voice" to send text messages to cell phones. The attorneys general challenged the company's contention that a device must use a random or sequential number generator to qualify as an autodialer, arguing that the statute encompassed "any device with the capacity to store and dial numbers automatically."
Third-Party Database Manager May Owe a Duty of Care in Hotel Data Breach
On October 26, 2020, a federal court denied in part a third-party technology provider's motion to dismiss claims in multidistrict litigation stemming from its management of hotel guest reservation databases that suffered a large data breach discovered in 2018. The data breach involved the theft of millions of unencrypted passport numbers and payment card data from the hotel's reservation database for more than four years. The provider was a named defendant in a class action lawsuit brought against the hotel chain claiming it negligently provided security consulting services. The court denied the motion with respect to certain claims after finding that the plaintiff adequately alleged a duty of care under Maryland, Connecticut, and Florida law.
Eleventh Circuit Vacates FACTA Class Action Settlement
On October 28, 2020, a split en banc Eleventh Circuit held that to establish Article III standing under the Fair and Accurate Credit Transactions Act ("FACTA"), plaintiffs must show a material risk of identity theft. Vacating the lower court's approval of a class settlement, the appeals court held that printing more credit card digits on a receipt than FACTA allows is not a concrete harm establishing Article III standing. The ruling aligns the Eleventh Circuit with the Second, Third, and Ninth Circuits in requiring concrete harm to establish standing in FACTA cases.
Judge Dismisses Data Breach Class Action for Lack of Standing
On November 5, 2020, a Massachusetts district court dismissed a class action against a department store because the plaintiff failed to allege an impending risk of identity theft from the breach or misuse of personal information. The judge found that the data exposed by a 2019 data breach "was not highly sensitive," and that immediately canceling one's credit card could mitigate risks of recurrent credit card fraud.
CCPA Lawsuit Alleges Failure to Maintain Reasonable Security Measures for Electronic Payments
On November 9, 2020, plaintiffs filed a class action alleging that a restaurant chain's use of magnetic strip technology rather than EMV chip readers for payment card transactions violated the California Consumer Privacy Act ("CCPA") because the "unsecure" payment method put customers' data at "unnecessary risk." Between May 2019 and September 2020, the chain experienced multiple breaches of its customers' unredacted and unencrypted personally identifiable information, including customers' first and last names, their payment card numbers, and security codes.
Car Manufacturer Faces Class Action Regarding Web User Tracking Software
On November 11, 2020, plaintiffs filed a class action lawsuit in federal court against a car manufacturer and its marketing analytics software provider, alleging that the companies illegally wiretapped the electronic communications of visitors to the manufacturer's websites. The software provided to the company observed and recorded website visitors' keystrokes, mouse clicks, and other web activity in real time. The complaint asserts claims under multiple sections of the California penal code and invokes the California constitutional right of privacy.
Satellite Television Provider Pays $126M Settlement for Telemarketing Violations
On December 7, 2020, a satellite television provider reached a $126 million settlement with the Department of Justice ("DOJ"), as well as the attorneys general of California, Illinois, North Carolina, and Ohio to resolve alleged violations of the FTC Act and the TCPA. The company was accused of making unsolicited calls to consumers who were either listed on the Do Not Call Registry or had previously declined to receive sales calls from the provider. The DOJ's press release stated that the settlement was "the largest civil penalty ever paid to resolve telemarketing violations under the FTC Act, and exceeds the total penalties paid to the government by all prior violators" of the FTC's Telemarketing Sales Rule.
IoT Cybersecurity Improvement Act Becomes Law
On December 4, 2020, the president signed the Internet of Things ("IoT") Cybersecurity Improvement Act ("IoT Act"). The IoT Act requires NIST to develop and publish standards and guidelines on minimum information security requirements for how the federal government should appropriately use and manage IoT devices. NIST's guidelines also may serve as a guide to state governments and the private sector. For more information, please see our Jones Day Alert.
California Voters Approve CPRA
On November 3, 2020, California voters approved the California Privacy Rights Act ("CPRA"), a consumer privacy ballot initiative that introduces significant amendments to the CCPA. The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations on covered businesses, and establishes a new enforcement agency dedicated to consumer privacy. The CPRA's substantive provisions become effective on January 1, 2023, and new regulations are expected to be introduced by July 1, 2022. For more information, please see our Jones Day Commentary.
Portland, Maine Enhances Facial Recognition Ban
On November 3, 2020, voters in Portland, Maine passed a ballot initiative enhancing an existing ban on the use of facial recognition software by police and other public officials. The ballot initiative enables citizens to sue the city for violations, with up to $1,000 in penalties in addition to attorneys' fees. It also requires suppression of illegally obtained evidence in any legal proceeding and allows city employees to be suspended or terminated for violations.
Michigan Amends Constitution to Protect Data From Search and Seizure
On November 3, 2020, Michigan voters approved a constitutional amendment prohibiting unreasonable searches or seizures of a person's electronic data and communications, in effect applying the same warrant requirements needed to search a person's home or seize items.
California Releases Fourth Set of Proposed Modifications to the CCPA
On December 10, 2020, the California Department of Justice released the fourth set of proposed modifications to the CCPA. These modifications relate to the sale of personal information and a uniform button to opt out of the sale of personal information. The department is accepting written comment submissions regarding the proposed changes between December 11 and December 28, 2020. For more information, please see our Jones Day Alert.
Canada Proposes New Federal Privacy Law Bill
On November 17, 2020, the Canadian government introduced the Digital Charter Implementation Act. The bill would authorize the Office of the Privacy Commissioner to order a company to cease processing activities and to impose fines up to the greater of CAD $25 million or 5% of an organization's global revenue. It also creates individual data portability and deletion rights and a private right of action. The bill would require businesses to provide algorithmic transparency and obtain customer consent through plain language before using their personal data.
The following Jones Day lawyers contributed to this section: Jennifer C. Everett, Kerianne Tobitsch, Claire Gianotti, Ruby Lang, Bailey Loverin, Daniel Lopez, Sara Lynch, Megan McKnelly, Dan Ongaro, Christina O'Tousa, Clinton Oxford, Ayesha Rasheed, Molly Russell, Ben Sanchez, and Jenny Whalen-Ball.
Council Urges Improved Data Protection Regulatory Framework for Incident Response
On November 27, 2020, the Council for Transparency ("Consejo para la transparencia," "CPLT") released a press release addressing a series of incidents involving breaches of government servers and databases (source document in Spanish). The CPLT aims to establish a model national response to cyber attacks to notify affected persons of data breaches.
Superintendence Releases Guide for Personal Data Processing in Horizontal Property
On November 20, 2020, the Columbian Superintendence of Industry and Commerce ("Superintendencia de Industria y Comercio,""SIC") published the Guide for Personal Data Processing in Horizontal Property (source documents in Spanish). The guide presents recommendations to all personal data controllers who regularly collect or process personal data in buildings or residential complexes, such as through video surveillance systems.
Superintendence Orders Social Media Company to Comply With Data Protection Standards
On November 27, 2020, the SIC ordered a social media company to implement additional data protection measures to comply with Colombian data protection standards (source document in Spanish). The SIC ordered the companies to implement a demonstrable consent mechanism, create a privacy notice, and implement special protections for the collection and processing of data of children and adolescents.
INAI Launches Site to Promote Data Protection Rights
On October 29, 2020, the National Institute of Transparency, Access to Information and Personal Data Protection ("Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales," "INAI") launched a new portal to facilitate the exercise of personal data protection rights and promote an accessible approach (source document in Spanish).
INAI Adds New Title to General Guidelines on Personal Data Protection
On November 11, 2020, the INAI issued a 10th title to the General Guidelines on Personal Data Protection for Obliged Subjects in the Federal Official Gazette (source documents in Spanish). This new title adds compliance and reporting obligations for government data controllers, including an annual evaluation program and annual report on compliance performance.
Mexican Senate Approves National Registry of Cellphone Users
On December 10, 2020, the Mexican Senate published a bill to create a national register of cellphone users (source document in Spanish). This register will be mandatory and will contain the following data: (i) cellphone number; (ii) date and time of SIM card activation; (iii) full name of the line holder; (iv) nationality; (v) official identification number with photograph and unique population number; and (vi) biometric data of the line holder.
Paraguay Publishes Regulation on Personal Credit Data Protection
On November 12, 2020, Paraguay published new regulations to protect consumer credit data (source document in Spanish). These regulations mandate that after five years, credit data may only be kept for statistical purposes. Additionally, the new rules seek to protect job seekers from discrimination based on credit history, allowing fines of up to USD $4,968,450 for data controllers or processors who carry out unlawful credit data processing, or up to USD $9,936,000 for repeat offenses.
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, and Juan Carlos Quinzaños.
European Commission Publishes Proposal for Data Governance Act
On November 25, 2020, the EU Commission published a proposal for a regulation on data governance, also called the Data Governance Act ("Proposal"). The Proposal aims to increase trust in sharing personal and non-personal data and to lower transaction costs linked to business-to-business and consumer-to-business data sharing by creating a notification regime for data sharing providers. The Proposal includes provisions to protect non-personal commercially sensitive data (such as trade secrets or IP-protected content) and further regulate the transfer of data to third countries.
Court of Justice of the European Union
CJEU Clarifies Conditions on Data Retention
On October 6, 2020, the Court of Justice of the European Union ("CJEU") ruled in Case C-623/17 Privacy International,and joined Cases C-511/18 La Quadrature du Net and Others, C-512/18 French Data Network and Others and C-520/18 Ordre des barreaux francophones et germanophone and Others in concluding that the national security laws of the United Kingdom, France, and Belgium contravene EU law because they require that providers of electronic communications services retain traffic and location data on a general and indiscriminate basis. For more information, see our Jones Day Commentary.
Council of the European Union
Council Adopts Conclusions on Cybersecurity of Connected Devices
On December 2, 2020, the Council of the European Union ("Council") approved conclusions on the cybersecurity of connected devices. The conclusions acknowledge the increased use of consumer products and industrial devices connected to the internet and the related privacy, information security, and cybersecurity risks. The aim of the conclusions is to address this issue by setting priorities and fostering the global competitiveness of the IoT industry by ensuring high resilience, safety, and security standards.
European Data Protection Board
EDPB Adopts Recommendations on the European Essential Guarantees for Surveillance Measures
On November 10, 2020, the European Data Protection Board ("EDPB") adopted recommendations on the European Essential Guarantees for surveillance measures, following the CJEU's Schrems II ruling in July 2020. The recommendations provide guidance to companies that transfer personal data to third countries and require them to assess whether the countries to which they transfer this data adequately protect it. The recommendations summarize four European Essential Guarantees: (i) processing based on clear, precise, and accessible rules; (ii) necessity and proportionality with regard to the legitimate objectives of processing; (iii) an independent oversight mechanism; and (iv) effective remedies for individuals.
EDPB Adopts Draft Recommendations on Measures That Supplement Transfer Tools
On November 10, 2020, the EDPB adopted draft recommendations on measures that supplement transfer tools to ensure compliance with an EU level of personal data protection, following CJEU's Schrems II ruling in July 2020. The recommendations provide a roadmap of actions companies should follow prior to undertaking the transfer of personal data from the EU to third countries. In particular, the recommendations stress that companies should perform a data mapping exercise and identify the legal mechanism used for such transfers to assess whether transfer tools are effective or if supplementary measures are required.
EDPB Publishes Information Note on Data Transfers to the United Kingdom After Transition
On December 15, 2020, the EDPB published a note stating that beginning on January 1, 2021, following the United Kingdom's withdrawal from the EU, transfers of personal data between stakeholders subject to the General Data Protection Regulation ("GDPR") and UK entities will constitute a transfer of personal data to a third country and, therefore, be subject to the provisions of Chapter V GDPR. The EDPB stressed that supplementary measures might be necessary to bring the level of protection of data transferred to the United Kingdom up to the EU standard of essential equivalence. For more information, please see our Jones Day Commentary.
European Union Agency for Cybersecurity
ENISA Publishes Threat Landscape Reports for 2020
On October 20, 2020, the European Union Agency for Cybersecurity ("ENISA") published a series of reports on the threat landscape in 2020. The reports focused on, among other things, malware, data breaches, ransomware attacks, information leakage, and phishing attacks. The reports identified and evaluated the top cybersecurity threats for the period of January 2019–April 2020.
ENISA Publishes Guidelines for Securing the IoT Supply Chain
On November 9, 2020, ENISA published guidelines on securing the supply chain for the IoT. The guidelines address the entire lifespan of IoT product development by offering security measures for each step (i.e., requirements and design, end use delivery and maintenance, and disposal). The guidelines have sought to help IoT manufacturers, developers, integrators, and all stakeholders involved in the supply chain of the IoT to make better security decisions when building, deploying, or assessing IoT technologies.
Belgian DPA Issues Decision Against Hospital
On November 9, 2020, the Belgian Data Protection Authority ("DPA") issued a decision against a hospital for infringing on the principle of transparency enshrined in the GDPR by deducting trade union membership fees directly from employees' salaries (source document in French). No sanctions were issued due to the prompt intervention of the data protection officer of the hospital.
Belgian DPA Issues GDPR Compliance Toolbox
On November 17, 2020, the Belgian DPA issued a GDPR compliance toolbox for data protection officers, controllers, and processors ("Toolbox") (source document in French and Dutch). The Toolbox helps controllers and processors implement the GDPR. In particular, it provides a 13-step plan of action for companies to assess and adapt their current levels of compliance with the GDPR.
Belgian DPA Signs Cooperation Agreement on Domain Names
On November 26, 2020, the Belgian DPA signed a cooperation agreement with the organization that manages domain names in Belgium ("Agreement") (source document in French and Dutch). The Agreement authorizes the Belgian DPA to ban more quickly any websites with the domain ".be" that violate the GDPR. In addition, the Agreement highlights that the Belgian DPA, competent courts, and public authorities are responsible for assessing whether ".be" websites violate the GDPR.
CNIL Fines Ecommerce Companies
On November 26, 2020, the French Data Protection Authority ("CNIL") announced that between May and July 2019, it conducted checks on two ecommerce companies, following several complaints, which revealed violations concerning the processing of customer and potential customer data under the GDPR, French Postal and Electronic Communications Code, and French Data Protection Act (source document in French). These included violations of the obligations to (i) inform users of processing; (ii) obtain users' prior consent to use of advertising cookies; (iii) limit the data retention period; and (iv) facilitate the exercise of users' rights, among other obligations. The CNIL fined the two companies €2,250,000 and €800,000, respectively.
On December 10, 2020, the CNIL announced that it had conducted a check on a technology company's websites on March 16, 2020, and determined that the company and its Irish affiliate used advertising cookies automatically without prior consent from users and without providing information on cookies (source document in French). The CNIL also noted a partial failure of the mechanism to refuse the cookies. The CNIL fined the company and its affiliate €60 million and €40 million, respectively, and issued an injunction against both to comply with the French Data Protection Act or face a fine of €100,000 per month.
DPA Fines Retail Company €35 Million Under GDPR for Employee Surveillance
On October 1, 2020, the DPA of Hamburg announced a fine of €35 million (approximately USD $41.3 million) against a multinational retail company for violations of the GDPR related to the surveillance of several hundred employees at a service center in Germany since 2014. The DPA found that the company had engaged in extensive recording of the private lives of employees. The recording, collection, and storage of this data was discovered in October 2019 when a configuration error made these notes accessible across the company for a few hours.
Labor Court Submits Questions to CJEU
On October 21, 2020, Germany's Federal Labor Court (Bundesarbeitsgericht) submitted questions to the CJEU for a preliminary ruling on protection against the termination of data protection officers' contracts pursuant to Article 38(3) GDPR. The court is concerned not only with the question of whether employed data protection officers can be dismissed, but also with questions related to the GDPR.
DSK Publishes Guidelines on Video Conferencing Systems
On October 23, 2020, Germany's Conference of Data Protection Authorities (Datenschutzkonferenz, "DSK") published guidelines on using, hosting, and implementing video conferencing systems, accompanied by a checklist that accounts for concerns specific to the current pandemic (source documents in German). The guidelines examine the applicable legal bases and obligations under the GDPR, as well as technical and organizational requirements, distinguishing between self-hosted, externally operated, and software-as-a-service operational models.
Court Reduces Fine Against Telecommunication Services Provider
On November 11, 2020, the Bonn Regional Court reduced a €9.55 million fine issued by the German Federal Data Protection Authority (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, "BfDI") against a German telecommunication services provider to €900,000. The fine was issued for inadequate caller identification mechanisms, which allowed access to further personal data from customer accounts after only providing a name and date of birth.
Italian DPA Orders Search Engine Company to Honor Right to Be Forgotten
On October 15, 2020, the Italian Data Protection Authority ("Italian DPA") ordered a search engine company to remove links to research listings of articles, including links containing the personal details of two individuals involved in judicial proceedings that were terminated without any judicial consequences for the individuals (source document in Italian). According to the Italian DPA, the continued online availability of articles associated with the names of the plaintiffs created a disproportionate impact on their rights, which was not outweighed by a public interest in making the news available to the public.
Dutch DPA Questions Processing of Foreign Nationals' Biometric Data
On November 6, 2020, the Dutch Data Protection Authority ("Dutch DPA") published advice on the June 24, 2020, amendments to the Dutch Aliens Act 2000 that would extend the collection and registration of biometric data of foreign nationals by five years (source documents in Dutch). The current law allows biometric data to be collected from foreign nationals to combat identity and document fraud and is set to expire in 2021 unless extended. The Dutch DPA finds that the privacy of foreign nationals is insufficiently safeguarded because processing of their biometric data is not limited to certain categories of foreign nationals, may be processed without a basis, and may be stored for unnecessarily long periods of time, among other concerns.
Dutch DPA Issues Multiyear Budget 2021-2025
On November 19, 2020, the Dutch DPA issued its Multiyear Budget 2021-2025 (source document and full report in Dutch). To carry out its tasks properly, the Dutch DPA urged an increase in workforce from 184 to 470 full-time employees and an increase in budget to more than €66 million by 2025. The Dutch DPA specifically flagged developments in the fields of facial recognition, IoT, artificial intelligence, smartphone technology, tracking software, and trading in data as requiring adequate supervision.
Dutch DPA Investigates Companies Measuring Employees' Temperatures
On November 26, 2020, the Dutch DPA announced that, following an investigation, two large companies violated the GDPR by measuring and processing employees' temperatures before they entered the office during the COVID-19 outbreak (source document in Dutch). The Dutch DPA found that none of the exceptions for processing sensitive data applied in these cases. No fine was imposed on either company, but the Dutch DPA urged the companies to improve their compliance and will check the companies again later.
Association Takes the Dutch DPA to Court for Slow Handling of Complaint
On November 30, 2020, the Dutch Consumers' Association announced that it intends to take the Dutch DPA to court to force the DPA to make a decision on the complaint that the association filed against a technology company in 2018 (source document in Dutch). According to the association, the Dutch DPA has failed to substantively respond to repeated requests for information while the Irish DPA takes the lead.
SDPA Publishes Tool to Help Controllers Decide Whether to Communicate Security Breaches
On October 22, 2020, the Spanish Data Protection Agency ("SDPA") published "Comunica-Brecha RGPD," a tool to help data controllers decide whether to communicate a security breach to affected data subjects (source document in Spanish). This new tool aims to promote transparency and proactive responsibility from data controllers and allows data subjects affected by a security breach to know when their rights and freedoms may be at risk. The tool is free and uses a short form to determine if there is a risk associated with a security breach.
SDPA Approves First Code of Conduct Under GDPR
On November 3, 2020, the SDPA approved the Code of Conduct for Data Processing in Advertising Activity, which was presented by the Association for the Self-Regulation of Commercial Communication, whose main purpose is the establishment of an agile, effective, and free out-of-court system to process claims about data protection and advertising (source document in Spanish).
ICO Issues Updated Guidance on Access Requests
On October 21, 2020, the Information Commissioner's Office ("ICO") issued updated guidance on data subject access requests. This update clarified that the time frame to respond to an access request pauses in circumstances where the controller asks for information to clarify a request, provide guidance on what is a "manifestly excessive" request, and explain what can be included in a charge for excessive, unfounded, or repeat requests.
ICO Fines Hotel Chain for Data Breach
On October 30, 2020, the ICO issued a fine of £18.4 million against a hotel chain for a data breach involving 339 million guest records. The incident concerned an attack in 2014 against a company acquired by the hotel chain in 2016, but the hotel chain did not detect the breach until 2018. The breach affected the records of 7 million people in the United Kingdom, compromising unencrypted passport numbers and email addresses. The ICO found that the company failed to put in place appropriate technical or organizational measures to protect personal data.
UK Introduces Draft Telecommunications Security Bill
On November 24, 2020, the UK Telecommunications (Security) Bill was introduced in the House of Commons. If enacted, the bill would provide a new security framework for telecommunications-related supply chains and ban certain high-risk vendors.
The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Lucie Fournier, Martin Lotz, Hatziri Minaudier, Selma Olthof, Irene Robledo, and Christopher Schmidt.
PCPD Issues Three Guidance Notes on Work-From-Home Arrangements
On November 30, 2020, the Hong Kong Office of the Privacy Commissioner for Personal Data ("PCPD") issued three guidance notes related to work-from-home arrangements: "Guidance for Organisations," "Guidance for Employees," and "Guidance on the Use of Video Conferencing Software." These are part of the series "Protecting Personal Data under Work-from-Home Arrangements," intended to provide practical advice to organizations, employees, and users of video conferencing software on enhancing data security and protecting personal data.
People's Republic of China
China Publishes Draft Personal Information Protection Law
On October 21, 2020, the draft Personal Information Protection Law was published after deliberation at the 22nd session of the Standing Committee of the 13th National People's Congress. The draft law strengthens the protection of personal information in China by restating the current legal requirements for transferring data to overseas recipients. The draft law also sets forth stricter data localization requirements.
MIIT Requires Mobile Applications to Rectify Issues
On October 22, 2020, the Ministry of Industry and Information Technology ("MIIT") announced that it had completed the technical inspection of 320,000 mobile applications, instructed more than 1,100 operators to rectify issues with their applications, publicly reported 246 applications that had not rectified issues within the prescribed time frame, and taken down 34 applications that refused to rectify related issues from application stores (source document in Chinese). On November 13, 2020, the Rectification Workforce on Collection and Use of Personal Information by Applications in Violation of Laws and Regulations published a list of 35 applications identified as having issues with the collection and use of personal information and ordered operators to rectify these issues within 30 days from the date of notice (source document in Chinese).
MIIT Announces Plans to Protect Personal Information on Mobile Applications
On October 27, 2020, MIIT announced that it had engaged a third-party testing agency to inspect the fifth batch of mobile applications that MIIT found in violation of the law this year and urged application operators to rectify personal information protection issues before November 2, 2020 (source document in Chinese). On November 9, 2020, MIIT requested to take down 60 applications that had not completed rectification (source document in Chinese).
Guide for Classifying Cybersecurity Protection Levels Goes Into Effect
On November 1, 2020, the Information Security Technology―Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020) went into effect (source document in Chinese). The guide requires network operators to classify their systems and technology into five levels depending on their importance to national security, economic construction, and social life and their potential adverse impact on national security, social order, public interest, and the legitimate rights of citizens in the event of a breach. Network operators that are preliminarily classified as Level 2 or above must receive adjudication from an information security expert and business expert who must provide an expert opinion that the relevant public security bureau will review for approval.
China Launches Pilot Program to Implement Security Specification
On November 18, 2020, the National Information Security Standardization Technical Committee held a pilot program meeting in Beijing for the national standard "Information Security Technology and Personal Information Security Specification" (source document in Chinese). The pilot program selected targets of various forms, including applications, software development toolkits, cloud computing, mini programs, and wearable devices, with the aim of verifying the operability and applicability of the national standard in order to develop a mode of standard implementation.
China Publishes Draft Scope of Personal Information Necessary for Mobile Applications
On December 1, 2020, the Cyberspace Administration of China published the draft Scope of Necessary Personal Information Collected by General Mobile Internet Applications for public comments (source document in Chinese). The public comment period ended on December 16, 2020. The document specifies the scope of personal information necessary for 38 common types of applications. Necessary personal information refers to personal information that is necessary to ensure the normal operation of an application's basic functions.
PIPC Publishes Draft Amendment to PIPA
On December 25, 2020, Japan's Personal Information Protection Commission ("PIPC") published a draft amendment to the Cabinet Order to Enforce Personal Information Protection Act and a draft Enforcement Regulation Concerning Personal Information Protection Act ("PIPA") (original documents in Japanese). These draft amendments of cabinet order and enforcement regulation provide detailed guidance regarding the recent key amended points of the PIPA, including when and how data breach reports should be made and the additional information that needs to be provided to obtain a data subject's consent for cross-border transfer. Public comments to the draft cabinet order and regulation must be submitted by January 25, 2021.
Parliament Passes PDPA Amendments
On November 2, 2020, the Singapore Parliament passed the Personal Data Protection (Amendment) Bill ("Bill"). The amendments in the Bill to the Personal Data Protection Act ("PDPA") and related amendments to the Spam Control Act are expected to be published and come into effect in early 2021. Key amendments include: (i) expanding the concept of "deemed consent" and new consent exceptions; (ii) expanding data portability obligations; (iii) introducing mandatory data breach notification; and (iv) enhancing the enforcement regime. On November 20, 2020, the PDPC issued draft advisory guidelines on the key provisions in the Bill.
The following Jones Day lawyers contributed to this section: Elizabeth Cole, Michiru Takahashi, and Sharon Yiu.
Australian Federal Government Announces Review of Privacy Act
On October 30, 2020, the federal government announced its review of the Privacy Act 1988(Cth) ("Privacy Act") and published an issues paper related to that review. The government's review follows the Digital Platforms Inquiry conducted by the Australian Competition and Consumer Commission in 2019, which recommended amendments to the Privacy Act. The terms of reference for the Privacy Act review include considering whether individuals should have direct rights of action under the Privacy Act, whether a statutory tort of "serious invasion of privacy" should be introduced, and whether an independent certification scheme to ensure compliance with the Privacy Act should be introduced. Although the period for submissions on the government's issues paper is now closed, there will be a further opportunity for interested parties to provide feedback on an upcoming decision paper scheduled for release in 2021.
Australia Introduces Draft of Critical Infrastructure Bill
On November 9, 2020, the Australian legislature introduced a draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020. The bill would build on the existing regulatory framework—in particular, the Security of Critical Infrastructure Act 2018—by introducing a sector-specific "positive security obligation" that implements a risk management program, creating additional cybersecurity obligations for critical infrastructure entities, and providing for government assistance in the event of a significant cyber attack.
OAIC Issues Determination Against Travel Agency
On November 25, 2020, the Office of the Australian Information Commissioner ("OAIC") issued a determination that a travel agency had interfered with the privacy of approximately 6,918 individuals by disclosing customer data to third-party attendees of a "design jam" event conducted in 2017. This data contained some personal information, including credit card details and passport numbers. In response, Flight Centre implemented a number of remedial steps following the incident.
The following Jones Day lawyers contributed to this section: Adam Salter and Drew Broadfoot.
Recent and Upcoming Speaking Engagements
On Board with AI: Corporate Governance and AI Management, ABA Artificial Intelligence and Robotics Virtual National Institute 2020 (October 2020). Jones Day Speaker: Jay Johnson
Cyber Incident and Data Breach Response—Legal Considerations, Dutch & Japanese Trade Federation (Dujat) (October 2020). Jones Day Speakers: Michiru Takahashi, Undine von Diemar
Threat, Vulnerability, & Third-Party Risk Management, CISO Executive Network, Houston, Texas (October 2020). Jones Day Speaker: Jay Johnson
Attainable Analytics for Legal Compliance, 2020 Dallas Regional Compliance & Ethics Conference, Dallas, Texas (October 2020). Jones Day Speaker: Jay Johnson
University of Texas School of Law's Journal of Law and Technology webinar "JOLTT Women in Technology Law Panel" (October 2020). Jones Day Speaker: Mary Alexander Myers
Managing Cyber Risks During the COVID-19 Crisis (December 2020). Jones Day Speakers: Various Presenters
Data Protection World Forum: Know Your Requirements: Managing Data Retention Strategies Under CPRA (December 2020). Jones Day Speaker: Jennifer Everett
Two Idiots – The Breach Response Gone Wrong, Texas General Counsel Forum, Virtual (December 2020). Jones Day Speaker: Jay Johnson
Cybersecurity for Financial Institutions: Governance and Regulatory Perspectives," Three-Part Seminar (December 2020 – January 2021). Jones Day Speakers: Philippe Goutay, Olivier Haas
Recent and Upcoming Publications
Spain Issues New Royal Decree Governing Remote Work Arrangements (October 2020). Jones Day Authors: Vidal Galindo, Mercedes Fernández, Miguel Bermúdez de Castro
FinCEN Issues Guidance on Ransomware Attacks (October 2020). Jones Day Authors: Various
California Attorney General Proposes Third Set of Modifications to CCPA Regulations (October 2020). Jones Day Authors: Various
DOD Implements New Cybersecurity Requirements with Interim Rule (October 2020). Jones Day Authors: Various
Vital Signs: Digital Health Law Update | Fall 2020 (October 2020). Jones Day Authors: Various
OFAC Guidance on Ransomware Payments Highlights Sanctions Violations Risk (October 2020). Jones Day Authors: Various
Ensuring International Data Flows after Schrems II (October 2020). Jones Day Authors: Various
End of the EU's Data Retention Saga? CJEU Clarifies Conditions for State Surveillance Regimes (October 2020). Jones Day Authors: Various
COVID-19 Key EU Developments, Policy & Regulatory Update No. 24 (October 2020). Jones Day Authors: Various
COVID-19 Key EU Developments, Policy & Regulatory Update No. 25 (October 2020). Jones Day Authors: Various
California Voters Adopt the California Privacy Rights Act (November 2020). Jones Day Authors: Various
USPTO Reports Highlight Importance of AI to U.S. Invention and Innovation (November 2020). Jones Day Authors: Matthew Johnson, Carl Kukkonen, Emily Tait
COVID-19 Key EU Developments, Policy & Regulatory Update No. 26 (November 2020). Jones Day Authors: Various
COVID-19 Key EU Developments, Policy & Regulatory Update No. 27 (November 2020). Jones Day Authors: Various
Accountability for Cybersecurity in Australia—A Major Regulatory and Litigation Risk (December 2020). Jones Day Authors: Various
Strong Customer Authentication in the United States: When, Not If (December 2020). Jones Day Authors: Various
Consumer Collective Action Approved by the European Union (December 2020). Jones Day Authors: Various
California Attorney General Proposes Fourth Set of Modifications to CCPA Regulations (December 2020). Jones Day Authors: Various
No-Deal Brexit—Preventing Disruption to Data Transfers (December 2020). Jones Day Authors: Various
Internet of Things Cybersecurity Improvement Act Enacted (December 2020). Jones Day Authors: Various
2020 Cross-Border Corporate Criminal Liability Survey (December 2020). Jones Day Authors: Various
COVID-19 Key EU Developments, Policy & Regulatory Update No. 28 (December 2020). Jones Day Authors: Various
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.