Jones Day Global Privacy & Cybersecurity Update Vol. 28
Jones Day Cybersecurity, Privacy & Data Protection Lawyer Spotlight: Mary Alexander Myers
As companies increasingly focus on data as a critical asset, and data becomes a driver of technology-focused transactions, companies must balance compliance obligations with the desire to commercialize and use data. Mary Alexander Myers guides clients through all aspects of data-related transactions, helping them navigate the increasingly complex legal, regulatory, and contractual requirements emerging in this area. She has an innovative transactional practice, in which she provides strategic advice concerning data-related issues at the intersection of privacy, cybersecurity, intellectual property, and licensing. She advises clients on a range of strategic technology transactions and cybersecurity and data privacy matters, with particular focus on protecting key intellectual property and data assets. She has extensive experience counseling clients on data privacy compliance, outsourcing and technology transactions, intellectual property licensing arrangements, and other related matters. Her practice includes representing buyers and sellers in domestic and cross-border corporate transactions, including mergers and acquisitions and financing arrangements. Mary Alexander has advised clients in a wide variety of industries, including financial services, healthcare, and technology, and works with public companies as well as growing technology-driven businesses and start-ups.
Mary Alexander is located in the Firm's Atlanta Office. She serves on the executive committee for the Privacy and Technology Section of the State Bar of Georgia, where she coordinates programming and outreach. She frequently speaks on issues related to technology, privacy, and security.
Regulatory—Policy, Best Practices, and Standards
President Biden Issues Cybersecurity Executive Order
On May 12, 2021, President Biden issued an executive order that placed new standards on the cybersecurity of software sold to the federal government. The order requires software purchased by the federal government to meet a series of new cybersecurity standards, calls for development of contractual language that allows service providers to share information regarding potential incidents to federal agencies, and proposes to standardize the federal government's response to critical vulnerabilities and incidents. The new order also establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, to analyze what happened following a cybersecurity incident and to make recommendations for improving cybersecurity.
White House Issues Best Practices for Ransomware Threats for Private Businesses
On June 2, 2021, the White House published an open letter to corporate executives and business leaders with the U.S. government's recommended best practices to mitigate and prevent ransomware threats and attacks. The letter urged private businesses to implement the five best practices from the president's executive order, back up data, regularly test the backups and keep the backups offline, update and patch systems promptly, test the incident response plan, implement third-party penetration tests of system security, and segment internal networks.
Regulatory—Consumer and Retail
FTC Settles With Photo App Developer Over Claims of Misusing Facial Recognition Technology
On May 7, 2021, a photo app developer finalized a settlement with the Federal Trade Commission ("FTC") over claims that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The FTC alleged that the developer misled users of its mobile app that it would not apply facial recognition technology to users' content unless they affirmatively chose to activate the feature, even though the facial recognition feature was activated for all users except those in three U.S. states and the European Union. The FTC also alleged that the developer falsely represented that it would delete the photos and videos of users who deactivated their accounts, even though it retained their photos and videos indefinitely.As part of the settlement, the developer is required to obtain consumers' express consent before using facial recognition technology and delete the photos and videos of users who deactivated their accounts, as well as the models and algorithms it had developed by using those consumers' photos and videos.
FTC Releases Annual Report
On May 24, 2021, the FTC released its 2020 Privacy and Data Security Update, an annual report on the agency's most significant enforcement actions, policy and advocacy initiatives, and education and outreach programs in the past year.
NYDFS Issues Report on SolarWinds Hack
In April 2021, the New York Department of Financial Services ("NYDFS") issued the "Report on the SolarWinds Cyber Espionage Attack and Institutions' Response." While the report found that, thus far, no company regulated by the NYDFS had reported that the SolarWinds hackers actively exploited their network and that financial services companies were generally not actively targeted for exploitation, it also warned that the "next great financial crisis could come from a cyber attack." The agency made several recommendations, including implementing multiple layers of security and an incident response plan.
NYDFS Issues New Guidance on Ransomware Prevention
On June 30, 2021, the NYDFS issued new guidance to regulated entities on preventing ransomware attacks. The guidance stated that regulated companies should implement the following controls whenever possible: (i) email filtering and anti-phishing training; (ii) vulnerability and patch management with regular testing and updates; (iii) multifactor authentication; (iv) disabled remote desktop access; (v) strong, unique passwords; (vi) privileged access management; (vii) system monitoring and an Endpoint Detection and Response solution. For more information, please see our Jones Day Alert.
DOE Announces RFI Focused on Protecting U.S. Supply Chain
On April 20, 2021, the Office of Electricity at the Department of Energy ("DOE") notified the public of a Request for Information ("RFI") on "ensuring the continued security of the United States critical electric infrastructure," focused on "[p]reventing exploitation and attacks by foreign threats to the U.S. supply chain." The DOE plans to use the requested recommendations to develop a long-term strategy to ensure stakeholders' procurement practices evolve to match the changing threat landscape, which currently includes exploitable vulnerabilities in foreign-sourced electric systems equipment. The RFI is part of the DOE's cybersecurity "100-day sprint" initiative aimed at enhancing the security of priority electric infrastructure control systems.
Pipeline Suffers Ransomware Attack
On May 7, 2021, an oil pipeline company reported that it suffered a ransomware attack. As a precaution to prevent the ransomware from migrating, the company chose to shut down its pipeline and did not return it to full service for several days. In response to the attack, the White House announced an initiative to enhance collaboration on cybersecurity resilience between the government and its private sector partners, while noting that the attack "put the spotlight on the fact that our nation's critical infrastructure is largely owned and operated by private-sector companies."
Medical Collection Agency Reaches Agreement With 41 States Following 2019 Data Breach
On March 11, 2021, a medical collection agency reached an agreement with 41 state attorneys general following a 2019 data breach that exposed the personal information of 21 million individuals. The agency agreed to implement and maintain a number of data security practices to strengthen consumer protections. The agency would be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement.
Clinical Laboratory Settles HIPAA Violations
On May 25, 2021, a clinical laboratory reached a $25,000 settlement with the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS") for alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA") Security Rule. The company provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. After conducting an investigation, the OCR found systemic noncompliance with HIPAA, including the failure to conduct an enterprise-wide risk analysis and implement risk management and audit controls. The OCR reiterated that "[c]linical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule."
Regulatory—Defense and National Security
DHS Announces Cybersecurity Requirements for Critical Pipeline Owners
On May 27, 2021, the Department of Homeland Security ("DHS") announced new cybersecurity requirements for owners and operators of critical pipelines. Owners and operators must report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and designate a cybersecurity coordinator who will be available 24/7. They also must review their current cybersecurity practices to identify gaps and remediation measures and must report the results within 30 days.
President Biden Issues Executive Order to Protect Sensitive Data
On June 9, 2021, President Biden issued an executive order to further address the ongoing national emergency with respect to the threats posed to the United States' information and communications technology and services ("ICTS") supply chain. The executive order directs the use of a criteria-based decision framework and evidence-based analysis to address threats posed by ICTS transactions involving software applications subject to a foreign adversary jurisdiction. The executive order also directs the Department of Commerce to make recommendations to protect sensitive personal data and transactions involving software applications relating to a foreign adversary.
NSA Funds Development and Release of D3FEND
On June 22, 2021, the National Security Agency ("NSA") announced the release of the NSA-funded MITRE D3FEND, "a framework for cybersecurity professionals to tailor defenses against specific cyber threats." D3FEND establishes terminology of computer network defensive techniques and provides a model of ways to counter common offensive techniques. The framework is complimentary to MITRE's ATT&CK, a knowledge base of cyber advisory behavior.
DHS Taps Transportation Systems for Cybersecurity "Sprint"
On March 31, 2021, the Department of Homeland Security ("DHS") outlined six "sprints" planned by DHS to improve federal cybersecurity across a range of areas, including the nation's transportation systems. Each sprint will play out over 60 days and endeavor to "mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary."
Litigation, Judicial Rulings, and Enforcement Actions
NYDFS Imposes Penalty and Consent Order for Cybersecurity Violations
On March 3, 2021, the NYDFS announced a consent order with a mortgage bank for violations of New York's Cybersecurity Regulation. In March 2020, the NYDFS conducted a routine compliance examination of the bank and discovered that the bank had failed to adequately investigate or report a March 2019 cybersecurity incident as required under state data breach notification laws and the NYDFS Cybersecurity Regulation. As part of the settlement, the bank agreed to pay $1.5 million in penalties and to comply with all provisions of the Cybersecurity Regulation. For more information, please see our Jones Day Alert.
District Court Finds CCPA Does Not Apply Retroactively
On March 5, 2021, the District Court for the Northern District of California found that the California Consumer Privacy Act ("CCPA") does not apply retroactively if an alleged data breach occurred before January 1, 2020. The plaintiff filed a class action suit alleging that a retailer failed to disclose a data breach. The plaintiff did not allege a date of the breach, only that his personal information "is currently available on the dark web." The court found that "absent allegation establishing that [the company's] alleged violation of the CCPA occurred after it went into effect, Plaintiff's CCPA claim is not viable." The district court granted the company's motion to dismiss, but allowed the plaintiff to file an amended complaint.
Supreme Court Clarifies TCPA Definition of "Autodialer"
On April 1, 2021, the Supreme Court resolved a key question under the Telephone Consumer Protection Act ("TCPA")—whether equipment that dials from a list of numbers qualifies as an "automatic telephone dialing system" ("ATDS") subject to the TCPA's statutory penalties. The Supreme Court held that equipment dialing from a list of numbers does not qualify as an ATDS. Instead, equipment must "use a random or sequential number generator" to qualify as an ATDS. For more information, please see our Jones Day Alert.
Supreme Court Curbs FTC's Ability to Pursue Monetary Relief
On April 22, 2021, the Supreme Court held that Section 13(b) of the FTC Act does not authorize the FTC to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. While the district court and Ninth Circuit both allowed for equitable monetary relief under Section 13(b), the Supreme Court reversed, finding that the plain language of Section 13(b) authorizes only injunctive relief, and not retrospective monetary remedies as the FTC had previously and consistently relied upon. Now the FTC can seek monetary remedies only in "conditioned and limited" circumstances.
Second Circuit Provides Clarity on Data Breach Standing Threshold
On April 26, 2021, the Second Circuit clarified that the risk of identity theft after a data breach may be grounds to sue. In that case, a health services provider inadvertently disclosed personally identifiable information (e.g., social security numbers and dates of birth) of current and former employees. While the Second Circuit found that mere risk of identity theft following a data breach may allow for standing, the court held that the facts at issue here failed to show "a substantial risk of future identity theft or fraud sufficient to establish Article III standing."
Pennsylvania AG Investigates Breach of Contact Tracing Data
On April 29, 2021, an IT services company announced that some of the personal information that it had collected for COVID-19 contact tracing services in Pennsylvania had been accessed by an unauthorized party. The Attorney General of Pennsylvania remarked, "[M]y office has opened investigations into this data breach on multiple fronts," but declined to offer further comment on the investigation.
Massachusetts AG Probes Data Collection Practices of Pharmacies Offering COVID-19 Vaccines
On May 3, 2021, the Massachusetts Attorney General's Office sent a letter to major pharmacy chains, requesting that they explain their personal data collection practices for patients receiving the COVID-19 vaccine. The letter asked the pharmacies how they disclosed data collection practices, obtained consent to collect personal data, and used the personal information of those same consumers, and whether the pharmacies collected information or required the creation of accounts from consumers who sought or received the vaccine at their stores.
Retailer to Settle BIPA Class Action for $10 Million
On June 16, 2021, an Illinois court approved a settlement whereby a retailer will pay $10 million to resolve claims that it violated the Illinois Biometric Information Privacy Act ("BIPA"). The class alleging BIPA violations consisted of current and former employees who claimed that they were required to use a palm scanner system to access the cash register without first providing written consent. The company had tried to dismiss the case in 2019, arguing that plaintiffs' claims were time-barred and merely showed procedural violations of state law.
Supreme Court Narrows Article III Standing for Class Actions
On June 25, 2021, the Supreme Court decided TransUnion LLC v. Ramirez, vacating a class action judgment and holding that a plaintiff lacks Article III standing to seek damages for a private defendant's statutory violations unless the plaintiff can show an actual real-world injury. Whereas the Ninth Circuit had held that all 8,185 class members had standing on their statutory claims, the Supreme Court limited standing to only the 1,853 class members whose consumer reports had been disseminated to third-party businesses. For more information, please see our Jones Day Commentary.
Members of Congress Reintroduce Bills to Protect Energy Infrastructure
In late April and early May 2021, House lawmakers reintroduced multiple bipartisan bills, first introduced in the 116th Congress, aimed at avoiding future cyberattacks on critical energy infrastructure. The current version of the Pipeline and LNG Facility Cybersecurity Preparedness Act would require the DOE to "carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities," while this year's version of the Enhancing Grid Security through Public-Private Partnerships Act would require the DOE to implement a program that facilitates and encourages public-private partnerships to address cybersecurity vulnerabilities of the electric grid. The latest iteration of the Cyber Sense Act, which passed the House in 2020, would require the DOE to establish a program to test the cybersecurity of "products and technologies intended for use in the bulk-power system."
Virginia Passes Omnibus Consumer Privacy Law
On March 2, 2021, Virginia signed into law the Virginia Consumer Data Protection Act ("VCDPA"). The act, which goes into effect on January 1, 2023, applies to companies doing business in Virginia or marketing to Virginians that meet one of two specified thresholds. Unlike the CCPA, the VCDPA contains no private right of action, applies to fewer covered businesses, and has a narrower definition of the "sale" of data. The VCDPA also eschews the language of the CCPA in favor of the European Union's data protection terminology (e.g., adopting terms such as "controller" and "processor").
Oklahoma Adds Ransomware Language to Computer Crimes Act
On May 28, 2021, the Oklahoma Legislature amended the Oklahoma Computer Crimes Act to add "malicious computer program" as a defined term that includes "viruses, Trojan horses, spyware, worms, rootkits, backdoors, [and] ransomware." Additionally, it is now unlawful to use malicious computer programs to disclose or take possession of a computer, computer network or system, data, or any other property. The amendment becomes effective on November 1, 2021.
Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity "Safe Harbor"
On June 16 and July 6, 2021, the Connecticut governor signed two new cybersecurity laws. "An Act Concerning Data Privacy Breaches" amends Connecticut's existing data breach notification law to shorten the time to notify Connecticut residents of a data breach to 60 days after discovery, and expands the definition of personal information to include IRS identification numbers, certain medical information, biometric information, and online account information, among other changes. "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses" establishes a safe harbor against tort claims for companies that have implemented a written cybersecurity program that complies with an industry-recognized framework, such as the National Institute of Standards and Technology. For more information, please see our Jones Day Alert.
Colorado Becomes Third State to Enact Comprehensive Data Privacy Law
On July 7, 2021, the Colorado governor signed the Colorado Privacy Act ("Act") into law, making Colorado the third state, after California and Virginia, to enact a comprehensive data privacy law. The Act comes on the heels of the March 2021 passage of the VCDPA and appears to borrow many data protection principles from both the VCDPA and the European Union's General Data Protection Regulation. The Act takes effect on July 1, 2023. For more information, please see our Jones Day Commentary.
The following Jones Day lawyers contributed to this section: Jennifer C. Everett, Kerianne Tobitsch, Keeton Christian, Rebecca Iafrati, Ruby Lang, Bailey Loverin, Sara Lynch, Megan McKnelly, Dan Ongaro, Christina O'Tousa, Michael Phillips, Ayesha Rasheed, Molly Russell, and Jenny Whalen-Ball. Summer associate Lindsy Maglich also contributed to this section.
AAIP Issues Guidelines on Personal Data Processing During COVID-19 Pandemic
On April 20, 2021, Argentina's Public Information Access Agency (Agencia de Acceso a la Información Pública—"AAIP") issued three guidelines to reinforce the proper processing of personal data, body temperature data, and geolocation data during the COVID-19 pandemic (source document in Spanish).
ANPD and SENACON Sign Cooperation Agreement
On March 22, 2021, the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de dados—"ANPD") and the Consumer Protection Agency (Secretária da Secretaria Nacional do Consumidor—"SENACON") released a press statement regarding their recent cooperation agreement, which aims to protect consumers' data and accelerate security incident investigations (source document in Portuguese).
ANPD Issues Recommendations for Social Media Privacy Policies
On May 7, 2021, the ANPD issued recommendations to social media companies regarding their privacy policies (source document in Portuguese). The recommendations suggested postponement of the new privacy policies until the Brazilian privacy recommendations are adopted, and maintenance of the current usage model and accounts.
ANPD Issues Guideline for Definition of Processing Agents and Data Protection Officers
On May 28, 2021, the ANPD issued a Guideline for the Definition of Processing Agents and Data Protection Officers (source document in Spanish). This guideline defines and provides examples of personal data agents, such as the data controller, data processor, and data protection officer. Furthermore, it differentiates between joint and separate controllerships. A joint controller refers to more than one data controller making common decisions regarding data processing, while under a separate controllership decisions are made by a single data controller.
CPLT Offers Free Online Data Protection Courses
On April 2, 2021, the Council for Transparency (Consejo para la transparencia—"CPLT") released a press statement promoting its new educational platform, which includes personal data protection-focused online trainings and educational resources (source document in Spanish).
SIC Releases Annual Survey on Data Processing Security Measures
On March 11, 2021, the Superintendence of Industry and Commerce ("SIC") issued a press release on the second annual study of security measures carried out by the 33,596 entities that registered their databases in the National Database Registry for collection, storage, or processing of personal data (source document in Spanish). The study showed that many organizations did not have efficient mechanisms to protect their users' data from security incidents.
SIC Issues Recommendations on Use of Physical or Electronic Biometric Data Readers
On March 16, 2021, the SIC issued recommendations urging companies to refrain from using fingerprint or biometric readers to collect personal data, due to the COVID-19 transmission risk posed by these devices (source document in Spanish). Furthermore, the SIC stated that if an alternative biometric data collection mechanism is not possible, a permanent cleaning and disinfection process must be implemented.
Ecuadorian Legislators Approve Data Protection Law
On May 10, 2021, Ecuadorian legislators approved the Organic Law on Data Protection, which aims to guarantee personal data protection rights, digital rights, and adequate data processing (source document in Spanish). The national data authority will be the Superintendence of Personal Data Protection, which will maintain a national data protection registry. Violators of the law are subject to fines.
INAI Issues Recommendations on Personal Data Protection During COVID-19 Vaccination Process
On March 10, 2021, the National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales—"INAI") issued official communicationNo. INAI/083/21, which recommended data processing practices for the COVID-19 vaccination process (source document in Spanish).
INAI Issues Recommendations Regarding Banking Institutions and Clients' Geolocation
On March 20, 2021, the INAI issued official communication No. INAI/097/21, which recommends banking institutions take extreme precautions when tracking clients' geolocation (source document in Spanish). These recommendations arise from the newly released anti-money laundering guidelines, which require bank customers to give their consent prior to geolocation tracking. The INAI stated that geolocation tracking of customers is only permissible with prior consent.
INAI Challenges National Registry of Cellphone Users in Supreme Court
On April 27, 2021, the INAI issued a press release regarding its decision to file an action in Mexico's Supreme Court ("SCJN") alleging the amendment to the Federal Telecommunications and Broadcasting Law that created the National Register of Mobile Telephone Users ("PANAUT") is unconstitutional (source documents in Spanish). The INAI alleged that PANAUT violates personal data protection rights and principles of proportionality, security, and legal certainty because the registry uses sensitive biometric data, restricts the right to access information, and grants undue power to the Federal Telecommunications Institute. The SCJN has not yet determined whether the action will proceed.
Mexican Senator Proposes Bill to Create a 72-Hour Data Breach Notification Requirement
On April 29, 2021, a senator filed an initiative to modify the Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP") by adding a requirement that entities notify data subjects and the INAI of a data breach within 72 hours (source document in Spanish). The initiative also aims to impose an obligation on foreign controllers to appoint a local representative to comply with their obligations under the LFPDPPP. The initiative was sent from the Senate to the respective commission, and awaits further approval.
Panamanian Data Protection Law Enters in Force
On March 29, 2021, Panama's data protection law (Ley 81 del 26 de marzo del 2019) took effect (source document in Spanish). The law creates principles, obligations, and procedures for lawful data processing; requires data controllers to obtain the data subject's consent prior to any data processing; and imposes sanctions on those who fail to comply, including fines ranging from USD $998 to $9,998 and database record closure.
Peru Introduces New Data Protection Authority
On June 9, 2021, Peru's Council of Ministers (Consejo de Ministros) approved the Project of Law No. 337-2021, which allows the creation of the National Authority for Transparency, Access to Public Information, and Protection of Personal Data (Autoridad Nacional de Transparencia, Acceso a la Información Pública y Protección de Datos Personales) (source in Spanish). Under current law, the National Authority for Personal Data (Autoridad Nacional de Protección de Datos Personales) is the data protection authority for Peru, but now it will be merged with the new authority to create a new hybrid authority that will have its own legal status, greater autonomy, and resources.
Agency Issues Recommendations on Use of Vaccination Center Images
On March 15, 2021, the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) issued a series of recommendations regarding the collection and dissemination of images of individuals in COVID-19 vaccination centers. These images are classified as personal data requiring the express and written consent of the data subject (source document in Spanish).
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Juan Carlos Quinzaños, and Victoria Villagomez.
Commission Proposes New Rules to Regulate AI
On April 31, 2021, the European Commission ("Commission") unveiled a proposal for a "Regulation laying down harmonized rules on artificial intelligence" ("AI Regulation"), which sets out how AI systems and their outputs can be introduced to and used in the European Union ("EU"). If adopted by the EU Parliament and Council (which could take two to three years), the AI Regulation would apply alongside the EU General Data Protection Regulation ("GDPR") to ensure the protection of individuals' personal data. For more information, please see our Jones Day Alert.
Commission Adopted New Standard Contractual Clauses
On June 4, 2021, the Commission adopted new Standard Contractual Clauses ("SCCs") for the transfer of data to third countries that do not meet GDPR requirements for an adequate level of data protection. SCCs are model data transfer terms that are implemented between entities in the European Economic Area ("EEA") exporting personal data to importing entities in third countries. On the same day, the Commission adopted another decision on a set of standard contractual clauses under Article 28 GDPR for use between controllers and processors established in the EEA. These standard contractual clauses concern the provisions necessary for a data processing agreement pursuant to Article 28 of the GDPR and should not be confused with the SCCs, which are safeguards for the transfer of personal data to third countries.
Commission Adopted Two Adequacy Decisions for the United Kingdom
On June 28, 2021, the Commission adopted two adequacy decisions for the United Kingdom ("UK"), one under the GDPR and the other for the Law Enforcement Directive. The adequacy decisions allow for the free flow of personal data from the EU to the UK, where UK law provides an essentially equivalent level of data protection to that guaranteed under EU law. For the first time, both decisions include a "sunset clause," which limits the duration of adequacy to four years and allows the Commission to monitor the legal situation in the UK. As long and as far as the adequacy decisions apply, EU data exporters are not required to implement appropriate safeguards under Article 46 of the GDPR (such as SCCs) for data transfers to the UK.
Council Adopts Conclusions on EU's Cybersecurity Strategy
On March 22, 2021, the EU Council ("Council") adopted conclusions on the EU's cybersecurity strategy ("Strategy"). The Strategy outlines the framework for EU action to protect EU citizens and businesses from cyber threats, promote secure information systems, and protect a global, open, free, and secure cyberspace. In its conclusions, the Council highlighted a number of areas for action in the coming years (e.g., creating a network of security operation centers in the EU and applying the EU 5G toolbox measures).
Court of Justice of the European Union
ECJ Rules on Conditions for Access to Retained Traffic and Location Data
On March 2, 2021, the European Court of Justice ("ECJ") in H.K. v. Prokuratuur Case C-746/18 clarifiedthe conditions under which public authorities may access traffic or location data to combat serious crime or prevent serious threats to public security. In particular, the ECJ held that access may be granted "regardless of the length of the period in respect of which access to those data is sought and [regardless of] the quantity or nature of the data available in respect of such a period."
European Data Protection Board
EDPB and EDPS Adopt Joint Opinion on Data Governance Act
In March 2021, the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") adopted a joint opinion on the proposal for a Data Governance Act ("DGA"). The DGA would promote the availability of public sector data and data sharing in the internal market. The opinion invited legislators to ensure that the DGA would be in line with EU data protection legislation.
EDPB Issues Opinions on Draft UK Adequacy Decision
On April 13, 2021, the EDPB issued two opinions (Opinion 14/2021 and Opinion 15/2021) regarding the Commission's draft implementing decision on the adequate protection of personal data in the UK. The EDPB concluded that the core provisions of the UK and EU data protection laws are aligned, but recommended that the Commission analyze the mechanism used to inform relevant EU Member States of further processing or disclosure by UK authorities to which personal data has been transferred. In addition, the EDPB advised the Commission to fulfill its monitoring role and to amend the adequacy decision to introduce specific safeguards for data transferred from the EU or to suspend the decision in case the equivalent level of protection of personal data is not maintained by the UK.
Belgian DPA Develops Practical Tools for Companies
In March 2021, the Belgian Data Protection Authority ("DPA") developed practical tools for data controllers, data processors, and data protection officers (source document in Dutch). The tools consist of simplified templates for data registers, a roadmap on exchanges of personal data by federal government agencies, and some tools for subject-matter experts (e.g., FAQs on data protection and template letters for data subjects to exercise their rights).
Belgian DPA Calls on Citizens to Take Action Against Social Media Company
In April 2021, the DPA contacted the Irish DPA regarding a social media company's data breach that affected at least three million Belgian accounts. The Belgian DPA advised affected Belgian citizens to be vigilant and, if necessary, to file a complaint with the Belgian DPA, even though the company's headquarters are in Ireland (source document in Dutch).
CNIL Warns Stakeholders of Approaching Deadline for Cookie Compliance
On April 2, 2021, the French Data Protection Authority ("CNIL") published a notice to inform stakeholders on the expiration of the deadline to comply with regulations applicable to cookies, which expired on March 31, 2021 (source document in French). The CNIL warned that it will begin carrying out assessments of website and app compliance with cookie regulations.
CNIL Publishes Provisional Recommendations for Remote Quality Control of Clinical Trials During the Health Crisis
On April 22, 2021, the CNIL released provisional recommendations for the remote quality control of clinical trials during the pandemic (source document in French). Among other things, the CNIL's recommendations provided guidance on security measures necessary to ensure the protection of health data as stakeholders were forced to conduct remote quality controls due to the pandemic.
CNIL Releases Opinion on the French "Health Pass" Bill
On May 12, 2021, the CNIL issued an opinion on the contemplated implementation by the French government of a "health pass" to regulate access to certain establishments based on vaccination or COVID-19 testing status (source document in French). The CNIL stated that the use of a health pass must be limited to the duration of the pandemic and to events involving a large number of people. The CNIL also recommended clearly defining the purposes of processing and persons authorized to verify this sensitive data to prevent any violations of data privacy regulations.
CNIL Releases Interim Recommendations on Data Processing Activities During Clinical Trials
On June 24, 2021, the CNIL updated its interim recommendations on the remote monitoring of clinical trials data, applicable until September 30, 2021 (source document in French). Further to the authorization by the French Health Security Authority of a limited list of clinical trials allowing for remote monitoring, the CNIL issued recommendations on remote monitoring, including guidance on required French formalities and security measures.
CNIL Publishes Guidance on Data Subject Rights Exercised by Power of Attorney
On June 25, 2021, the CNIL issued its guidelines and FAQ on the use of a Power of Attorney ("PoA") to exercise data subjects' rights (source documents in French). The CNIL also published a PoA template along with guidelines.
Federal Labor Court Rules on Employee's Right to Receive Copies of Their Emails
On April 27, 2021, Germany's Federal Labor Court (Bundesarbeitsgericht) held that an employee's request that their employer provide copies of the employee's entire email correspondence and any emails that contain the employee's name was not adequately specific under German civil procedural law (source document in German). The court did not clarify the material scope of the right to receive a copy of personal data processed pursuant to Art. 15(3) GDPR.
Federal Labor Court Submits Questions to ECJ on Requirements for Dismissing DPO
On April 27, 2021, Germany's Federal Labor Court submitted questions to the ECJ for a preliminary ruling on the requirements for the dismissal of a company data protection officer ("DPO") under the GDPR (source document in German). Additionally, the court sought clarification as to whether there is a conflict of interests pursuant to Article 38(6) of the GDPR if the DPO serves as the chairperson of the controller's works council.
DPAs Publish Questionnaires for Coordinated Investigation of International Data Transfers
On June 1, 2021, a number of German Data Protection Authorities ("DPAs") published their jointly developed questionnaires for the coordinated investigation of international data transfers in the wake of the Schrems II decision issued one year ago by the ECJ (source document in German). The DPAs participating in the coordinated investigation announced their intention to reach out to companies in Germany on the basis of these questionnaires. The five questionnaires available to date focus specifically on the effectiveness of transfer safeguards related to the use of applicant portals, intragroup data transfers, tracking tools, and web and email hosting.
Italian DPA Issues Negative Opinion on Video Security System Based on Facial Recognition
On March 25, 2021, the Italian DPA issued a negative opinion on the Italian Ministry of the Interior's use and public installation of a video surveillance system based on real-time facial recognition (source document in Italian). The system would have allowed for the real-time analysis of human faces, comparison with a watch-list database, and immediate alert to the police force if a match were identified. According to the DPA, the system lacked a proper legal basis for large-scale, automated data treatment of biometric data, and the system as designed would have resulted in indiscriminate mass surveillance.
Italian DPA Issues Warning to Government on COVID-19 Vaccination Pass
On April 23, 2021, the Italian DPA issued a warning to the Italian government pursuant to Article 58 of the GDPR in relation to the introduction of a COVID-19 vaccination pass to facilitate free movement within Italy (source document in Italian). The DPA underlined major data protection concerns, such as the lack of an adequate legal basis, insufficient specification of legal purposes for the processing of data, and the need for breach minimization and transparency principles. Moreover, the government failed to consult the Italian DPA before adopting the decree, as is required by applicable law.
Dutch DPA Fines Online Travel Agency for Late Breach Reporting
On March 31, 2021, the Dutch DPA announced a fine of €475,000 for a Dutch-headquartered online travel agency for failing to report a data breach within 72 hours of becoming aware of the incident in 2019 (source document in Dutch). The data breach resulted in criminals gaining open access to personal data, including names, phone numbers, login credentials, and credit card numbers. In its statement, the Dutch DPA noted that the company was informed of the breach on January 13, 2019, but did not report the incident until February 7, 2019.
Dutch DPA Fines Municipality for Wi-Fi Tracking
In April 2021, the city of Enschede was fined €600,000 by the Dutch DPA for using Wi-Fi tracking in the city center in violation of the GDPR. The Dutch DPA pointed out that "deploying Wi-Fi tracking that makes this possible is in itself a serious breach" of the Dutch privacy law. The municipality of Enschede has lodged an objection against the decision.
Spanish DPA Imposes €8.15 Million Fine on Telecom Company for GDPR Violations
On March 11, 2021, the Spanish DPA imposed a fine of €8.15 million on a telecommunications company for GDPR violations (source document in Spanish). The €8.15 million fine is the highest fine imposed to date by the Spanish DPA for violation of the GDPR. More specifically, the DPA found that the company (i) engaged in commercial communications to potential clients without express authorization; (ii) conducted advertising despite clients' objections; (iii) failed to comply with the obligation controllers to "verify the guarantees of the data processor" during the course of the assignment; and (iv) carried out data transfers without complying with the guarantees required by the GDPR.
Spanish DPA Sanctions and Fines Consumer Reporting Agency for Misuse of Personal Data
On April 26, 2021, the Spanish DPA imposed a fine of €1 million on a consumer reporting agency for violating five articles of the GDPR (source document in Spanish). After receiving 97 complaints that the company had included personal data in the File of Judicial Claims and Public Bodies ("FIJ"), without first obtaining consent, the DPA carried out an investigation. In addition to the fine, the Spanish DPA has prohibited the company from continuing to process personal data through the FIJ and required the deletion of personal data.
ICO Welcomes EU Adequacy Decision
On June 28, 2021, the Information Commissioner's Office ("ICO") issued a statement welcoming the EU Commission's decision to grant the United Kingdom an adequacy decision. This adequacy decision allows EU companies to send personal data to the United Kingdom in accordance with the GDPR.
The following Jones Day lawyers contributed to this section: Laura Baldisserra, Carla Calcagnile, Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Lucie Fournier, Martin Lotz, Hatziri Minaudier, Selma Olthof, Irene Robledo, and Christopher Schmidt.
PCPD Issues Guidance on Use of Social Media and Instant Messaging Apps
On April 5, 2021, the Office of the Privacy Commissioner for Personal Data ("PCPD") issued its "Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps," providing the public with advice on how to mitigate privacy risks with social media. The guidance highlighted that social media users often unwittingly reveal more information than anticipated, and most materials shared online can leave a perpetual digital footprint that is difficult to remove. Information shared online can also be misused by third parties, or be used for identity theft, cyberbullying, or doxxing. The guidance further advised social media users to be extra cautious about sharing photos and information of children, and to provide adequate guidance to children on the use of social media.
Government Proposes Legislation Amendments Against Doxxing
On May 11, 2021, the Hong Kong government proposed a series of legal amendments to charge anyone up to five years of imprisonment and a fine of up to HK$1 million (approximately USD$128,000) for engaging in doxxing (i.e., maliciously revealing another person's personal information without consent) with the intent to threaten, intimidate, harass, or cause psychological harm. Local staff of overseas websites could also face two years of imprisonment and a fine of up to HK$100,000 (approximately USD$13,000) if their platforms fail to comply with content removal requests. The proposal further recommended that the PCPD be granted the investigative powers to carry out criminal investigations and prosecutions and demand takedowns of internet content.
People's Republic of China
SPP Announces 11 Typical Cases of Public Interest Litigation for Personal Information Protection
On April 22, 2021, the Supreme People's Procuratorate ("SPP") announced 11 typical cases of public interest litigation regarding the protection of personal information (source document in Chinese). The announcement revealed that if internet companies fail to fulfill personal information management and protection obligations, they will bear responsibility for public damages through public interest litigation. The 11 typical cases include both pure civil public interest litigation cases involving internet companies' illegal collection or acquisition of personal information, as well as civil public interest litigation cases incidental to criminal cases involving the illegal acquisition and transaction of personal information through other means, such as technical software and property services.
China Publishes Draft Provisions on Mobile Applications for Public Comments
On April 26, 2021, the draft Provisions on the Administration of Mobile Internet Applications Information Services was made available for public comment until May 26 (source document in Chinese). The provisions would regulate information service providers that utilize mobile apps and app store services within the territory of China. The provisions (i) defined the scope of application and the supervising authorities; (ii) clarified the principles of "informed consent" and "least necessary"; (iii) refined the principal responsibilities and obligations of app developers and operators, distribution platforms, third-party service providers, terminal manufacturers, and network access service providers; and (iv) proposed standards for complaints and reports, supervision and inspection, disposal measures, and risk warnings.
China Promulgates Provisions on the Scope of Necessary Personal Information Required for Mobile Applications
On May 1, 2021, the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Apps took effect (source document in Chinese). The provisions prohibit mobile app operators from refusing to offer basic mobile app functions to users who do not agree to provide unnecessary personal information. The provisions were implemented specifically to enforce the Chinese Cybersecurity Law provisions involving network operators' compliance with principles of lawfulness, fairness, and necessity in the collection and use of personal information, and the prohibition on the collection of personal information irrelevant to services they provide. The provisions set forth the scope of necessary personal information for 39 common types of mobile apps.
Cabinet of Japan Issues Order to Enforce PIPA Amendments
On March 24, 2021, the Cabinet of Japan issued the amendment to the Cabinet Order to Enforce the Personal Information Protection Act ("PIPA") and the amendment to Enforcement Regulation Concerning PIPA (source documents in Japanese). These amendments provide further detailed guidance regarding the key amendments to the PIPA, including when and how data breach reports should be made, and additional information that must be provided to obtain consent for cross-border transfer.
Diet Passes Bill to Amend PIPA
On May 12, 2021, the National Diet of Japan ("Diet") passed a bill amending the PIPA (source document in Japanese). This amendment, among other goals, aims to integrate different data protection laws and rules that apply to the private and public sectors, including unifying the definition of "personal information" for both sectors, and broadening the authority of the Personal Information Protection Commission to supervise and govern the sectors.
PPC Publishes Draft Guidelines for Amendment of PIPA
On May 19, 2021, the Personal Information Protection Commission ("PPC") published a draft amendment of the guidelines regarding the 2020 amendment of PIPA, which will fully take effect on April 1, 2022 (source document in Japanese). The draft amendment guidelines include, among other things, an amendment regarding the general rules, an amendment regarding cross-border transfer, an amendment regarding verification and recordkeeping at the time of transfer of data, and an amendment regarding anonymously processed information (source documents in Japanese). Public comments were due on June 18, 2021.
Thailand Delays Implementation of PDPA
On May 5, 2021, Thailand delayed businesses' obligations to comply with the new Personal Data Protection Act ("PDPA") until May 31, 2022, due to the effects of COVID-19. The PDPA was expected to come into full effect at the end of May 2021 after initially being deferred in May 2020. In the interim, data controllers must have in place personal data security maintenance measures in accordance with the standards prescribed by the Ministry of Digital Economy and Society.
The following Jones Day lawyers contributed to this section: Elizabeth Cole, Michiru Takahashi, and Sharon Yiu.
ASIC Stresses Focus on Cyber Risk
On March 10, 2021, the Australian Securities and Investments Commission ("ASIC") Deputy Chair gave a speech to the Australian Financial Review Business Summit in which she referred to cyber risk as the new frontier for both national defense and market integrity. She highlighted ASIC's cyber supervisory endeavors, which include raising awareness of cyber resilience, helping regulated entities prepare for their self-assessment, and taking deterrence-based enforcement action. She also referred to the first action taken by ASIC against an Australian financial services licensee for deficient cybersecurity systems and warned that it would not be the last.
Australian Government Launches International Cyber and Critical Technology Engagement Strategy
On April 21, 2021, the Australian government launched its International Cyber and Critical Technology Engagement Strategy, which builds on and compliments the strategy developed in 2017, and the 2020 Cyber Security Strategy. The strategy offers $37.5 billion in support to neighboring countries and has a key focus on "values, security, and prosperity," as well as developing and shaping relationships with trusted international partners and cybersecurity and critical technologies.
APRA Considers Cyber Risk the Most Difficult Prudential Threat
On April 28, 2021, the Australian Prudential Regulation Authority ("APRA") Chair gave a speech to the Committee for the Economic Development of Australia in which he referred to cyber risk as the most difficult prudential threat, as it is driven by malicious and adaptive adversaries who are intent on causing damage. He outlined APRA's three primary focus areas: to establish a baseline of cyber controls; to enable boards and executives of financial institutions to oversee and correct cyber exposures; and to rectify weak links within the broader financial ecosystem and supply chain.
The following Jones Day lawyers contributed to this section: Adam Salter, Daniel Moloney, and Maria Yiasemides.
Recent and Upcoming Speaking Engagements
Managing Through Crushing Litigation & Disruptive M&A, BarkerGilmore (March 2021). Jones Day Speaker: Lisa Ropple
Obligation to Document Data Breaches and Post-breach Management Measures: Contract Management and Liability Issues, Online Seminar "Responding to personal data breaches in the Post-GDPR," Academy of European Law (ERA) (March 2021). Jones Day Speaker: Jörg Hladjk
JONES DAY TALKS®: Cyber Risks: A False Sense of Security – Episode 1 (May 2021). Jones Day Speakers: Justin Herdman, Lisa Ropple, Grayson Yeargin
Jones Day's Cybersecurity and Privacy Update: A Roundtable Discussion of Key Developments and Hot Topics Webinar (May 2021). Jones Day Speakers: Various
Legal Developments, Trends and Predictions for Financial Services and FinTech in Georgia, sponsored by the State Bar of Georgia (May 2021). Jones Day Moderator: Mary Alexander Myers
Mexican National Registry of Mobile Users (PANAUT): A Privacy Analysis, IAPP Mexico City Knowledge Net Chapter (May 2021). Jones Day Speaker: Guillermo Larrea
PS Forum Workshop: Latin American Privacy Law (May 2021). Jones Day Speaker: Guillermo Larrea
Cybersecurity: How Companies are Taking a Step Further to Combat Hacking and Security Breaches?, The IE Ethics & Compliance Club (May 2021). Jones Day Speaker: Guillermo Larrea
Cutting Edge Cyber Risk: Critical Infrastructure & Supply Chain, Boston Bar Association (June 2021). Jones Day Speaker and Moderator: Lisa Ropple
Jones Day's Sweeping EU Proposal to Regulate AI: A New Global Standard? Webinar (June 2021). Jones Day Speakers: Various
"Cybersecurity – That was Then, this is Now", Society for Corporate Governance, 20201 National Conference (June 2021). Jones Day Moderator: Lisa Ropple
Jones Day's New SCCs and Post-Schrems II Enforcement: Latest Developments On International Data Transfers Webinar (July 2021). Jones Day Speakers: Various
Recent and Upcoming Publications
COVID-19 Vaccinations and Considerations for European Employers (March 2021). Jones Day Authors: Various
COVID-19 Key EU Developments, Policy & Regulatory Update No. 38 (March 2021). Jones Day Authors: Various
Virginia Becomes the Second State to Enact a Comprehensive Data Privacy Law (March 2021). Jones Day Authors: Various
New York Department of Financial Services Imposes Penalty and Consent Order for Cybersecurity Violations (March 2021). Jones Day Authors: Various
GSA's Use of DoD Cybersecurity Language for Future Contracts Signals Increased Security Requirements in Civilian Contracts (March 2021). Jones Day Authors: Various
European Commission Expert Group Issues Connected and Automated Vehicle Privacy Recommendations (April 2021). Jones Day Authors: Various
France Plans on Adopting New Rules for Self-Driving Cars (April 2021). Jones Day Authors: Various
NFTs: Key U.S. Legal Considerations for an Emerging Asset Class (April 2021). Jones Day Authors: Various
Regulating Artificial Intelligence: European Commission Launches Proposals (April 2021). Jones Day Authors: Various
Autonomous Vehicles: Legal and Regulatory Developments in the United States (May 2021). Jones Day Authors: Various
Litigation and Regulatory Considerations and Risks for Financial Market Participants in a Post-Pandemic Society (May 2021). Jones Day Authors: Various
Cybersecurity Executive Order Establishes Framework to Strengthen Cybersecurity Elements of Federal Government Contracts (May 2021). Jones Day Authors: Various
China Takes Major Step Towards Finalizing National Data Regulation Regime (May 2021). Jones Day Authors: Various
Executive Order Launches Cybersecurity Labeling Regime for Consumer Products (May 2021). Jones Day Authors: Various
Italian Data Protection Authority Issues Guidelines on Data Processing Relating to Employees' COVID-19 Vaccinations at the Workplace (May 2021). Jones Day Authors: Various
Model Terms Demanded for Cloud Service Agreements with European Banks (May 2021). Jones Day Authors: Various
White House Calls for Federal Reforms in Long-Anticipated Cybersecurity Executive Order (May 2021). Jones Day Authors: Various
New Standard Contractual Clauses by the European Commission: What You Need to Know (June 2021). Jones Day Authors: Various
China Finalizes Data Security Law to Strengthen Regulation on Data Protection (June 2021). Jones Day Authors: Various
Supreme Court Narrows Article III Standing in Damages Actions (July 2021). Jones Day Authors: Various
New York Department of Financial Services Announces New Guidance on Ransomware Prevention (July 2021). Jones Day Authors: Various
Colorado Becomes Third State to Enact Comprehensive Data Privacy Law (July 2021). Jones Day Authors: Various
FinCEN Issues First U.S. Priorities for Anti-Money Laundering and Counter-Terrorism Financing (July 2021). Jones Day Authors: Various
Florida Makes Significant Changes to State Telemarketing Laws (July 2021). Jones Day Authors: Various
Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity "Safe Harbor" (July 2021). Jones Day Authors: Various
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.