Jones Day Global Privacy & Cybersecurity Update | Vol. 28 | Jones Day

Jones Day Cybersecurity, Privacy & Data Protection Lawyer Spotlight: Mary Alexander Myers

As companies increasingly focus on data as a critical asset, and data becomes a driver of technology-focused transactions, companies must balance compliance obligations with the desire to commercialize and use data. Mary Alexander Myers guides clients through all aspects of data-related transactions, helping them navigate the increasingly complex legal, regulatory, and contractual requirements emerging in this area. She has an innovative transactional practice, in which she provides strategic advice concerning data-related issues at the intersection of privacy, cybersecurity, intellectual property, and licensing. She advises clients on a wide range of strategic technology transactions and cybersecurity and data privacy matters, with particular focus on protecting key intellectual property and data assets. She has extensive experience counseling clients on data privacy compliance, outsourcing and technology transactions, intellectual property licensing arrangements, and other related matters. Her practice includes representing buyers and sellers in domestic and cross-border corporate transactions, including mergers and acquisitions and financing arrangements. Mary Alexander has advised clients in a wide variety of industries, including financial services, healthcare, and technology, and works with public companies as well as emerging technology-driven businesses and start-ups.

Mary Alexander is located in the Firm’s Atlanta Office. She serves on the executive committee of the Privacy and Technology Section of the State Bar of Georgia, where she coordinates programming and outreach. She frequently speaks on issues related to technology, privacy, and security.

UNITED STATES

Regulatory—Policy, Best Practices, and Standards

President Biden Issues Cybersecurity Executive Order 

On May 12, 2021, President Biden issued an executive order that placed new requirements on the cybersecurity of software sold to the federal government. The order requires software purchased by the federal government to meet a series of new cybersecurity standards, requires the development of contractual language that allows service providers to share information regarding potential incidents with federal agencies, and proposes to standardize the federal government’s response to critical vulnerabilities and incidents. The order also establishes a Cyber Safety Review Board, co-chaired by government and private sector leads, to analyze what happened following a significant cybersecurity incident and to make recommendations for improving cybersecurity.

White House Issues Best Practices for Ransomware Threats for Private Businesses

On June 2, 2021, the White House published an open letter to corporate executives and business leaders with the U.S. government’s recommended best practices to mitigate and prevent ransomware threats and attacks. The letter urged private businesses to implement the five best practices from the president’s executive order; back up data, regularly test the backups, and keep the backups offline; update and patch systems promptly; test the incident response plan; commission third-party penetration tests of system security; and segment internal networks.

Regulatory—Consumer and Retail

FTC Settles With Photo App Developer Over Claims of Misusing Facial Recognition Technology
 
On May 7, 2021, a photo app developer finalized a settlement with the Federal Trade Commission (“FTC”) over claims that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The FTC alleged that the developer misled users of its mobile app into believing that it would not apply facial recognition technology to users’ content unless they affirmatively chose to activate the feature, even though the facial recognition feature was activated by default for all users except those in three U.S. states and the European Union. The FTC also alleged that the developer falsely represented that it would delete the photos and videos of users who deactivated their accounts, even though it retained their photos and videos indefinitely. As part of the settlement, the developer is required to obtain consumers’ express consent before using facial recognition technology and to delete the photos and videos of users who deactivated their accounts, as well as the models and algorithms it had developed using those consumers’ photos and videos.

FTC Releases Annual Report

On May 24, 2021, the FTC released its 2020 Privacy and Data Security Update, an annual report on the agency’s most significant enforcement actions, policy and advocacy initiatives, and education and outreach programs over the past year.

Regulatory—Financial

NYDFS Issues Report on SolarWinds Hack

In April 2021, the New York Department of Financial Services (“NYDFS”) issued the “Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response.” While the report found that, to date, no company regulated by the NYDFS had reported that the SolarWinds attackers actively exploited its network, and that financial services companies were generally not actively targeted for exploitation, it also warned that the “next great financial crisis could come from a cyber attack.” The agency made several recommendations, including implementing multiple layers of security and maintaining an incident response plan.

NYDFS Issues New Guidance on Ransomware Prevention

On June 30, 2021, the NYDFS issued new guidance to regulated entities on preventing ransomware attacks. The guidance stated that regulated companies should implement the following controls whenever possible: (i) email filtering and anti-phishing training; (ii) vulnerability and patch management with regular testing and updates; (iii) multifactor authentication; (iv) disabling remote desktop access; (v) strong, unique passwords; (vi) privileged access management; and (vii) system monitoring and an Endpoint Detection and Response solution. For more information, please see our Jones Day Alert.

Regulatory—Energy/Utilities

DOE Announces RFI Focused on Protecting U.S. Supply Chain

On April 20, 2021, the Office of Electricity at the Department of Energy (“DOE”) notified the public of a Request for Information (“RFI”) on “ensuring the continued security of the United States critical electric infrastructure,” focused on “[p]reventing exploitation and attacks by foreign threats to the U.S. supply chain.” The DOE plans to use the requested feedback to develop a long-term strategy to ensure that stakeholders’ procurement practices evolve to match the changing threat landscape, which currently includes exploitable vulnerabilities in foreign-sourced electric system equipment. The RFI is part of the DOE’s cybersecurity “100-day sprint” initiative aimed at enhancing the security of priority electric infrastructure control systems.

Pipeline Suffers Ransomware Attack

On May 7, 2021, an oil pipeline company reported that it had suffered a ransomware attack. As a precaution to prevent the ransomware from spreading to its operational systems, the company chose to shut down its pipeline and did not return it to full service for several days. In response to the attack, the White House announced an initiative to enhance collaboration on cybersecurity resilience between the government and its private sector partners, while noting that the attack “put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private-sector companies.”

Regulatory—Health Care/HIPAA

Medical Collection Agency Reaches Agreement With 41 States Following 2019 Data Breach

On March 11, 2021, a medical collection agency reached an agreement with 41 state attorneys general following a 2019 data breach that exposed the personal information of 21 million individuals. The agency agreed to implement and maintain a variety of data security practices to strengthen consumer protections. The agency would be responsible for a $21 million payment to the states if it violates the injunctive terms of the settlement.

Clinical Laboratory Settles HIPAA Violations

On May 25, 2021, a clinical laboratory reached a $25,000 settlement with the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. The company provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. After conducting an investigation, the OCR found systemic noncompliance with HIPAA, including the failure to conduct an enterprise-wide risk analysis and to implement risk management and audit controls. The OCR reiterated that “[c]linical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule.”

Regulatory—Defense and National Security

DHS Announces Cybersecurity Requirements for Critical Pipeline Owners

On May 27, 2021, the Department of Homeland Security (“DHS”) announced new cybersecurity requirements for owners and operators of critical pipelines. Owners and operators must report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and designate a cybersecurity coordinator who will be available 24/7. They also must review their current cybersecurity practices to identify gaps and remediation measures and must report the results within 30 days.

President Biden Issues Executive Order to Protect Sensitive Data 

On June 9, 2021, President Biden issued an executive order to further address the ongoing national emergency with respect to the threats posed to the United States’ information and communications technology and services (“ICTS”) supply chain. The executive order directs the use of a criteria-based decision framework and evidence-based analysis to address threats posed by ICTS transactions involving software applications subject to the jurisdiction of a foreign adversary. The executive order also directs the Department of Commerce to make recommendations to protect sensitive personal data and to address transactions involving software applications connected to a foreign adversary.

NSA Funds Development and Release of D3FEND

On June 22, 2021, the National Security Agency (“NSA”) announced the release of the NSA-funded MITRE D3FEND, “a framework for cybersecurity professionals to tailor defenses against specific cyber threats.” D3FEND establishes a terminology of computer network defensive techniques and provides a model of how they counter common offensive techniques. The framework is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior.

Regulatory—Transportation

DHS Taps Transportation Systems for Cybersecurity “Sprint”

On March 31, 2021, the Department of Homeland Security (“DHS”) outlined six “sprints” planned by DHS to improve federal cybersecurity across a range of areas, including the nation’s transportation systems. Each sprint will play out over 60 days and endeavor to “mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary.”

Litigation, Judicial Rulings, and Enforcement Actions

NYDFS Imposes Penalty and Consent Order for Cybersecurity Violations

On March 3, 2021, the NYDFS announced a consent order with a mortgage bank for violations of New York’s Cybersecurity Regulation. In March 2020, the NYDFS conducted a routine compliance examination of the bank and discovered that the bank had failed to adequately investigate or report a March 2019 cybersecurity incident as required under state data breach notification laws and the NYDFS Cybersecurity Regulation. As part of the settlement, the bank agreed to pay $1.5 million in penalties and to comply with all provisions of the Cybersecurity Regulation. For more information, please see our Jones Day Alert.

District Court Finds CCPA Does Not Apply Retroactively

On March 5, 2021, the District Court for the Northern District of California found that the California Consumer Privacy Act (“CCPA”) does not apply retroactively if an alleged data breach occurred before January 1, 2020. The plaintiff filed a class action suit alleging that a retailer failed to disclose a data breach. The plaintiff did not allege a date of the breach, only that his personal information “is currently available on the dark web.” The court found that “absent allegation establishing that [the company’s] alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.” The district court granted the company’s motion to dismiss, but allowed the plaintiff to file an amended complaint.

Supreme Court Clarifies TCPA Definition of “Autodialer” 

On April 1, 2021, the Supreme Court resolved a key question under the Telephone Consumer Protection Act (“TCPA”): whether equipment that dials from a list of numbers qualifies as an “automatic telephone dialing system” (“ATDS”) subject to the TCPA’s statutory penalties. The Supreme Court held that equipment dialing from a list of numbers does not qualify as an ATDS. Instead, equipment must “use a random or sequential number generator” to qualify as an ATDS. For more information, please see our Jones Day Alert.

Supreme Court Curbs FTC’s Ability to Pursue Monetary Relief

On April 22, 2021, the Supreme Court held that Section 13(b) of the FTC Act does not authorize the FTC to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. While the district court and the Ninth Circuit had both allowed equitable monetary relief under Section 13(b), the Supreme Court reversed, finding that the plain language of Section 13(b) authorizes only injunctive relief, and not the retrospective monetary remedies that the FTC had previously and consistently relied upon. The FTC can now seek monetary remedies only in “conditioned and limited” circumstances.

Second Circuit Provides Clarity on Data Breach Standing Threshold

On April 26, 2021, the Second Circuit clarified that the risk of identity theft after a data breach may be grounds to sue. In that case, a health services provider inadvertently disclosed personally identifiable information (e.g., social security numbers and dates of birth) of current and former employees. While the Second Circuit found that the mere risk of identity theft following a data breach may support standing, the court held that the facts at issue in that case failed to show “a substantial risk of future identity theft or fraud sufficient to establish Article III standing.”

Pennsylvania AG Investigates Breach of Contact Tracing Data

On April 29, 2021, an IT services company announced that some of the personal information it had collected for COVID-19 contact tracing services in Pennsylvania had been accessed by an unauthorized party. The Attorney General of Pennsylvania remarked, “[M]y office has opened investigations into this data breach on multiple fronts,” but declined to provide further comment on the investigation.

Massachusetts AG Probes Data Collection Practices of Pharmacies Offering COVID-19 Vaccines

On May 3, 2021, the Massachusetts Attorney General’s Office sent a letter to major pharmacy chains, requesting that they explain their personal data collection practices for patients receiving the COVID-19 vaccine. The letter asked the pharmacies how they disclosed data collection practices, obtained consent to collect personal data, and used the personal information of those same consumers, and whether the pharmacies collected information from, or required the creation of accounts by, consumers who sought or received the vaccine at their stores.

Retailer to Settle BIPA Class Action for $10 Million

On June 16, 2021, an Illinois court approved a settlement under which a retailer will pay $10 million to resolve claims that it violated the Illinois Biometric Information Privacy Act (“BIPA”). The class alleging BIPA violations consisted of current and former employees who claimed that they were required to use a palm scanner system to access the cash register without first providing written consent. The company had attempted to dismiss the case in 2019, arguing that the plaintiffs’ claims were time-barred and merely showed procedural violations of state law.

Supreme Court Narrows Article III Standing for Class Actions

On June 25, 2021, the Supreme Court decided TransUnion LLC v. Ramirez, vacating a class action judgment and holding that a plaintiff lacks Article III standing to seek damages for a private defendant’s statutory violations unless the plaintiff can show an actual, real-world injury. Whereas the Ninth Circuit had held that all 8,185 class members had standing on their statutory claims, the Supreme Court limited standing to the 1,853 class members whose consumer reports had been disseminated to third-party businesses. For more information, please see our Jones Day Commentary.

Legislative—Federal

Members of Congress Reintroduce Bills to Protect Energy Infrastructure

In late April and early May 2021, House lawmakers reintroduced several bipartisan bills, first introduced in the 116th Congress, aimed at preventing future cyberattacks on critical energy infrastructure. The current version of the Pipeline and LNG Facility Cybersecurity Preparedness Act would require the DOE to “carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities,” while this year’s version of the Enhancing Grid Security through Public-Private Partnerships Act would require the DOE to implement a program that facilitates and encourages public-private partnerships to address cybersecurity vulnerabilities of the electric grid. The latest iteration of the Cyber Sense Act, which passed the House in 2020, would require the DOE to establish a program to test the cybersecurity of “products and technologies intended for use in the bulk-power system.”

Legislative/Executive—States

Virginia Passes Omnibus Consumer Privacy Law

On March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act (“VCDPA”). The act, which goes into effect on January 1, 2023, applies to companies doing business in Virginia or marketing to Virginians that meet one of two specified thresholds. Unlike the CCPA, the VCDPA contains no private right of action, applies to fewer covered businesses, and has a narrower definition of the “sale” of data. The VCDPA also eschews the language of the CCPA in favor of the European Union’s data protection terminology (e.g., adopting terms such as “controller” and “processor”).

Oklahoma Adds Ransomware Language to Computer Crimes Act

On May 28, 2021, the Oklahoma Legislature amended the Oklahoma Computer Crimes Act to add “malicious computer program” as a defined term that includes “viruses, Trojan horses, spyware and adware, worms, rootkits, backdoors, [and] ransomware.” Additionally, it is now unlawful to use malicious computer programs to expose or take possession of a computer, computer network or system, data, or any other property. The amendment becomes effective on November 1, 2021.

Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity “Safe Harbor”

On June 16 and July 6, 2021, the Connecticut governor signed two new cybersecurity laws. “An Act Concerning Data Privacy Breaches” amends Connecticut’s existing data breach notification law to shorten the time to notify Connecticut residents of a data breach to 60 days after discovery, and expands the definition of personal information to include IRS identification numbers, certain medical information, biometric information, and online account information, among other changes. “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” establishes a safe harbor against tort claims for companies that have implemented a written cybersecurity program that conforms to an industry-recognized framework, such as the National Institute of Standards and Technology Cybersecurity Framework. For more information, please see our Jones Day Alert.

Colorado Becomes Third State to Enact Comprehensive Data Privacy Law

On July 7, 2021, the Colorado governor signed the Colorado Privacy Act (“Act”) into law, making Colorado the third state, after California and Virginia, to enact a comprehensive data privacy law. The Act comes on the heels of the March 2021 passage of the VCDPA and appears to borrow many data protection concepts from both the VCDPA and the European Union’s General Data Protection Regulation. The Act takes effect on July 1, 2023. For more information, please see our Jones Day Commentary.

The following Jones Day lawyers contributed to this section: Jennifer C. Everett, Kerianne Tobitsch, Keeton Christian, Rebecca Iafrati, Ruby Lang, Bailey Loverin, Sara Lynch, Megan McKnelly, Dan Ongaro, Christina O’Tousa, Michael Phillips, Ayesha Rasheed, Molly Russell, and Jenny Whalen-Ball. Summer associate Lindsy Maglich also contributed to this section.

LATIN AMERICA

Argentina

AAIP Issues Guidelines on Personal Data Processing During COVID-19 Pandemic

On April 20, 2021, Argentina’s Public Information Access Agency (Agencia de Acceso a la Información Pública—“AAIP”) issued three guidelines to reinforce the proper processing of personal data, body temperature data, and geolocation data during the COVID-19 pandemic (source document in Spanish).

Brazil

ANPD and SENACON Sign Cooperation Agreement

On March 22, 2021, the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados—“ANPD”) and the Consumer Protection Agency (Secretaria Nacional do Consumidor—“SENACON”) released a press statement regarding their recent cooperation agreement, which aims to protect consumers’ data and accelerate security incident investigations (source document in Portuguese).

ANPD Issues Recommendations for Social Media Privacy Policies

On May 7, 2021, the ANPD issued recommendations to social media companies regarding their privacy policies (source document in Portuguese). The recommendations suggested postponing the rollout of new privacy policies until the Brazilian privacy recommendations are adopted, and maintaining the current usage model and user accounts in the meantime.

ANPD Issues Guideline for Definition of Processing Agents and Data Protection Officers

On May 28, 2021, the ANPD issued a Guideline for the Definition of Processing Agents and Data Protection Officers (source document in Portuguese). This guideline defines and provides examples of personal data processing agents, such as the data controller, data processor, and data protection officer. Furthermore, it differentiates between joint and separate controllership. Joint controllership refers to more than one data controller making common decisions regarding data processing, whereas under separate controllership decisions are made by a single data controller.

Chile

CPLT Offers Free Online Data Protection Courses

On April 2, 2021, the Council for Transparency (Consejo para la Transparencia—“CPLT”) released a press statement promoting its new educational platform, which includes online trainings and educational resources focused on personal data protection (source document in Spanish).

Colombia

SIC Releases Annual Survey on Data Processing Security Measures

On March 11, 2021, the Superintendence of Industry and Commerce (“SIC”) issued a press release on its second annual study of the security measures implemented by the 33,596 entities that registered their databases in the National Database Registry for the collection, storage, or processing of personal data (source document in Spanish). The study showed that many organizations did not have effective mechanisms to protect their users’ data from security incidents.

SIC Issues Recommendations on Use of Physical or Electronic Biometric Data Readers

On March 16, 2021, the SIC issued recommendations urging companies to refrain from using fingerprint or other contact-based biometric readers to collect personal data, due to the COVID-19 transmission risk posed by these devices (source document in Spanish). Furthermore, the SIC stated that if an alternative biometric data collection mechanism is not possible, a permanent cleaning and disinfection process must be implemented.

Ecuador

Ecuadorian Legislators Approve Data Protection Law

On May 10, 2021, Ecuadorian legislators approved the Organic Law on Data Protection, which aims to guarantee personal data protection rights, digital rights, and adequate data processing (source document in Spanish). The national data authority will be the Superintendence of Personal Data Protection, which will maintain a national data protection registry. Violators of the law are subject to fines.

Mexico

INAI Issues Recommendations on Personal Data Protection During COVID-19 Vaccination Process

On March 10, 2021, the National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales—“INAI”) issued official communication No. INAI/083/21, which recommended data processing practices for the COVID-19 vaccination process (source document in Spanish).

INAI Issues Recommendations Regarding Banking Institutions and Clients’ Geolocation

On March 20, 2021, the INAI issued official communication No. INAI/097/21, which recommends that banking institutions take extreme precautions when monitoring clients’ geolocation (source document in Spanish). These recommendations arise from newly released anti-money laundering guidelines, which require bank customers to provide their consent prior to geolocation monitoring. The INAI stated that geolocation monitoring of clients is only permissible with prior consent.

INAI Challenges National Registry of Cellphone Users in Supreme Court

On April 27, 2021, the INAI issued a press release regarding its decision to file an action in Mexico’s Supreme Court (“SCJN”) alleging that the amendment to the Federal Telecommunications and Broadcasting Law that created the National Register of Mobile Telephone Users (“PANAUT”) is unconstitutional (source documents in Spanish). The INAI alleged that PANAUT violates personal data protection rights and the principles of proportionality, security, and legal certainty because the registry uses sensitive biometric data, restricts the right to access information, and grants undue power to the Federal Telecommunications Institute. The SCJN has not yet determined whether the action will proceed.

Mexican Senator Proposes Bill to Create a 72-Hour Data Breach Notification Requirement

On April 29, 2021, a senator filed an initiative to amend the Federal Law on Protection of Personal Data Held by Private Parties (“LFPDPPP”) by adding a requirement that entities notify data subjects and the INAI of a data breach within 72 hours (source document in Spanish). The initiative also aims to impose an obligation on foreign controllers to appoint a local representative to comply with their obligations under the LFPDPPP. The initiative was sent from the Senate to the respective commission and awaits further approval.

Panama

Panamanian Data Protection Law Enters into Force

On March 29, 2021, Panama’s data protection law (Ley 81 del 26 de marzo del 2019) took effect (source document in Spanish). The law creates principles, obligations, and procedures for lawful data processing; requires data controllers to obtain the data subject’s consent prior to any data processing; and imposes sanctions on those who fail to comply, including fines ranging from USD $998 to $9,998 and closure of the database record.

Peru

Peru Introduces New Data Protection Authority

On June 9, 2021, Peru’s Council of Ministers (Consejo de Ministros) approved Bill No. 337-2021, which provides for the creation of the National Authority for Transparency, Access to Public Information, and Protection of Personal Data (Autoridad Nacional de Transparencia, Acceso a la Información Pública y Protección de Datos Personales) (source in Spanish). Under current law, the National Authority for Personal Data Protection (Autoridad Nacional de Protección de Datos Personales) is the data protection authority for Peru; it will now be merged into the new authority to create a hybrid authority with its own legal standing, greater autonomy, and resources.

Uruguay

Agency Issues Recommendations on Use of Vaccination Center Images

On March 15, 2021, the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) issued a series of recommendations regarding the collection and dissemination of images of individuals in COVID-19 vaccination centers. These images are classified as personal data requiring the express and written consent of the data subject (source document in Spanish).

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Juan Carlos Quinzaños, and Victoria Villagomez.

EUROPE

European Commission

Commission Proposes New Rules to Regulate AI 

On April 21, 2021, the European Commission (“Commission”) unveiled a proposal for a “Regulation laying down harmonised rules on artificial intelligence” (“AI Regulation”), which sets out how AI systems and their outputs may be placed on the market and used in the European Union (“EU”). If adopted by the EU Parliament and Council (which could take two to three years), the AI Regulation would apply alongside the EU General Data Protection Regulation (“GDPR”) to ensure the protection of individuals’ personal data. For more information, please see our Jones Day Alert.

Commission Adopted New Standard Contractual Clauses

On June 4, 2021, the Commission adopted new Standard Contractual Clauses (“SCCs”) for the transfer of personal data to third countries that do not meet GDPR requirements for an adequate level of data protection. SCCs are model data transfer terms that are implemented between entities in the European Economic Area (“EEA”) exporting personal data and importing entities in third countries. On the same day, the Commission adopted a separate decision on a set of standard contractual clauses under Article 28 GDPR for use between controllers and processors established in the EEA. These standard contractual clauses cover the provisions necessary for a data processing agreement pursuant to Article 28 of the GDPR and should not be confused with the SCCs, which are safeguards for the transfer of personal data to third countries.

Commission Adopted Two Adequacy Decisions for the United Kingdom

On June 28, 2021, the Commission adopted two adequacy decisions for the United Kingdom (“UK”), one under the GDPR and the other under the Law Enforcement Directive. The adequacy decisions allow the free flow of personal data from the EU to the UK, on the basis that UK law provides an essentially equivalent level of data protection to that guaranteed under EU law. For the first time, both decisions include a “sunset clause,” which limits the duration of adequacy to four years and allows the Commission to monitor the legal situation in the UK. As long and as far as the adequacy decisions apply, EU data exporters are not required to implement appropriate safeguards under Article 46 of the GDPR (such as SCCs) for data transfers to the UK.

European Council

Council Adopts Conclusions on EU’s Cybersecurity Strategy 

On March 22, 2021, the EU Council (“Council”) adopted conclusions on the EU’s cybersecurity strategy (“Strategy”). The Strategy outlines the framework for EU action to protect EU citizens and businesses from cyber threats, promote secure information systems, and protect a global, open, free, and secure cyberspace. In its conclusions, the Council highlighted a number of areas for action in the coming years (e.g., creating a network of security operation centers in the EU and applying the EU 5G toolbox measures).

Court of Justice of the European Union

ECJ Rules on Conditions for Access to Retained Traffic and Location Data

On March 2, 2021, the European Court of Justice (“ECJ”) in H.K. v. Prokuratuur, Case C-746/18, clarified the conditions under which public authorities may access traffic or location data to combat serious crime or prevent serious threats to public security. In particular, the ECJ held that access may be granted “irrespective of the length of the period in respect of which access to those data is sought and [regardless of] the quantity or nature of the data available in respect of such a period.”

European Data Protection Board

EDPB and EDPS Adopt Joint Opinion on Data Governance Act

In March 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted a joint opinion on the proposal for a Data Governance Act (“DGA”). The DGA would promote the availability of public sector data and data sharing in the internal market. The opinion invited legislators to ensure that the DGA would be consistent with EU data protection legislation.

EDPB Issues Opinions on Draft UK Adequacy Decision 

On April 13, 2021, the EDPB issued two opinions (Opinion 14/2021 and Opinion 15/2021) regarding the Commission’s draft implementing decision on the adequate protection of personal data in the UK. The EDPB concluded that the core provisions of the UK and EU data protection laws are aligned, but recommended that the Commission analyze the mechanism used to inform relevant EU Member States of further processing or disclosure by UK authorities to which personal data has been transferred. In addition, the EDPB advised the Commission to fulfill its monitoring role and to amend the adequacy decision to introduce specific safeguards for data transferred from the EU, or to suspend the decision if the equivalent level of protection of personal data is not maintained by the UK.

Belgium

Belgian DPA Develops Practical Tools for Companies 

In March 2021, the Belgian Data Protection Authority (“DPA”) developed practical tools for data controllers, data processors, and data protection officers (source document in Dutch). The tools consist of simplified templates for data registers, a roadmap on exchanges of personal data by federal government agencies, and some tools for subject-matter experts (e.g., FAQs on data protection and template letters for data subjects to exercise their rights).

Belgian DPA Calls on Citizens to Take Action Against Social Media Company

In April 2021, the DPA contacted the Irish DPA regarding a social media company’s data breach that affected at least three million Belgian accounts. The Belgian DPA advised affected Belgian citizens to be vigilant and, if necessary, to file a complaint with the Belgian DPA, even though the company’s headquarters are in Ireland (source document in Dutch).

France

CNIL Warns Stakeholders of Approaching Deadline for Cookie Compliance

On April 2, 2021, the French Data Protection Authority (“CNIL”) published a notice to inform stakeholders of the expiration of the deadline to comply with regulations applicable to cookies, which expired on March 31, 2021 (source document in French). The CNIL warned that it will begin carrying out assessments of website and app compliance with cookie regulations.

CNIL Publishes Provisional Recommendations for Remote Quality Control of Clinical Trials During the Health Crisis

On April 22, 2021, the CNIL released provisional recommendations for the remote quality control of clinical trials during the pandemic (source document in French). Among other things, the CNIL’s recommendations provided guidance on the security measures necessary to ensure the protection of health data as stakeholders were forced to conduct remote quality control due to the pandemic.

CNIL Releases Opinion on the French “Health Pass” Bill 

On May 12, 2021, the CNIL issued an opinion on the contemplated implementation by the French government of a “health pass” to control access to certain establishments based on vaccination or COVID-19 testing status (source document in French). The CNIL stated that the use of a health pass must be limited to the duration of the pandemic and to events involving a large number of people. The CNIL also recommended clearly defining the purposes of processing and the persons authorized to verify this sensitive data to prevent any violations of data privacy regulations.

CNIL Releases Interim Recommendations on Data Processing Activities During Clinical Trials

On June 24, 2021, the CNIL updated its interim recommendations on the remote monitoring of clinical trial data, applicable until September 30, 2021 (source document in French). Further to the authorization by the French Health Security Authority of a limited list of clinical trials allowing for remote monitoring, the CNIL issued recommendations on remote monitoring, including guidance on required French formalities and security measures.

CNIL Publishes Guidance on Data Subject Rights Exercised by Power of Attorney 

On June 25, 2021, the CNIL issued its guidelines and FAQ on the use of a Power of Attorney (“PoA”) to exercise data subjects’ rights (source documents in French). The CNIL also published a PoA template together with guidelines.

Germany

Federal Labor Court Rules on Employee’s Right to Receive Copies of Their Emails

On April 27, 2021, Germany’s Federal Labor Court (Bundesarbeitsgericht) held that an employee’s request that their employer provide copies of the employee’s entire email correspondence and any emails that mention the employee’s name was not sufficiently specific under German civil procedural law (source document in German). The court did not clarify the material scope of the right to receive a copy of personal data processed pursuant to Art. 15(3) GDPR.

Federal Labor Court Submits Questions to ECJ on Requirements for Dismissing DPO

On April 27, 2021, Germany’s Federal Labor Court submitted questions to the ECJ for a preliminary ruling on the requirements for the dismissal of a company data protection officer (“DPO”) under the GDPR (source document in German). Additionally, the court sought clarification as to whether there is a conflict of interest pursuant to Article 38(6) of the GDPR if the DPO serves as the chairperson of the controller’s works council.

DPAs Publish Questionnaires for Coordinated Investigation of International Data Transfers 

On June 1, 2021, a number of German Data Protection Authorities (“DPAs”) published their jointly developed questionnaires for the coordinated investigation of international data transfers in the wake of the Schrems II decision issued one year ago by the ECJ (source document in German). The DPAs participating in the coordinated investigation announced their intention to reach out to companies in Germany on the basis of these questionnaires. The five questionnaires available so far focus specifically on the effectiveness of transfer safeguards related to the use of applicant portals, intragroup data transfers, tracking tools, and web and email hosting.

Italy

Italian DPA Issues Negative Opinion on Video Security System Based on Facial Recognition 

On March 25, 2021, the Italian DPA issued a negative opinion on the Italian Ministry of the Interior’s use and public installation of a video surveillance system based on real-time facial recognition (source document in Italian). The system would have allowed for the real-time analysis of human faces, comparison with a watch-list database, and immediate alerting of the police force if a match were identified. According to the DPA, the system lacked a proper legal basis for large-scale, automated processing of biometric data, and the system as designed would have resulted in indiscriminate mass surveillance.

Italian DPA Issues Warning to Government on COVID-19 Vaccination Pass

On April 23, 2021, the Italian DPA issued a warning to the Italian government pursuant to Article 58 of the GDPR in relation to the introduction of a COVID-19 vaccination pass to facilitate free movement within Italy (source document in Italian). The DPA underlined major data protection concerns, such as the lack of an adequate legal basis, insufficient specification of legal purposes for the processing of data, and the need for data minimization and transparency principles. Moreover, the government did not consult the Italian DPA before adopting the decree, as is required by applicable law.

Netherlands

Dutch DPA Fines Online Travel Agency for Late Breach Reporting

On March 31, 2021, the Dutch DPA announced a fine of €475,000 for a Dutch-headquartered online travel agency for failing to report a data breach within 72 hours of becoming aware of the incident in 2019 (source document in Dutch). The data breach resulted in criminals gaining access to personal data, including names, phone numbers, login credentials, and credit card numbers. In its statement, the Dutch DPA noted that the company was informed of the breach on January 13, 2019, but did not report the incident until February 7, 2019.

Dutch DPA Fines Municipality for Wi-Fi Tracking

In April 2021, the city of Enschede was fined €600,000 by the Dutch DPA for using Wi-Fi tracking in the city center in violation of the GDPR. The Dutch DPA pointed out that “deploying Wi-Fi tracking that makes this possible is in itself a serious breach” of Dutch privacy law. The municipality of Enschede has lodged an objection against the decision.

Spain

Spanish DPA Imposes €8.15 Million Fine on Telecom Company for GDPR Violations
 
On March 11, 2021, the Spanish DPA imposed a fine of €8.15 million on a telecommunications company for GDPR violations (source document in Spanish). The €8.15 million fine is the highest fine imposed so far by the Spanish DPA for violation of the GDPR. More specifically, the DPA found that the company (i) engaged in commercial communications to potential clients without express authorization; (ii) conducted advertising despite clients’ objections; (iii) did not comply with the obligation of controllers to “verify[] the guarantees of the data processor” during the course of the assignment; and (iv) carried out data transfers without complying with the guarantees required by the GDPR.

Spanish DPA Sanctions and Fines Consumer Reporting Agency for Misuse of Personal Data
 
On April 26, 2021, the Spanish DPA imposed a fine of €1 million on a consumer reporting agency for violating five articles of the GDPR (source document in Spanish). After receiving 97 complaints that the company had included personal data in the File of Judicial Claims and Public Bodies (“FIJ”) without first obtaining consent, the DPA carried out an investigation. In addition to the fine, the Spanish DPA has prohibited the company from continuing to process personal data through the FIJ and required the deletion of the personal data.

United Kingdom

ICO Welcomes EU Adequacy Decision 

On June 28, 2021, the Information Commissioner’s Office (“ICO”) issued a statement welcoming the EU Commission’s decision to grant the United Kingdom an adequacy decision. This adequacy decision allows EU companies to send personal data to the United Kingdom in accordance with the GDPR.

The following Jones Day lawyers contributed to this section: Laura Baldisserra, Carla Calcagnile, Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Lucie Fournier, Martin Lotz, Hatziri Minaudier, Selma Olthof, Irene Robledo, and Christopher Schmidt.

ASIA

Hong Kong

PCPD Issues Guidance on Use of Social Media and Instant Messaging Apps

On April 5, 2021, the Office of the Privacy Commissioner for Personal Data (“PCPD”) issued its “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps,” providing the public with advice on how to mitigate privacy risks on social media. The guidance highlighted that social media users often unwittingly reveal more information than intended, and that most material shared online can leave a perpetual digital footprint that is difficult to remove. Information shared online may also be misused by third parties, or be used for identity theft, cyberbullying, or doxxing. The guidance further advised social media users to be extra cautious about sharing photos and information of children, and to provide adequate guidance to children on the use of social media.

Government Proposes Legislation Amendments Against Doxxing

On May 11, 2021, the Hong Kong government proposed a series of legal amendments under which anyone engaging in doxxing (i.e., maliciously revealing another person’s personal information without consent) with the intent to threaten, intimidate, harass, or cause psychological harm could face up to five years of imprisonment and a fine of up to HK$1 million (approximately USD$128,000). Local employees of overseas websites could also face two years of imprisonment and a fine of up to HK$100,000 (approximately USD$13,000) if their platforms fail to comply with content removal requests. The proposal further recommended that the PCPD be granted investigative powers to carry out criminal investigations and prosecutions and to demand takedowns of online content.

People’s Republic of China

SPP Announces 11 Typical Cases of Public Interest Litigation for Personal Information Protection

On April 22, 2021, the Supreme People’s Procuratorate (“SPP”) announced 11 typical cases of public interest litigation regarding the protection of personal information (source document in Chinese). The announcement made clear that if internet companies fail to fulfill their personal information management and protection obligations, they may bear responsibility for public damages through public interest litigation. The 11 typical cases include both pure civil public interest litigation cases involving internet companies’ illegal collection or acquisition of personal information, and civil public interest litigation cases incidental to criminal cases involving the illegal acquisition and trading of personal information by other means, such as technical software and property services.

China Publishes Draft Provisions on Mobile Applications for Public Comments

On April 26, 2021, the draft Provisions on the Administration of Mobile Internet Applications Information Services was made available for public comment until May 26 (source document in Chinese). The provisions would regulate information service providers that make use of mobile apps and app store services within the territory of China. The provisions (i) defined the scope of application and the supervising authorities; (ii) clarified the principles of “informed consent” and “least necessary”; (iii) refined the principal duties and obligations of app developers and operators, distribution platforms, third-party service providers, terminal manufacturers, and network access service providers; and (iv) proposed requirements for complaints and reports, supervision and inspection, disposal measures, and risk warnings.

China Promulgates Provisions on the Scope of Necessary Personal Information Required for Mobile Applications

On May 1, 2021, the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Apps took effect (source document in Chinese). The provisions prohibit mobile app operators from refusing to provide basic app functions to users who do not agree to provide unnecessary personal information. The provisions were implemented specifically to enforce the Chinese Cybersecurity Law provisions on network operators’ compliance with the principles of lawfulness, fairness, and necessity in the collection and use of personal information, and the prohibition on the collection of personal information irrelevant to the services they provide. The provisions set forth the scope of necessary personal information for 39 common types of mobile apps.

Japan

Cabinet of Japan Issues Order to Enforce PIPA Amendments

On March 24, 2021, the Cabinet of Japan issued the amendment to the Cabinet Order to Enforce the Personal Information Protection Act (“PIPA”) and the amendment to the Enforcement Regulation Concerning PIPA (source documents in Japanese). These amendments provide further detailed guidance regarding the key amendments to the PIPA, including when and how data breach reports should be made, and the additional information that must be provided to obtain consent for cross-border transfer.

Diet Passes Bill to Amend PIPA

On May 12, 2021, the National Diet of Japan (“Diet”) passed a bill amending the PIPA (source document in Japanese). This amendment, among other goals, aims to integrate the different data protection laws and rules that apply to the private and public sectors, including unifying the definition of “personal information” for both sectors, and broadening the authority of the Personal Information Protection Commission to supervise and govern the sectors.

PPC Publishes Draft Guidelines for Amendment of PIPA

On May 19, 2021, the Personal Information Protection Commission (“PPC”) published a draft amendment of the guidelines regarding the 2020 amendment of PIPA, which will fully take effect on April 1, 2022 (source document in Japanese). The draft amended guidelines include, among other things, an amendment regarding the general rules, an amendment regarding cross-border transfer, an amendment regarding verification and recordkeeping at the time of transfer of data, and an amendment regarding anonymously processed information (source documents in Japanese). Public comments were due on June 18, 2021.

Thailand

Thailand Delays Implementation of PDPA

On May 5, 2021, Thailand delayed businesses’ obligations to comply with the new Personal Data Protection Act (“PDPA”) until May 31, 2022, due to the effects of COVID-19. The PDPA was expected to come into full effect at the end of May 2021 after initially being deferred in May 2020. In the interim, data controllers must have in place personal data protection maintenance measures in accordance with the standards prescribed by the Ministry of Digital Economy and Society.

The following Jones Day lawyers contributed to this section: Elizabeth Cole, Michiru Takahashi, and Sharon Yiu.

AUSTRALIA

ASIC Stresses Focus on Cyber Risk

On March 10, 2021, the Australian Securities and Investments Commission (“ASIC”) Deputy Chair gave a speech to the Australian Financial Review Business Summit in which she referred to cyber risk as the new frontier for both national defense and market integrity. She highlighted ASIC’s cyber supervisory endeavors, which include raising awareness of cyber resilience, helping regulated entities prepare for their self-assessment, and taking deterrence-based enforcement action. She also referred to the first action taken by ASIC against an Australian financial services licensee for poor cybersecurity systems and warned that it would not be the last.

Australian Government Launches International Cyber and Critical Technology Engagement Strategy

On April 21, 2021, the Australian government launched its International Cyber and Critical Technology Engagement Strategy, which builds on and complements the strategy developed in 2017 and the 2020 Cyber Security Strategy. The strategy offers $37.5 billion in support to neighboring countries and has a key focus on “values, security, and prosperity,” as well as on developing and shaping relationships with trusted international partners on cybersecurity and critical technologies.

APRA Considers Cyber Risk the Most Difficult Prudential Threat

On April 28, 2021, the Australian Prudential Regulation Authority (“APRA”) Chair gave a speech to the Committee for the Economic Development of Australia in which he referred to cyber risk as the most difficult prudential threat, as it is driven by malicious and adaptive adversaries who are intent on causing damage. He outlined APRA’s three primary focus areas: to establish a baseline of cyber controls; to enable boards and executives of financial institutions to oversee and correct cyber exposures; and to rectify weak links within the broader financial ecosystem and supply chain.

The following Jones Day lawyers contributed to this section: Adam Salter, Daniel Moloney, and Maria Yiasemides.

Recent and Upcoming Speaking Engagements

Managing Through Crushing Litigation & Disruptive M&A, BarkerGilmore (March 2021). Jones Day Speaker: Lisa Ropple

Obligation to Document Data Breaches and Post-breach Management Measures: Contract Management and Liability Issues, Online Seminar “Responding to Personal Data Breaches in the Post-GDPR,” Academy of European Law (ERA) (March 2021). Jones Day Speaker: Jörg Hladjk

JONES DAY TALKS®: Cyber Risks: A False Sense of Security – Episode 1 (May 2021). Jones Day Speakers: Justin Herdman, Lisa Ropple, Grayson Yeargin

Jones Day’s Cybersecurity and Privacy Update: A Roundtable Discussion of Key Developments and Hot Topics Webinar (May 2021). Jones Day Speakers: Various

Legal Developments, Trends and Predictions for Financial Services and FinTech in Georgia, sponsored by the State Bar of Georgia (May 2021). Jones Day Moderator: Mary Alexander Myers

Mexican National Registry of Mobile Users (PANAUT): A Privacy Analysis, IAPP Mexico City Knowledge Net Chapter (May 2021). Jones Day Speaker: Guillermo Larrea

PS Forum Workshop: Latin American Privacy Law (May 2021). Jones Day Speaker: Guillermo Larrea

Cybersecurity: How Companies are Taking a Step Further to Combat Hacking and Security Breaches?, The IE Ethics & Compliance Club (May 2021). Jones Day Speaker: Guillermo Larrea

Cutting Edge Cyber Risk: Critical Infrastructure & Supply Chain, Boston Bar Association (June 2021). Jones Day Speaker and Moderator: Lisa Ropple

Jones Day’s Sweeping EU Proposal to Regulate AI: A New Global Standard? Webinar (June 2021). Jones Day Speakers: Various

“Cybersecurity – That was Then, this is Now”, Society for Corporate Governance, 2021 National Conference (June 2021). Jones Day Moderator: Lisa Ropple

Jones Day’s New SCCs and Post-Schrems II Enforcement: Latest Developments On International Data Transfers Webinar (July 2021). Jones Day Speakers: Various

Recent and Upcoming Publications

COVID-19 Vaccinations and Considerations for European Employers (March 2021). Jones Day Authors: Various

COVID-19 Key EU Developments, Policy & Regulatory Update No. 38 (March 2021). Jones Day Authors: Various

Virginia Becomes the Second State to Enact a Comprehensive Data Privacy Law (March 2021). Jones Day Authors: Various

New York Department of Financial Services Imposes Penalty and Consent Order for Cybersecurity Violations (March 2021). Jones Day Authors: Various

GSA’s Use of DoD Cybersecurity Language for Future Contracts Signals Increased Security Requirements in Civilian Contracts (March 2021). Jones Day Authors: Various

European Commission Expert Group Issues Connected and Automated Vehicle Privacy Recommendations (April 2021). Jones Day Authors: Various

France Plans on Adopting New Rules for Self-Driving Cars (April 2021). Jones Day Authors: Various

NFTs: Key U.S. Legal Considerations for an Emerging Asset Class (April 2021). Jones Day Authors: Various

Regulating Artificial Intelligence: European Commission Launches Proposals (April 2021). Jones Day Authors: Various

Autonomous Vehicles: Legal and Regulatory Developments in the United States (May 2021). Jones Day Authors: Various

Litigation and Regulatory Considerations and Risks for Financial Market Participants in a Post-Pandemic Society (May 2021). Jones Day Authors: Various

Cybersecurity Executive Order Establishes Framework to Strengthen Cybersecurity Elements of Federal Government Contracts (May 2021). Jones Day Authors: Various

China Takes Major Step Towards Finalizing National Data Regulation Regime (May 2021). Jones Day Authors: Various

Executive Order Launches Cybersecurity Labeling Regime for Consumer Products (May 2021). Jones Day Authors: Various

Italian Data Protection Authority Issues Guidelines on Data Processing Relating to Employees’ COVID-19 Vaccinations at the Workplace (May 2021). Jones Day Authors: Various

Model Terms Demanded for Cloud Service Agreements with European Banks (May 2021). Jones Day Authors: Various

White House Calls for Federal Reforms in Long-Anticipated Cybersecurity Executive Order (May 2021). Jones Day Authors: Various

New Standard Contractual Clauses by the European Commission: What You Need to Know (June 2021). Jones Day Authors: Various

China Finalizes Data Security Law to Strengthen Regulation on Data Protection (June 2021). Jones Day Authors: Various

Supreme Court Narrows Article III Standing in Damages Actions (July 2021). Jones Day Authors: Various

New York Department of Financial Services Announces New Guidance on Ransomware Prevention (July 2021). Jones Day Authors: Various

FinCEN Issues First U.S. Priorities for Anti-Money Laundering and Counter-Terrorism Financing (July 2021). Jones Day Authors: Various

Florida Makes Significant Changes to State Telemarketing Laws (July 2021). Jones Day Authors: Various

Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity “Safe Harbor” (July 2021). Jones Day Authors: Various
