Jones Day Global Privacy & Cybersecurity Update Vol. 28 – Privacy

Jones Day Cybersecurity, Privacy & Data Protection
Lawyer Spotlight: Mary Alexander Myers

As companies increasingly treat data as a critical asset, and data becomes a driver of technology-focused transactions, companies must balance compliance obligations with the desire to commercialize and use data. Mary Alexander Myers guides clients through all aspects of data-related transactions, helping them navigate the increasingly complex legal, regulatory, and contractual requirements emerging in this area. She has an innovative transactional practice, in which she provides strategic advice regarding data-related issues at the intersection of privacy, cybersecurity, intellectual property, and licensing. She advises clients on a wide range of strategic technology transactions and cybersecurity and data privacy matters, with particular focus on protecting key intellectual property and data assets. She has extensive experience counseling clients on data privacy compliance, outsourcing and technology transactions, intellectual property licensing arrangements, and other related matters. Her practice includes representing buyers and sellers in domestic and cross-border corporate transactions, including mergers and acquisitions and financing arrangements. Mary Alexander has advised clients in a wide variety of industries, including financial services, healthcare, and technology, and works with public companies as well as emerging technology-driven businesses and

Mary Alexander is located in the Firm's Atlanta Office. She serves on the executive committee for the Privacy and Technology Section of the State Bar of Georgia, where she coordinates programming and outreach. She frequently speaks on issues related to technology, privacy, and security.


Regulatory-Policy, Best Practices, and

President Biden Issues Cybersecurity Executive

On May 12, 2021, President Biden issued an executive order that placed new standards on the cybersecurity of software purchased by the federal government. The order requires software purchased by the federal government to meet a series of new cybersecurity standards, calls for development of contractual language that allows service providers to share information regarding potential incidents with federal agencies, and proposes to standardize the federal government's response to critical vulnerabilities and incidents. The new order also establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, to analyze what happened following a cybersecurity incident and to make recommendations for improving cybersecurity.

White House Issues Best Practices for Ransomware Threats
for Private Businesses

On June 2, 2021, the White House published an open letter to corporate executives and business leaders with the U.S. government's recommended best practices to mitigate and prevent ransomware threats and attacks. The letter urged private businesses to implement the five best practices from the president's executive order, back up data, regularly test the backups and keep the backups offline, update and patch systems promptly, test the incident response plan, implement third-party penetration tests of system security, and segment internal

Regulatory-Consumer and Retail

FTC Settles With Photo App Developer Over Claims of
Misusing Facial Recognition Technology
On May 7, 2021, a photo app developer finalized a settlement with the Federal Trade Commission ("FTC") over claims that it deceived consumers about its use of facial recognition technology and its retention of the photos and videos of users who deactivated their accounts. The FTC alleged that the developer misled users of its mobile app that it would not apply facial recognition technology to users' content unless they affirmatively chose to activate the feature, although the facial recognition feature was activated for all users except those in three U.S. states and the European Union. The FTC also alleged that the developer falsely represented that it would delete the photos and videos of users who deactivated their accounts, although it retained their photos and videos indefinitely. As part of the settlement, the developer is required to obtain consumers' express consent before using facial recognition technology and delete the photos and videos of users who deactivated their accounts, as well as the models and algorithms it had developed by using those consumers' photos and videos.

FTC Releases Annual Report
On May 24, 2021, the FTC released its 2020 Privacy and Data Security Update, an annual report on the agency's most significant enforcement actions, policy and advocacy initiatives, and education and outreach programs over the past year.


NYDFS Issues Report on SolarWinds Hack

In April 2021, the New York Department of Financial Services ("NYDFS") issued the "Report on the SolarWinds Cyber Espionage Attack and Institutions' Response." While the report found that, to date, no company regulated by the NYDFS had reported that the SolarWinds hackers actively exploited their network and that financial services companies were generally not actively targeted for exploitation, it also warned that the "next great financial crisis could come from a cyber attack." The agency made several recommendations, including implementing multiple layers of security and an incident response

NYDFS Issues New Guidance on Ransomware

On June 30, 2021, the NYDFS issued new guidance to regulated entities on preventing ransomware attacks. The guidance stated that regulated companies should implement the following controls whenever possible: (i) email filtering and anti-phishing training; (ii) vulnerability and patch management with regular testing and updates; (iii) multifactor authentication; (iv) disabled remote desktop access; (v) strong, unique passwords; (vi) privileged access management; (vii) system monitoring and an Endpoint Detection and Response solution. For more information, please see our Jones Day Alert.


DOE Announces RFI Focused on Protecting U.S. Supply

On April 20, 2021, the Office of Electricity at the Department of Energy ("DOE") notified the public of a Request for Information ("RFI") on "ensuring the continued security of the United States critical electric infrastructure," focused on "[p]reventing exploitation and attacks by foreign threats to the U.S. supply chain." The DOE plans to use the requested feedback to develop a long-term strategy to ensure stakeholders' procurement practices evolve to match the changing threat landscape, which currently includes exploitable vulnerabilities in foreign-sourced electrical systems equipment. The RFI is part of the DOE's cybersecurity "100-day sprint" initiative aimed at improving the security of priority electric infrastructure control

Pipeline Suffers Ransomware Attack

On May 7, 2021, an oil pipeline company reported that it suffered a ransomware attack. As a precaution to prevent the ransomware from migrating, the company chose to shut down its pipeline and did not return it to full service for several days. In response to the attack, the White House announced an initiative to enhance collaboration on cybersecurity resilience between the federal government and its private sector partners, while noting that the attack "put the spotlight on the fact that our nation's critical infrastructure is largely owned and operated by private-sector

Regulatory-Health Care/HIPAA

Medical Collection Agency Reaches Agreement With 41
States Following 2019 Data Breach

On March 11, 2021, a medical collection agency reached an agreement with 41 state attorneys general following a 2019 data breach that exposed the personal information of 21 million individuals. The agency agreed to implement and maintain a number of data security practices to strengthen consumer protections. The agency will also be responsible for a $21 million payment to the states if the company violates the injunctive terms of the settlement.

Clinical Laboratory Settles HIPAA

On May 25, 2021, a clinical laboratory reached a $25,000 settlement with the Office for Civil Rights ("OCR") at the U.S. Department of Health and Human Services ("HHS") for alleged violations of the Health Insurance Portability and Accountability Act ("HIPAA") Security Rule. The company provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. After conducting an investigation, the OCR found systemic noncompliance with HIPAA, including the failure to conduct an enterprise-wide risk analysis and implement risk management and audit controls. The OCR reiterated that "[c]linical laboratories, like other covered health care providers, must comply with the HIPAA Security

Regulatory-Defense and National Security

DHS Announces Cybersecurity Requirements for Critical
Pipeline Owners

On May 27, 2021, the Department of Homeland Security ("DHS") announced new cybersecurity requirements for owners and operators of critical pipelines. Owners and operators must report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and designate a cybersecurity coordinator who will be available 24/7. They also must review their current cybersecurity practices to identify gaps and remediation measures and must report the results within 30

President Biden Issues Executive Order to Protect
Sensitive Data 

On June 9, 2021, President Biden issued an executive order to further address the continuing national emergency with respect to the threats posed to the United States' information and communications technology and services ("ICTS") supply chain. The executive order directs the use of a criteria-based decision framework and evidence-based analysis to address threats posed by ICTS transactions involving software applications subject to a foreign adversary jurisdiction. The executive order also directs the Department of Commerce to make recommendations to protect sensitive personal data and transactions involving software applications connected to a foreign adversary.

NSA Funds Development and Release of D3FEND

On June 22, 2021, the National Security Agency ("NSA") announced the release of the NSA-funded MITRE D3FEND, "a framework for cybersecurity professionals to tailor defenses against specific cyber threats." D3FEND establishes terminology of computer network defensive techniques and provides a model of how to counter common offensive techniques. The framework is complementary to MITRE's ATT&CK, a knowledge base of cyber adversary behavior.


DHS Taps Transportation Systems for Cybersecurity

On March 31, 2021, the Department of Homeland Security ("DHS") outlined six "sprints" planned by DHS to improve federal cybersecurity across a range of areas, including the nation's transportation systems. Each sprint will play out over 60 days and endeavor to "mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary."

Litigation, Judicial Rulings, and Enforcement

NYDFS Imposes Penalty and Consent Order for
Cybersecurity Violations

On March 3, 2021, the NYDFS announced a consent order with a mortgage bank for violations of New York's Cybersecurity Regulation. In March 2020, the NYDFS conducted a routine compliance examination of the bank and discovered that the bank had failed to adequately investigate or report a March 2019 cybersecurity incident as required under state data breach notification laws and the NYDFS Cybersecurity Regulation. As part of the settlement, the bank agreed to pay $1.5 million in penalties and to comply with all provisions of the Cybersecurity Regulation. For more information, please see our Jones Day Alert.

District Court Finds CCPA Does Not Apply

On March 5, 2021, the District Court for the Northern District of California found that the California Consumer Privacy Act ("CCPA") does not apply retroactively if an alleged data breach occurred before January 1, 2020. The plaintiff filed a class action suit alleging that a retailer failed to disclose a data breach. The plaintiff did not allege a date of the breach, only that his personal information "is currently available on the dark web." The court found that "absent allegation establishing that [the company's] alleged violation of the CCPA occurred after it went into effect, Plaintiff's CCPA claim is not viable." The district court granted the company's motion to dismiss, but allowed the plaintiff to file an amended

Supreme Court Clarifies TCPA Definition of

On April 1, 2021, the Supreme Court resolved a key question under the Telephone Consumer Protection Act ("TCPA"): whether equipment that dials from a list of numbers qualifies as an "automatic telephone dialing system" ("ATDS") subject to the TCPA's statutory penalties. The Supreme Court held that equipment dialing from a list of numbers does not qualify as an ATDS. Instead, equipment must "use a random or sequential number generator" to qualify as an ATDS. For more information, please see our Jones Day Alert.

Supreme Court Curbs FTC’s Ability to Pursue Monetary

On April 22, 2021, the Supreme Court held that Section 13(b) of the FTC Act does not authorize the FTC to seek, or a court to award, equitable monetary relief such as restitution or disgorgement. While the district court and Ninth Circuit both allowed for equitable monetary relief under Section 13(b), the Supreme Court reversed, finding that the plain language of Section 13(b) authorizes only injunctive relief, and not retrospective monetary remedies as the FTC had previously and consistently relied upon. Now the FTC can seek monetary remedies only in "conditioned and limited"

Second Circuit Provides Clarity on Data Breach Standing

On April 26, 2021, the Second Circuit clarified that the risk of identity theft after a data breach may be grounds to sue. In that case, a health services provider inadvertently disclosed personally identifiable information (e.g., social security numbers and dates of birth) of current and former employees. While the Second Circuit found that mere risk of identity theft following a data breach may allow for standing, the court held that the data at issue here did not show "a substantial risk of future identity theft or fraud sufficient to establish Article III standing."

Pennsylvania AG Investigates Breach of Contact Tracing

On April 29, 2021, an IT services company announced that some of the personal information that it had collected for COVID-19 contact tracing services in Pennsylvania had been accessed by an unauthorized party. The Attorney General of Pennsylvania remarked, "[M]y office has opened investigations into this data breach on several fronts," but declined to provide further comment on the

Massachusetts AG Probes Data Collection Practices of
Pharmacies Offering COVID-19 Vaccines

On May 3, 2021, the Massachusetts Attorney General's Office sent a letter to major pharmacy chains, requesting that they explain their personal data collection practices for patients receiving the COVID-19 vaccine. The letter asked the pharmacies how they disclosed data collection practices, obtained consent to collect personal data, and used the personal information of those same consumers, and whether the pharmacies collected information or required the creation of accounts from consumers who sought or received the vaccine at their stores.

Retailer to Settle BIPA Class Action for $10

On June 16, 2021, an Illinois court approved a settlement whereby a retailer will pay $10 million to resolve claims that it violated the Illinois Biometric Information Privacy Act ("BIPA"). The class alleging BIPA violations consisted of current and former employees who claimed that they were required to use a palm scanner system to access the cash register without first providing written consent. The company had attempted to dismiss the case in 2019, arguing that plaintiffs' claims were time-barred and merely showed procedural violations of state law.

Supreme Court Narrows Article III Standing for Class

On June 25, 2021, the Supreme Court decided TransUnion LLC v. Ramirez, vacating a class action judgment and holding that a plaintiff lacks Article III standing to seek damages for a private defendant's statutory violations unless the plaintiff can show an actual real-world injury. Whereas the Ninth Circuit had held that all 8,185 class members had standing on their statutory claims, the Supreme Court limited standing to only the 1,853 class members whose consumer reports had been disseminated to third-party businesses. For more information, please see our Jones Day Commentary.


Members of Congress Reintroduce Bills to Protect Energy

In late April and early May 2021, House lawmakers reintroduced several bipartisan bills, first introduced in the 116th Congress, aimed at avoiding future cyberattacks on critical energy infrastructure. The current version of the Pipeline and LNG Facility Cybersecurity Preparedness Act would require the DOE to "carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities," while this year's version of the Enhancing Grid Security through Public-Private Partnerships Act would require the DOE to implement a program that facilitates and encourages public-private partnerships to address cybersecurity vulnerabilities of the electric grid. The latest iteration of the Cyber Sense Act, which passed the House in 2020, would require the DOE to establish a program to test the cybersecurity of "products and technologies intended for use in the bulk-power system."


Virginia Passes Omnibus Consumer Privacy

On March 2, 2021, Virginia signed into law the Virginia Consumer Data Protection Act ("VCDPA"). The act, which goes into effect on January 1, 2023, applies to companies doing business in Virginia or marketing to Virginians that meet one of two specified thresholds. Unlike the CCPA, the VCDPA contains no private right of action, applies to fewer covered businesses, and has a narrower definition of the "sale" of data. The VCDPA also eschews the language of the CCPA in favor of the European Union's data protection terminology (e.g., adopting terms such as "controller" and "processor").

Oklahoma Adds Ransomware Language to Computer Crimes

On May 28, 2021, the Oklahoma Legislature amended the Oklahoma Computer Crimes Act to add "malicious computer program" as a defined term that includes "viruses, Trojan horses, spyware, worms, rootkits, backdoors, [and] ransomware." Additionally, it is now unlawful to use malicious computer programs to disclose or take possession of a computer, computer network or system, data, or any other property. The amendment becomes effective on November 1, 2021.

Connecticut Expands Data Breach Notification
Requirements and Establishes a Cybersecurity “Safe

On June 16 and July 6, 2021, the Connecticut governor signed two new cybersecurity laws. "An Act Concerning Data Privacy Breaches" amends Connecticut's existing data breach notification law to shorten the time to notify Connecticut residents of a data breach to 60 days after discovery, and expands the definition of personal information to include IRS identification numbers, certain medical information, biometric information, and online account information, among other changes. "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses" establishes a safe harbor against tort claims for companies that have implemented a written cybersecurity program that complies with an industry-recognized framework, such as the National Institute of Standards and Technology. For more information, please see our Jones Day Alert.

Colorado Becomes Third State to Enact Comprehensive Data
Privacy Law

On July 7, 2021, the Colorado governor signed the Colorado Privacy Act ("Act") into law, making Colorado the third state, after California and Virginia, to enact a comprehensive data privacy law. The Act comes on the heels of the March 2021 passage of the VCDPA and appears to borrow many data protection principles from both the VCDPA and the European Union's General Data Protection Regulation. The Act takes effect on July 1, 2023. For more information, please see our Jones Day Commentary.

The following Jones Day attorneys contributed to this section: Jennifer C. Everett, Kerianne Tobitsch, Keeton Christian, Rebecca Iafrati, Ruby Lang, Bailey Loverin, Sara Lynch, Megan McKnelly, Dan Ongaro, Christina O'Tousa, Michael Phillips, Ayesha Rasheed, Molly Russell, and Jenny Whalen-Ball. Summer associate Lindsy Maglich also contributed to this section.



AAIP Issues Guidelines on Personal
Data Processing During COVID-19 Pandemic

On April 20, 2021, Argentina's Public Information Access Agency (Agencia de Acceso a la Información) issued three guidelines to strengthen the proper processing of personal data, body temperature data, and geolocation data during the COVID-19 pandemic (source document in


ANPD and SENACON Sign Cooperation Agreement

On March 22, 2021, the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de) and the Consumer Protection Agency (Secretária da Secretaria Nacional do) released a press statement regarding their recent cooperation agreement, which aims to protect consumers' data and accelerate security incident investigations (source document in Portuguese).

ANPD Issues Recommendations for Social Media Privacy

On May 7, 2021, the ANPD issued recommendations to social media companies regarding their privacy policies (source document in Portuguese). The recommendations suggested postponement of the new privacy policies until the Brazilian privacy recommendations are adopted, and maintenance of the current usage model and

ANPD Issues Guideline for Definition of Processing
Agents and Data Protection Officers

On May 28, 2021, the ANPD issued a Guideline for the Definition of Processing Agents and Data Protection Officers (source document in Spanish). This guideline defines and provides examples of personal data agents, such as the data controller, data processor, and data protection officer. Furthermore, it differentiates between joint and separate controllerships. A joint controller refers to multiple data controllers making common decisions regarding data processing, while under a separate controllership decisions are made by a single data


CPLT Offers Free Online Data Protection

On April 2, 2021, the Council for Transparency (Consejo para la transparencia-"CPLT") released a press statement promoting its new educational platform, which includes personal data protection-focused online trainings and educational resources (source document in Spanish).


SIC Releases Annual Survey on Data Processing Security

On March 11, 2021, the Superintendence of Industry and Commerce ("SIC") issued a press release on the second annual study of security measures implemented by the 33,596 entities that registered their databases in the National Database Registry for collection, storage, or processing of personal data (source document in Spanish). The study showed that many organizations did not have efficient mechanisms to protect their users' data from security incidents.

SIC Issues Recommendations on Use of Physical or
Electronic Biometric Data Readers

On March 16, 2021, the SIC issued recommendations urging companies to refrain from using fingerprint or biometric readers to collect personal data, due to the COVID-19 transmission risk posed by these devices (source document in Spanish). Furthermore, the SIC stated that if an alternative biometric data collection mechanism is not possible, a permanent cleaning and disinfection process must be


Ecuadorian Legislators Approve Data Protection

On May 10, 2021, Ecuadorian legislators approved the Organic Law on Data Protection, which aims to guarantee personal data protection rights, digital rights, and adequate data processing (source document in Spanish). The national data authority will be the Superintendence of Personal Data Protection, which will maintain a national data protection registry. Violators of the law are subject to fines.


INAI Issues Recommendations on Personal Data Protection
During COVID-19 Vaccination Process

On March 10, 2021, the National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales-"INAI") issued official communication No. INAI/083/21, which recommended data processing practices for the COVID-19 vaccination process (source document in Spanish).

INAI Issues Recommendations Regarding Banking
Institutions and Clients’ Geolocation

On March 20, 2021, the INAI issued official communication No. INAI/097/21, which recommends banking institutions take extreme precautions when monitoring clients' geolocation (source document in Spanish). These recommendations arise from the newly released anti-money laundering guidelines, which require bank customers to provide their consent prior to geolocation monitoring. The INAI stated that geolocation monitoring of customers is only permissible with prior

INAI Challenges National Registry of Cellphone Users in
Supreme Court

On April 27, 2021, the INAI issued a press release regarding its decision to file an action in Mexico's Supreme Court ("SCJN") alleging the amendment to the Federal Telecommunications and Broadcasting Law that created the National Register of Mobile Telephone Users ("PANAUT") is unconstitutional (source documents in Spanish). The INAI alleged that PANAUT violates personal data protection rights and principles of proportionality, security, and legal certainty because the registry uses sensitive biometric data, restricts the right to access information, and grants undue power to the Federal Telecommunications Institute. The SCJN has not yet decided whether the action will proceed.

Mexican Senator Proposes Bill to Create a 72-Hour Data
Breach Notification Requirement

On April 29, 2021, a senator filed an initiative to amend the Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP") by adding a requirement that entities notify data subjects and the INAI of a data breach within 72 hours (source document in Spanish). The initiative also aims to impose an obligation on foreign controllers to appoint a local representative to comply with their obligations under the LFPDPPP. The initiative was sent from the Senate to the respective commission, and awaits further approval.


Panamanian Data Protection Law Enters in

On March 29, 2021, Panama's data protection law (Ley 81 del 26 de marzo del 2019) took effect (source document in Spanish). The law creates principles, obligations, and procedures for lawful data processing; requires data controllers to obtain the data subject's consent prior to any data processing; and imposes sanctions on those who fail to comply, including fines ranging from USD $998 to $9,998 and database file closure.


Peru Introduces New Data Protection

On June 9, 2021, Peru's Council of Ministers (Consejo de) approved the Project of Law No. 337-2021, which permits the creation of the National Authority for Transparency, Access to Public Information, and Protection of Personal Data (Autoridad Nacional de Transparencia, Acceso a la Información Pública y Protección de Datos) (source in Spanish). Under current law, the National Authority for Personal Data (Autoridad Nacional de Protección de Datos Personales) is the data protection authority for Peru, but now it will be merged with the new authority to create a new hybrid authority that will have its own legal standing, greater autonomy, and resources.


Agency Issues Recommendations on Use of Vaccination
Center Images

On March 15, 2021, the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) issued a series of recommendations regarding the collection and dissemination of images of individuals in COVID-19 vaccination centers. These images are classified as personal data requiring the express and written consent of the data subject (source document in Spanish).

The following Jones Day attorneys contributed to this section: Guillermo Larrea, Juan Carlos Quinzaños, and Victoria


European Commission

Commission Proposes New Rules to Regulate

On April 31, 2021, the European Commission ("Commission") unveiled a proposal for a "Regulation laying down harmonized rules on artificial intelligence" ("AI Regulation"), which sets out how AI systems and their outputs can be introduced to and used in the European Union ("EU"). If adopted by the EU Parliament and Council (which could take two to three years), the AI Regulation would apply alongside the EU General Data Protection Regulation ("GDPR") to ensure the protection of individuals' personal data. For more information, please see our Jones Day

Commission Adopted New Standard Contractual

On June 4, 2021, the Commission adopted new Standard Contractual Clauses ("SCCs") for the transfer of data to third countries that do not meet GDPR requirements for an adequate level of data protection. SCCs are model data transfer terms that are implemented between entities in the European Economic Area ("EEA") exporting personal data to importing entities in third countries. On the same day, the Commission adopted another decision on a set of standard contractual clauses under Article 28 GDPR for use between controllers and processors established in the EEA. These standard contractual clauses concern the provisions necessary for a data processing agreement pursuant to Article 28 of the GDPR and should not be confused with the SCCs, which are safeguards for the transfer of personal data to third countries.

Commission Adopted Two Adequacy Decisions for the United

On June 28, 2021, the Commission adopted two adequacy decisions for the United Kingdom ("UK"), one under the GDPR and the other for the Law Enforcement Directive. The adequacy decisions allow for the free flow of personal data from the EU to the UK, where UK law provides an essentially equivalent level of data protection to that guaranteed under EU law. For the first time, both decisions include a "sunset clause," which limits the duration of adequacy to four years and allows the Commission to monitor the legal situation in the UK. As long and as far as the adequacy decisions apply, EU data exporters are not required to implement appropriate safeguards under Article 46 of the GDPR (such as SCCs) for data transfers to the UK.

European Council

Council Adopts Conclusions on EU’s Cybersecurity Strategy

On March 22, 2021, the EU Council (“Council”) adopted conclusions on the EU’s cybersecurity strategy (“Strategy”). The Strategy outlines the framework for EU action to protect EU citizens and businesses from cyber threats, promote secure information systems, and protect a global, open, free, and secure cyberspace. In its conclusions, the Council highlighted a number of areas for action in the coming years (e.g., creating a network of security operation centers in the EU and applying the EU 5G toolbox measures).

Court of Justice of the European Union

ECJ Rules on Conditions for Access to Retained Traffic
and Location Data

On March 2, 2021, the European Court of Justice (“ECJ”) in H.K. v. Prokuratuur, Case C-746/18, clarified the conditions under which public authorities may access traffic or location data to combat serious crime or prevent serious threats to public security. In particular, the ECJ held that access may be granted “regardless of the length of the period in respect of which access to those data is sought and [regardless of] the quantity or nature of the data available in respect of such a period.”

European Data Protection Board

EDPB and EDPS Adopt Joint Opinion on Data Governance

In March 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted a joint opinion on the proposal for a Data Governance Act (“DGA”). The DGA would promote the availability of public sector data and data sharing in the internal market. The opinion invited legislators to ensure that the DGA is consistent with EU data protection legislation.

EDPB Issues Opinions on Draft UK Adequacy Decision

On April 13, 2021, the EDPB issued two opinions (Opinion 14/2021 and Opinion 15/2021) regarding the Commission’s draft implementing decision on the adequate protection of personal data in the UK. The EDPB concluded that the core provisions of the UK and EU data protection laws are aligned, but recommended that the Commission analyze the mechanism used to inform relevant EU Member States of further processing or disclosure by UK authorities to which personal data has been transferred. In addition, the EDPB advised the Commission to fulfill its monitoring role and to amend the adequacy decision to introduce specific safeguards for data transferred from the EU, or to suspend the decision in case the equivalent level of protection of personal data is not maintained by the UK.


Belgium

Belgian DPA Develops Practical Tools for

In March 2021, the Belgian Data Protection Authority (“DPA”) developed practical tools for data controllers, data processors, and data protection officers (source document in Dutch). The tools consist of simplified templates for data registers, a roadmap on exchanges of personal data by federal government agencies, and some tools for subject-matter experts (e.g., FAQs on data protection and template letters for data subjects to exercise their rights).

Belgian DPA Calls on Citizens to Take Action Against
Social Media Company

In April 2021, the DPA contacted the Irish DPA regarding a social media company’s data breach that affected at least three million Belgian accounts. The Belgian DPA advised affected Belgian citizens to be vigilant and, if necessary, to file a complaint with the Belgian DPA, even though the company’s headquarters are in Ireland (source document in Dutch).


France

CNIL Warns Stakeholders of Approaching Deadline for
Cookie Compliance

On April 2, 2021, the French Data Protection Authority (“CNIL”) published a notice to inform stakeholders of the expiration of the deadline to comply with the rules applicable to cookies, which expired on March 31, 2021 (source document in French). The CNIL warned that it will begin carrying out assessments of website and app compliance with cookie
CNIL Publishes Provisional Recommendations for Remote
Quality Control of Clinical Trials During the Health

On April 22, 2021, the CNIL released provisional recommendations for the remote quality control of clinical trials during the pandemic (source document in French). Among other things, the CNIL’s recommendations provided guidance on the security measures necessary to ensure the protection of health data as stakeholders were forced to conduct remote quality control due to the pandemic.

CNIL Releases Opinion on the French “Health
Pass” Bill 

On May 12, 2021, the CNIL issued an opinion on the contemplated implementation by the French government of a “health pass” to control access to certain establishments based on vaccination or COVID-19 testing status (source document in French). The CNIL stated that the use of a health pass must be limited to the duration of the pandemic and to events involving a large number of people. The CNIL also recommended clearly defining the purposes of processing and the persons authorized to verify this sensitive data, to prevent any violations of data privacy rules.

CNIL Releases Interim Recommendations on Data Processing
Activities During Clinical Trials

On June 24, 2021, the CNIL updated its interim recommendations on the remote monitoring of clinical trial data, applicable until September 30, 2021 (source document in French). Further to the authorization by the French Health Security Authority of a limited list of clinical trials allowing for remote monitoring, the CNIL issued recommendations on remote monitoring, including guidance on required French formalities and security measures.

CNIL Publishes Guidance on Data Subject Rights Exercised
by Power of Attorney 

On June 25, 2021, the CNIL issued its guidelines and FAQ on the use of a Power of Attorney (“PoA”) to exercise data subjects’ rights (source documents in French). The CNIL also published a PoA template along with guidelines.


Germany

Federal Labor Court Rules on Employee’s Right to
Receive Copies of Their Emails

On April 27, 2021, Germany’s Federal Labor Court (Bundesarbeitsgericht) held that an employee’s request that their employer provide copies of the employee’s entire e-mail correspondence and of any emails that contain the employee’s name was not sufficiently specific under German civil procedural law (source document in German). The court did not clarify the material scope of the right to receive a copy of personal data processed pursuant to Art. 15(3) GDPR.

Federal Labor Court Submits Questions to ECJ on
Requirements for Dismissing DPO

On April 27, 2021, Germany’s Federal Labor Court submitted questions to the ECJ for a preliminary ruling on the requirements for the dismissal of a company data protection officer (“DPO”) under the GDPR (source document in German). Additionally, the court sought clarification as to whether there is a conflict of interest pursuant to Article 38(6) of the GDPR if the DPO serves as the chairperson of the controller’s works council.

DPAs Publish Questionnaires for Coordinated
Investigation of International Data Transfers 

On June 1, 2021, a number of German Data Protection Authorities (“DPAs”) published their jointly developed questionnaires for the coordinated investigation of international data transfers in the wake of the Schrems II decision issued one year ago by the ECJ (source document in German). The DPAs participating in the coordinated investigation announced their intention to reach out to companies in Germany on the basis of these questionnaires. The five questionnaires available so far focus specifically on the effectiveness of transfer safeguards related to the use of applicant portals, intragroup data transfers, tracking tools, and web and e-mail hosting.


Italy

Italian DPA Issues Negative Opinion on Video Security
System Based on Facial Recognition

On March 25, 2021, the Italian DPA issued a negative opinion on the Italian Ministry of the Interior’s use and public installation of a video surveillance system based on real-time facial recognition (source document in Italian). The system would have allowed for the real-time analysis of human faces, comparison with a watch-list database, and immediate alert to the police force if a match were identified. According to the DPA, the system lacked a proper legal basis for large-scale, automated processing of biometric data, and the system as designed would have resulted in indiscriminate mass surveillance.

Italian DPA Issues Warning to Government on COVID-19
Vaccination Pass

On April 23, 2021, the Italian DPA issued a warning to the Italian government pursuant to Article 58 of the GDPR in relation to the introduction of a COVID-19 vaccination pass to facilitate free movement within Italy (source document in Italian). The DPA underlined major data protection concerns, such as the lack of an adequate legal basis, insufficient specification of legal purposes for the processing of data, and the need for data minimization and transparency principles. Moreover, the government failed to consult the Italian DPA before adopting the decree, as is required by applicable

Netherlands

Dutch DPA Fines Online Travel Agency for Late Breach

On March 31, 2021, the Dutch DPA announced a fine of €475,000 for a Dutch-headquartered online travel agency for failing to report a data breach within 72 hours of becoming aware of the incident in 2019 (source document in Dutch). The data breach resulted in criminals gaining open access to personal data, including names, phone numbers, login credentials, and credit card numbers. In its statement, the Dutch DPA noted that the company was informed of the breach on January 13, 2019, but did not report the incident until February 7, 2019.

Dutch DPA Fines Municipality for Wi-Fi Tracking

In April 2021, the city of Enschede was fined €600,000 by the Dutch DPA for using Wi-Fi tracking in the city center in violation of the GDPR. The Dutch DPA pointed out that “deploying Wi-Fi tracking that makes this possible is in itself a serious breach” of the Dutch privacy law. The municipality of Enschede has lodged an objection against the decision.


Spain

Spanish DPA Imposes €8.15 Million
Fine on Telecom Company for GDPR Violations

On March 11, 2021, the Spanish DPA imposed a fine of €8.15 million on a telecommunications company for GDPR violations (source document in Spanish). The €8.15 million fine is the highest fine imposed to date by the Spanish DPA for violation of the GDPR. More specifically, the DPA found that the company (i) engaged in commercial communications to potential clients without express authorization; (ii) carried out advertising despite clients’ objections; (iii) failed to comply with the obligation of controllers to “verify[] the guarantees of the data processor” during the course of the assignment; and (iv) carried out data transfers without complying with the guarantees required by the GDPR.

Spanish DPA Sanctions and Fines Consumer Reporting
Agency for Misuse of Personal Data

On April 26, 2021, the Spanish DPA imposed a fine of €1 million on a consumer reporting agency for violating five articles of the GDPR (source document in Spanish). After receiving 97 complaints that the company had included personal data in the File of Judicial Claims and Public Bodies (“FIJ”) without first obtaining consent, the DPA carried out an investigation. In addition to the fine, the Spanish DPA has prohibited the company from continuing to process personal data through the FIJ and required the deletion of the personal data.

United Kingdom

ICO Welcomes EU Adequacy Decision 

On June 28, 2021, the Information Commissioner’s Office (“ICO”) issued a statement welcoming the EU Commission’s decision to grant the United Kingdom an adequacy decision. This adequacy decision allows EU companies to send personal data to the United Kingdom in accordance with the GDPR.

The following Jones Day attorneys contributed to this section:
Laura Baldisserra, Carla Calcagnile, Laurent De Muyter, Undine von
Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon
Lucie Fournier, Martin Lotz,
Hatziri Minaudier, Selma Olthof, Irene Robledo, and
Christopher Schmidt.


Hong Kong

PCPD Issues Guidance on Use of Social Media and Instant
Messaging Apps

On April 5, 2021, the Office of the Privacy Commissioner for Personal Data (“PCPD”) issued its “Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps,” providing the public with advice on how to mitigate privacy risks with social media. The guidance highlighted that social media users often unwittingly reveal more information than intended, and most materials shared online can leave a perpetual digital footprint that is difficult to remove. Information shared online can also be misused by third parties, or be used for identity theft, cyberbullying, or doxxing. The guidance further advised social media users to be extra cautious about sharing photos and information of children, and to provide adequate guidance to children on the use of social media.

Government Proposes Legislation Amendments Against Doxxing

On May 11, 2021, the Hong Kong government proposed a series of legal amendments to charge anyone with up to five years of imprisonment and a fine of up to HK$1 million (approximately USD$128,000) for engaging in doxxing (i.e., maliciously revealing another person’s personal information without consent) with the intent to threaten, intimidate, harass, or cause psychological harm. Local staff of overseas websites could also face two years of imprisonment and a fine of up to HK$100,000 (approximately USD$13,000) if their platforms fail to comply with content removal requests. The proposal further recommended that the PCPD be granted the investigative powers to carry out criminal investigations and prosecutions and to demand takedowns of online content.

People’s Republic of China

SPP Announces 11 Typical Cases of Public Interest
Litigation for Personal Information Protection

On April 22, 2021, the Supreme People’s Procuratorate (“SPP”) announced 11 typical cases of public interest litigation relating to the protection of personal information (source document in Chinese). The announcement revealed that if internet companies fail to fulfill personal information management and protection obligations, they will bear responsibility for public damages through public interest litigation. The 11 typical cases include both pure civil public interest litigation cases involving internet companies’ illegal collection or acquisition of personal information, as well as civil public interest litigation cases incidental to criminal cases involving the illegal acquisition and transaction of personal information by other means, such as technical software and property services.

China Publishes Draft Provisions on Mobile Applications
for Public Comments

On April 26, 2021, the draft Provisions on the Administration of Mobile Internet Applications Information Services was made available for public comment until May 26 (source document in Chinese). The provisions would regulate information service providers that utilize mobile apps and app store services within the territory of China. The provisions (i) defined the scope of application and the supervising authorities; (ii) clarified the principles of “informed consent” and “least necessary”; (iii) refined the principal duties and obligations of app developers and operators, distribution platforms, third-party service providers, terminal manufacturers, and network access service providers; and (iv) proposed requirements for complaints and reports, supervision and inspection, disposal measures, and risk warnings.

China Promulgates Provisions on the Scope of Necessary
Personal Information Required for Mobile Applications

On May 1, 2021, the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Apps took effect (source document in Chinese). The provisions prohibit mobile app operators from refusing to provide basic mobile app functions to users who do not agree to provide unnecessary personal information. The provisions were implemented specifically to enforce the Chinese Cybersecurity Law provisions involving network operators’ compliance with the principles of lawfulness, fairness, and necessity in the collection and use of personal information, and the prohibition on the collection of personal information irrelevant to the services they provide. The provisions set forth the scope of necessary personal information for 39 common types of mobile

Japan

Cabinet of Japan Issues Order to Enforce PIPA

On March 24, 2021, the Cabinet of Japan issued the amendment to the Cabinet Order to Enforce the Personal Information Protection Act (“PIPA”) and the amendment to the Enforcement Regulation Concerning PIPA (source documents in Japanese). These amendments provide further detailed guidance regarding the key amendments to the PIPA, including when and how data breach reports must be made, and the additional information that must be provided to obtain consent for cross-border transfer.

Diet Passes Bill to Amend PIPA

On May 12, 2021, the National Diet of Japan (“Diet”) passed a bill amending the PIPA (source document in Japanese). This amendment, among other objectives, aims to integrate the different data protection laws and rules that apply to the private and public sectors, including unifying the definition of “personal information” for both sectors, and broadening the authority of the Personal Information Protection Commission to supervise and govern the sectors.

PPC Publishes Draft Guidelines for Amendment of PIPA

On May 19, 2021, the Personal Information Protection Commission (“PPC”) published a draft amendment of the guidelines relating to the 2020 amendment of PIPA, which will fully take effect on April 1, 2022 (source document in Japanese). The draft amendment guidelines include, among other things, an amendment relating to the general rules, an amendment relating to cross-border transfer, an amendment relating to verification and recordkeeping at the time of transfer of data, and an amendment relating to anonymously processed information (source documents in Japanese). Public comments were due on June 18, 2021.


Thailand

Thailand Delays Implementation of PDPA

On May 5, 2021, Thailand delayed businesses’ obligations to comply with the new Personal Data Protection Act (“PDPA”) until May 31, 2022, due to the effects of COVID-19. The PDPA was expected to come into full effect at the end of May 2021 after initially being deferred in May 2020. In the interim, data controllers must have in place personal data protection maintenance measures in accordance with the standards prescribed by the Ministry of Digital Economy and Society.

The following Jones Day attorneys contributed to this section:
Elizabeth Cole, Michiru Takahashi, and Sharon Yiu.


Australia

ASIC Stresses Focus on Cyber Risk

On March 10, 2021, the Australian Securities and Investments Commission (“ASIC”) Deputy Chair gave a speech to the Australian Financial Review Business Summit in which she referred to cyber risk as the new frontier for both national defense and market integrity. She highlighted ASIC’s cyber supervisory endeavors, which include raising awareness of cyber resilience, helping regulated entities prepare for their self-assessment, and taking deterrence-based enforcement action. She also referred to the first action taken by ASIC against an Australian financial services licensee for poor cybersecurity systems and warned that it would not be the
Australian Government
Launches International Cyber and Critical Technology Engagement Strategy

On April 21, 2021, the Australian government launched its International Cyber and Critical Technology Engagement Strategy, which builds on and complements the strategy developed in 2017 and the 2020 Cyber Security Strategy. The strategy provides $37.5 billion in support to neighboring countries and has a key focus on “values, security, and prosperity,” as well as on developing and shaping relationships with trusted international partners on cybersecurity and critical technologies.

APRA Considers Cyber Risk the Most Difficult Prudential Risk

On April 28, 2021, the Australian Prudential Regulation Authority (“APRA”) Chair gave a speech to the Committee for the Economic Development of Australia in which he referred to cyber risk as the most difficult prudential risk, as it is driven by malicious and adaptive adversaries who are intent on causing harm. He outlined APRA’s three main focus areas: to establish a baseline of cyber controls; to enable boards and executives of financial institutions to oversee and correct cyber exposures; and to rectify weak links within the broader financial ecosystem and supply chain.

The following Jones Day attorneys contributed to this section:
Adam Salter, Daniel Moloney, and Maria Yiasemides.
