Jones Day Cybersecurity, Privacy & Data Protection Lawyer Spotlight: Lisa Ropple
Cyberattacks remain among the most feared events confronting corporations. A significant data security incident can cripple a company's operations, damage its brand and relationships with customers or clients, expose the company to multiple regulatory investigations and lawsuits, and require substantial capital and human resources to address. Yet despite corporations' vigilant, material investments in defensive measures, cyberattacks are expected to increase in both frequency and threat profile—targeted espionage, ransomware, denial of service, and privacy breaches. As the federal government has warned, these risks are further heightened during this pandemic, as hackers target vulnerabilities in remote work arrangements and company IT staffs are stretched thin.
Lisa Ropple, a partner based in Boston, was recently named the new co-Leader of Jones Day's global Cybersecurity, Privacy & Data Protection Practice. Lisa focuses her practice on helping companies respond effectively to significant data security events. She has represented clients across industries in connection with security incidents of all types, including some of the largest public breaches in history and nation state attacks. Experienced in all aspects of breach response, she structures and directs forensic investigations, works closely with law enforcement authorities on criminal attacks, advises and implements regulatory and individual notification, and coordinates across internal corporate functions to facilitate a consistent, strategic response.
In addition, as a litigator for over 30 years, Lisa represents companies in regulatory investigations and enforcement actions, including those brought by the FTC, SEC, OCR, multiple state attorneys general, and other federal and state regulators.
Lisa is excited to lead this dynamic practice group in advising clients on cutting-edge cybersecurity, data protection, and privacy issues in jurisdictions around the world.
Regulatory—Policy, Best Practices, and Standards
Cybersecurity Standards Issued for Government Contractors
On January 31, the Office of the Under Secretary of Defense for Acquisition and Sustainment finalized and released its first set of cybersecurity standards for government contractors. The Cybersecurity Maturity Model Certification ("CMMC") sets baseline cybersecurity standards with which government contractors must comply before being awarded Department of Defense contracts. The CMMC is a multi-tiered framework based on levels of security that are necessary for the work the contractor would be performing.
Trump Signs Executive Order Strengthening Resilience of Positioning, Navigation, and Timing Services
On February 12, President Trump signed an Executive Order establishing national policy on promoting the Federal Government's responsible use of positioning, navigation, and timing ("PNT") services. According to the Executive Order, much of U.S. critical infrastructure is reliant on PNT services—including mobile devices, all modes of transportation, emergency response, and precision agriculture. The Executive Order is designed to strengthen the national resilience of these PNT systems by providing the federal government with the ability to foster their responsible use.
Government Accountability Office Releases Report on Agency Use of NIST Framework
On February 25, the U.S. Government Accountability Office ("GAO") released a report detailing the GAO's study of 12 U.S. agencies that have a lead role in protecting critical infrastructure sectors. The report, which was commissioned pursuant to the Cybersecurity Enhancement Act of 2014, concluded that most of the agencies had not developed methods to determine the level and type of adoption of the National Institute of Standards and Technology's ("NIST") Framework for Improving Critical Infrastructure Cybersecurity. The report did find, however, that all 12 of the organizations reported either partially or fully using the Framework.
NIST Releases Draft Revisions to Cybersecurity Framework Manufacturing Profile
On March 4, NIST promulgated a draft revision to the Cybersecurity Framework Manufacturing Profile (NISTIR 8183). The Manufacturing Profile is designed to aid manufacturers in managing cybersecurity risks. The proposed updates address cybersecurity management within supply chains, self-assessments of cybersecurity risk, vulnerability disclosures, and systems integrity. NIST is seeking public comment on the proposed revisions through May 4.
Regulatory—Consumer and Retail
FTC Releases 2019 Privacy and Security Year-in-Review Report
On February 25, the FTC released its annual data privacy and security update that highlighted significant actions taken in 2019. The report noted the significant monetary awards the FTC had obtained in the past year, including a $5 billion penalty against a technology company that violated a 2012 FTC privacy order—the largest consumer privacy penalty in history—and a $700 million settlement with a consumer reporting agency related to the agency's 2017 data breach. The FTC also touted its strong enforcement of the EU–U.S. Privacy Shield framework, having brought 13 cases in 2019 against companies that allegedly made false promises related to the Privacy Shield.
FTC Announces Public Workshop on Safeguards Rule
On March 2, the FTC announced a public workshop to seek "research, testimony, and other input on proposed changes to the Safeguards Rule under the Gramm-Leach-Bliley Act." The FTC explained "[t]he workshop will explore some of the issues raised in response to amendments the FTC has proposed making to the Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program." The workshop will take place on May 13.
OCIE Releases 2020 Examination Priorities
On January 7, the Office of Compliance Inspections and Examinations ("OCIE") released its 2020 Examination Priorities. OCIE provided it "will continue to prioritize information security in each of its five examination programs." For Registered Investment Advisers, OCIE noted that examinations will focus on "(1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response and resiliency."
FINRA Holds Cybersecurity Conference
On January 14, the Financial Industry Regulatory Authority ("FINRA") held its cybersecurity conference to discuss the benefits of the NIST Cybersecurity Framework in developing a strong cybersecurity program, measures and controls to secure online systems, detecting threats in a timely manner, and minimizing the damage of security breaches. A recording of the conference is available to FINRA member firms and Certified Regulatory and Compliance Professional program graduates.
SEC Releases Cybersecurity Observations and Guidance
On January 27, the OCIE released a report detailing its cybersecurity and resiliency observations. The OCIE's report came after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report highlighted current market practices in seven areas of cybersecurity, including access rights, data loss prevention, mobile security, incident response, and training.
NYDFS Requires Financial Institutions to Submit COVID-19 Risk Management Reports
On March 10, the New York Department of Financial Services ("NYDFS") announced that certain regulated entities are required to submit a report on their preparedness and risk management plans in connection with COVID-19. Entities should address business continuity, the increased risk of cyberattacks, and data privacy as they shift to a remote work environment.
FERC Issues Performance Assessment For NERC
On January 23, the Federal Energy Regulatory Commission ("FERC") released its five-year performance assessment of the North American Electric Reliability Corporation ("NERC"), in which it concluded that NERC demonstrated it can develop and enforce Reliability Standards related to cybersecurity supply-chain risk and enhanced cyber-incident reporting.
National Academies Call for Research on Effects of Drone Traffic on Privacy, Cybersecurity
On February 19, the National Academies of Sciences, Engineering, and Medicine published "Advancing Aerial Mobility—A National Blueprint," a report based on a study by the National Academies that evaluated the potential benefits and challenges associated with advanced aerial mobility (e.g., drones). The report recommended that NASA, the Federal Aviation Administration, industry, and academia collaborate to research the effects of increased unpiloted air vehicle traffic on society, including ramifications to privacy and cybersecurity.
HHS Issues Limited Waivers of HIPAA Sanctions for Hospitals Responding to COVID-19
On March 16, the Department of Health and Human Services ("HHS") issued a bulletin that temporarily lessens the burden on hospitals to comply with certain obligations under HIPAA to facilitate the hospitals' response to potential COVID-19 exposures. The Bulletin waives sanctions and penalties under HIPAA against a covered hospital that does not comply with certain provisions of HIPAA's Privacy Rule. For more information, please see our Jones Day Commentary.
OCR Exercises HIPAA Enforcement Discretion Related to Remote Telehealth Communications During Public Health Emergency
On March 17, the Office for Civil Rights ("OCR") at HHS announced that, effective immediately, it would exercise enforcement discretion and waive potential penalties for noncompliance with HIPAA privacy and security rules in connection with the good-faith provision of telehealth using nonpublic-facing audio or video communication technologies during the COVID-19 outbreak. For more information, please see our Jones Day Commentary.
OCR to Allow Non-HIPAA Compliant Telehealth Remote Communications
On March 17, OCR announced that it would permit health care providers to communicate with patients and provide telehealth services through remote communication technologies, even if the technologies and the manner in which they are used may not be fully HIPAA-compliant. While not endorsing or recommending any specific technology or products, OCR will permit covered health care providers to use nonpublic-facing remote communication product. OCR also provided a nonexhaustive list of technology vendors that will enter into business associate agreements in connection with the provision of video communication products for telehealth purposes. For more information, please see our Jones Day Commentary.
OCR Issues Guidance on Disclosure of PHI Related to COVID-19
On March 24, OCR issued guidance on how covered entities may disclose protected health information ("PHI") about an individual infected with or exposed to COVID-19 to first responders, public health authorities, and law enforcement. The guidance addresses the disclosure of names or other identifying information about individuals without their HIPAA authorization.
OCR Announces Enforcement Discretion on Good-Faith Use and Disclosure of PHI During Public Health Emergency
On April 2, OCR announced that, effective immediately, it would exercise enforcement discretion and waive penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers and their business associates in connection with the good-faith use and disclosure of PHI for public health and public health oversight activities during the COVID-19 public health emergency.
Regulatory—Defense and National Security
DoD Requires Contractors to Complete Cybersecurity Certification
On January 31, the Department of Defense ("DoD") issued its new Cybersecurity Maturity Model Certification ("CMMC"), which now requires all defense contractors to complete a cybersecurity certification course before submitting contract proposals. The CMMC provides for five levels of certification, which are determined by a company's cybersecurity practices and processes.
NCSC Releases National Counterintelligence Strategy
On February 10, the National Counterintelligence and Security Center ("NCSC") released the U.S. National Counterintelligence Strategy for 2020–2022. The strategy focuses on five key areas: critical infrastructure, key U.S. supply chains, the U.S. economy, American democratic institutions, and cyber and technical operations. The strategy addresses the use of increasingly sophisticated technologies—including advanced cyber tools, encryption, and big data analytics—by threat actors to disrupt critical infrastructure and supply chains and exploit the U.S. economy.
DoD Adopts Ethical Principles for Artificial Intelligence
On February 24, the DoD announced the adoption of a series of ethical principles for the use of artificial intelligence ("AI"). These principles include the safety and security of AI capabilities through testing across their entire lifecycle and the minimization of unintended bias. The DoD Joint Artificial Intelligence Center will coordinate the implementation of AI ethical principles for the department.
Cyberspace Solarium Commission Releases Final Report On March 11, the Cyberspace Solarium Commission published its final report recommending a strategy of layered cyber deterrence for the next generation of cybersecurity defense in the United States. The U.S. Cyberspace Solarium Commission was chartered by the 2019 National Defense Authorization Act to analyze strategic approaches to defending the United States against cyberattacks, and the policies and legislation required to implement that strategy. In its report, the Commission recommended that Congress establish Committees on Cybersecurity in the House and Senate, along with a National Cyber Director to be the President's principal advisor for cybersecurity-related issues.
Litigation, Judicial Rulings, and Agency Enforcement Actions
Court Approves Mortgage Broker's Settlement of FTC Allegations
On January 10, a federal court approved the government's proposed settlement with a California-based mortgage broker over FTC allegations that the mortgage broker had violated the Fair Credit Reporting Act ("FCRA") when responding to negative online consumer reviews by revealing the reviewers' personal information. The FTC also alleged that the mortgage broker violated the Federal Trade Commission Act and the Gramm-Leach-Bliley Act by not implementing an information security program until September 2017 and by not testing the program. The settlement requires the mortgage broker to pay a $120,000 penalty, implement a comprehensive data security program, designate an officer to oversee and annually certify the company's compliance with the program, and obtain third-party assessments of the program every two years.
Nine States Urge Court to Reject $13M Settlement
On January 21, the attorneys general of Arizona, Alabama, Alaska, Missouri, Ohio, Arkansas, Idaho, Indiana, and Louisiana filed an amicus brief objecting to a proposed $13 million settlement of a class action lawsuit against an internet company pending in the Northern District of California. Plaintiffs allege that the company engaged in the large-scale collection of consumer information transmitted over public Wi-Fi networks, in violation of consumer privacy. In addition to the monetary penalty, the proposed settlement would require the company to delete data it acquired from the Wi-Fi networks.
Court Orders Social Media Company to Turn Over Third-Party App Data
On January 17, the Superior Court of Massachusetts ordered a social media company to turn over data about third-party applications that allegedly mishandled the personal information of users. The attorney general of Massachusetts filed the case in August 2019 in part because of media reports concerning misuse of private user information by the company.
Social Media Companies Take SCA Suit to U.S. Supreme Court
On February 7, two social media companies fileda petition for a writ of certiorari asking the Supreme Court to review a judgment of the California Court of Appeals that upheld a contempt order against the companies for refusing to turn over their users' communications in response to criminal defendants' subpoenas, out of concern that it would violate the Stored Communications Act ("SCA"). The companies have asked the Supreme Court to decide whether a criminal defendant has a constitutional right to force them to turn over the contents of their account holders' communications, notwithstanding the SCA's express prohibition on such disclosures, and whether a service provider can be held in contempt for refusing to violate the SCA in response to such a subpoena.
Attorney General Charges Chinese Military Officials for Data Breach
On February 10, the Department of Justice indicted four members of the Chinese People's Liberation Army who were allegedly behind one of the largest data breaches in history that led to the theft of millions of American citizens' personal information in 2017. The hackers allegedly used a vulnerability in a consumer reporting agency's website to gain unauthorized access to the company's network. The hackers then spent weeks conducting reconnaissance, uploading malicious software, and stealing login credentials to obtain personal information and trade secrets. The attorney general linked this attack to China's overall strategy to infiltrate American companies and to obtain the personal information of American citizens.
New Mexico Sues Internet Company for Unlawful Collection of Children's Data
On February 20, the attorney general of New Mexico filed a lawsuit against an internet company for allegedly collecting the personal data of children in violation of both federal and state law. The data included physical location information, website and video viewing histories, and voice recordings. The action is brought under the Children's Online Privacy Protection Act and the New Mexico Unfair Practices Act, and also alleges a state common law claim of intrusion upon seclusion.
Social Media Company Takes CFAA Suit to U.S. Supreme Court
On March 8, a social media company filed a petition for a writ of certiorari asking the Supreme Court to review a Ninth Circuit holding in a Computer Fraud and Abuse Act ("CFAA") case. The Ninth Circuit upheld the district court's decision barring the company from blocking a data analytics firm from using data-scraping bots and accessing the company's servers. The company asked the Supreme Court to determine whether a company violates the CFAA by deploying anonymous computer "bots" to circumvent technical barriers and harvest millions of individuals' personal data from computer servers that host public-facing websites.
Vermont Attorney General Sues Data Broker
On March 10, the Vermont attorney general filed a lawsuit against a data broker specializing in facial recognition. The complaint alleges that the data broker improperly collected faces of Vermont residents, compiled them in a database, and used artificial intelligence to map individuals' faces in violation of the Vermont Consumer Protection Act and the Vermont Fraudulent Acquisition of Data Law. The company sells access to its database to private businesses, law enforcement, and individuals, who can use the database to identify a person using only a photograph.
ACLU Sues for Records on Facial Recognition
On March 12, the American Civil Liberties Union ("ACLU") filed a lawsuit in New York federal court against the U.S. Department of Homeland Security and other federal agencies, arguing that the public has a right to know how the government is using powerful facial recognition technology in U.S. airports and what privacy safeguards are in place.
Senator Proposes U.S. Data Protection Agency
On February 13, Senator Kirsten Gillibrand announced the "Data Protection Act of 2020," which would create an independent federal agency called the Data Protection Agency ("DPA"). The DPA would have authority to enforce data protection rules using civil penalties, injunctive relief, and equitable remedies.
Senator Introduces Proposed Federal Privacy Law
On March 12, Senator Jerry Moran introduced the "Consumer Data Privacy and Security Act of 2020," which would regulate the collection, use, and protection of consumer personal information and empower the FTC with oversight authority. The bill would require companies to collect and process personal data only with the consent of the individual or for a permissible purpose.
California Attorney General Issues CCPA Advisory for California Consumers
On January 6, the attorney general of California issued an advisory for consumers regarding their rights under the California Consumer Privacy Act ("CCPA"). The advisory highlights the rights afforded to California residents under the CCPA, explains which businesses are subject to the CCPA, and notes the existence of the California Data Broker Registry, which is also accessible to consumers. The advisory also advises consumers of their right to pursue a private right of action under the CCPA in the case of a data breach.
California Attorney General Issues First and Second Modified CCPA Regulations
On February 10, the California attorney general released a first setof modifications to the CCPA regulations pursuant to the CCPA, which retains the "do not sell" signal requirement and adds restrictions on the use of personal information by service providers. On March 11, the attorney general of California released asecond set of modifications that, among other changes, removed clarifications indicating that an IP address that does not reasonably link to a particular consumer or household does not constitute personal information, eliminated the newly designed opt out button, and expanded notice requirement exemptions for businesses that collect personal information indirectly.
Ohio Attorney General's Facial Recognition Task Force Releases Report
On February 20, the Ohio attorney general released a report on Ohio's use of facial recognition and recommendation on appropriate uses of facial recognition technology by law enforcement. The task force commissioned to create the report concluded that the privacy interests of Ohio residents must be balanced against the need for public safety and that some level of oversight is necessary to ensure that objective is achieved.
California Attorney General Urges Congress Not to Preempt CCPA
On February 25, the California attorney general sent a letter to four U.S. senators urging them not to preempt the CCPA with ineffective federal legislation and advocated for a federal law that serves as a "floor rather than a ceiling" and allows states to provide further protections to their residents.
Washington Legislature Passes Facial Recognition Law
On March 12, the Washington legislature passed SB 6280, which regulates the use of facial recognition technologies by state and local government agencies. The bill was signed into law on March 31 and requires, for example, public agencies to disclose the use of facial recognition and to test software for fairness and accuracy in certain circumstances. Additionally, any decisions based on facial recognition technologies that produce "legal effects" (e.g., financial loans, health care, housing, employment opportunities) must be subject to meaningful human review. The bill also establishes a task force to study government agency use and deployment of facial recognition technologies.
Washington Legislature Fails to Pass Privacy Act
On March 13, the Washington legislature failed to pass SB 6281, also known as the Washington Privacy Act. The Washington Privacy Act was modeled on the CCPA, which gives consumers the right to access, the right to delete, and the right to opt out of the sale of their personal information. The Washington bill also would have given consumers a right to correct their personal information and would have imposed additional obligations on businesses, including an appeals process for consumer requests. The bill failed to pass when the Senate and House could not reconcile their respective versions of the bill.
States Propose Bills Modeled on CCPA
Several states have recently introduced legislation similar to the CCPA. These bills would require companies to provide notice of the types of personal information they collect and the third parties to whom they disclose the information. The bills also grants individuals the right to access or opt out of the sale of their personal information. The following bills are pending:
- Florida (SB 1670, HB 963)—On January 10, the Florida legislature introduced a bill that imposes new obligations on companies offering a website or online service to Florida residents, including providing notice to consumers and allowing consumers to "opt out" of the sale of their personal information.
- Hawaii (HB 2572)—On January 23, the Hawaii legislature introduced a bill that would require consumer opt in before a business could sell geolocation or internet browsing information.
- Illinois (SB 2330)—On January 8, the Illinois legislature introduced the Data Transparency and Privacy Act, which includes additional requirements beyond those found in the CCPA, including giving consumers a private right of action and the right to correct their personal information.
- Nebraska (LB 746)—On January 8, the Nebraska legislature introduced the Consumer Data Privacy Act, which gives consumers a right to access requests, a right to deletion, and a right to general transparency on how data is being used by an organization.
- New Hampshire (HB 1680)—On January 8, the New Hampshire legislature introduced a bill that expands upon the obligations found in the CCPA, including providing for a private right of action for consumers.
- New Jersey (A 2188)—On January 14, the New Jersey legislature introduced a bill that contains many of the same rights found in the CCPA but applies only to website owners.
- South Carolina (H 4812)—On January 14, the South Carolina legislature introduced H 4812, which governs businesses' use of consumer biometric information.
- Wisconsin (AB 870, 871, 872)—On February 10, the Wisconsin legislature introduced a trio of bills, collectively called the Wisconsin Data Privacy Act, which aims to give consumers more control over their data, including giving consumers the right to access and right to deletion, and limiting how businesses can process a consumer's information.
OPC Issues Proposals for Privacy in AI
On January 28, the Office of the Privacy Commissioner of Canada ("OPC") released its proposals for regulating privacy in artificial intelligence ("AI"). The proposals included incorporating a definition of AI within the Personal Information Protection and Electronic Documents Act ("PIPEDA") and creating privacy rights for processing using AI.
OPC Issues Privacy Guidance During COVID-19 Outbreak
On March 20, the OPC issued guidance to help organizations understand their privacy-related obligations during the COVID-19 outbreak. The guidance addresses the circumstances in which organizations may collect, use, or disclose personal information without the consent of the individual.
The following Jones Day lawyers contributed to this section: Meredith Christian, Jennifer Everett, Jay Johnson, Daniel Lopez, John Michels, Marina Moreno, Dan Ongaro, Christina O'Tousa, Clinton Oxford, Nicole Perry, Molly Russell, Ben Sanchez, Kerianne Tobitsch, and Jenny Whalen-Ball.
Public Information Agency to Allow Private Appointments to Discuss Privacy
On January 31, the Agency of Public Information Access (Agencia de Acceso a la Información Pública) ("Agency")announced that users of the app "Mi Argentina" will now be able to request an appointment with the Agency online to learn about the Agency's data protection and privacy procedures (source document in Spanish).
Public Information Agency Addresses COVID-19 Privacy Concerns
On March 11, the Agency clarified that sensitive personal data would continue to be processed with special care during the outbreak (source document in Spanish). It advised citizens with concerns about how their privacy or personal data would be affected to contact the Agency.
Brazil Fines Social Media Company R$6.6 Million for Improper Data Sharing
On December 30, 2019, the Brazilian Ministry of Justice and Public Safety (Ministério da Justiça e da Segurança Pública), through its Consumer Protection Agency (Departamento de Proteção e Defesa do Consumidor—"DPDC"), announced a fine of R$6.6 million (approximately US$1.4 million) against a social media company accused of improperly sharing user data (source document in Portuguese). The Consumer Protection Agency asserted that Facebook failed to provide appropriate information to its users regarding privacy settings on the social media platform and how user data was shared with third parties.
Superintendence Orders Social Media Company to Improve Security Systems
On February 13, the Colombian Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio) issued resolution No. 4885/2020 ordering a social media company to improve its information security system with respect to its 31 million Colombian users (source document in Spanish). The platform was ordered to guarantee safety of personal information in order to avoid fraudulent use by unauthorized parties.
Data Protection Office Mandates Database Registration
On February 7, the National Data Protection Office of Citizens (Agencia de Protección de Datos de los Habitantes, or "PRODHAB") published an order requiring registration of every database of personal data—whether private or public, and regardless of whether the data is used for commercial reasons—with the PRODHAB (source document in Spanish).
Deputy Proposes Bill Amending Data Protection Law
On March 5, Deputy José María Villalta introduced a bill amending the Individual's Protection Law for any Processioning of Personal Data (Ley Número 8968, Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales). The amendment would transfer the PRODHAB from the Ministry of Justice and Peace to the Office of the Ombudsman and require data processing agents to register with the PRODHAB.
IAIP and Journalists Discuss Patient Confidentiality in COVID-19 Reporting
On February 28, the Access to Public Information Institute held meetings with journalism and health organizations to discuss protocols for maintaining confidentiality of patient information during the global pandemic (source document in Spanish).
Deputy Proposes Bill to Amend Federal Data Protection Law
On February 5, Deputy Ximena Puente de la Mora filed a bill proposing modifications to the Federal Law on the Protection of Personal Data held by Obliged Subjects (Governmental Agencies) (source document in Spanish). The bill would expand the definition of "sensitive personal data" to include sexual preference and biometric data.
Mexican Ministry of Economy Resumes Activities After Hack
On February 24, the Mexican Ministry of Economy (Secretaría de Economía) released an official statement announcing that it was temporarily suspending all activities in response to a security incident on its servers, which had resulted in unauthorized access to emails and files (source document in Spanish). On March 9, the Ministry issued a statement announcing that the system was secure and that the Ministry would resume operations (source document in Spanish).
DPA Issues Recommendations on Personal Data Related to COVID-19 Cases
On March 13, the National Institute for Transparency, Access to Public Information, and Personal Data Protection issued recommendations for personal data processing during the COVID-19 pandemic period (source document in Spanish). The recommendations included: (i) protecting confidentiality of personal data to avoid discrimination; (ii) processing data only after providing notice of the purpose for processing; (iii) maintaining the confidentiality of the identity of individuals affected by COVID-19; (iv) documenting any transfer of personal data to health authorities and performing transfers with appropriate security measures in place; and (v) defining when and how personal data related to COVID-19 cases will be destroyed.
Uruguay Issues Decree Updating Regulation Regarding Personal Data Protection
On February 21, the federal government issued an order outlining new requirements regarding the protection of personal data to bring Uruguayan law more in line with standards set by the EU General Data Protection Regulation ("GDPR") (source document in Spanish).
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, Juan Carlos Quinzaños, and Gabriela C. Samanez.
EU Council Presents a Modified Proposal of the e-Privacy Regulation
On March 6, the President of the Council of the European Union presented a modified version of the e-Privacy regulation proposal. The modifications address the scope of the regulation, machine-to-machine communications, and internet of things ("IoT") services.
Court of Justice of the European Union
Advocate General Issues Opinion on Preliminary Ruling in Telecommunications Case
On March 4, Advocate General Szpunar issued an Opinion in the preliminary ruling in a matter involving a telecommunication provider that required customers to consent to the copying and storing of identity documents. According to Szpunar, this requirement goes beyond what is necessary for the performance of the contract, and customers are unable to "give their free, specific and informed consent."
European Commission Endorses EU Toolbox for 5G
On January 30, the European Commission endorsed a toolbox with a set of measures agreed upon by the European Union Member States to address security risks related to the implementation of the 5G mobile network. Through this toolbox, the Member States commit to moving forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures. The Commission called for key measures to be put in place by April 30.
European Commission Adopts Recommendation for Negotiations with United Kingdom
On February 3, the European Commission adopted a recommendation for a Council Decision authorizing the opening of negotiations for a new partnership with the United Kingdom. The envisaged partnership will most likely comprise general, economic, and security arrangements.
European Commission Unveils European Digital Strategy
On February 19, the European Commission published white papers detailing strategies regarding the use of data and artificial intelligence. Several additional reports accompany the white papers and cover topics such as safety and liability and high-level policy goals. The European Commission's stated goals for the various policy recommendations are to help European companies exploit industrial and commercial data, position Europe as a leader in the data economy, and set global standards.
European Data Protection Board
EDPB Adopts Guidelines on Connected Vehicles
On January 28,the European Data Protection Board ("EDPB") adopted guidelines on processing personal data in the context of connected vehicles and mobility-related applications. The guidelines were subject to public consultation until March 20 and provide guidance on the processing of personal data in the context of non-professional use of connected vehicles by data subjects.
EDPB Adopts Guidelines on Personal Data Processed Through Video Devices
On January 28, the EDPB adopted the final version of Guidelines on the processing of Personal Data through Video Devices (following public consultation). The Guidelines provide guidance on the application of the GDPR in relation to the processing of personal data through video devices.
EDPB Adopts Statement on Privacy Implications of Mergers
On February 24, the EDPB adopted a Statement on privacy implications of mergers specific to the case of a tech company's potential acquisition of a wearables company. The EDPB expressed its concern that "possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data."
EDPB Adopts Guidelines on Data Transfers Between EEA and Non-EEA Public Bodies
On February 24, the EDPB adopted guidelines on articles 46(2)(a) and 46(3)(b) for transfers of personal data between EEA and non-EEA public authorities and bodies that are not covered by an adequacy decision from the European Commission.
EDPB Releases Statement on Data Processing During COVID-19 On March 16, the EDPB adopted a statement of the EDPB Chair on the processing of personal data in the context of the COVID-19. The Chair stated that data protection rules should not hinder measures adopted to fight the pandemic. However, data controllers (e.g., an employer or a public health authority) should take data protection rules into account to guarantee the lawful processing of personal data.
European Data Protection Supervisor
Supervisor Adopts Opinion on New Partnerships with the UK
On February 24, the European Data Protection Supervisor ("EDPS") adopted an opinion on the opening of negotiations for a new partnership with the UK. The goal is to ensure security and an economic partnership between the EU and the UK that comply with EU data protection standards.
European Union Agency for Network and Information Security
ENISA Endorses EU Toolbox for 5G Security
On January 30, European Union Agency for Cybersecurity("ENISA") played a supporting role in the delivery of the EU Toolbox for 5G Security endorsed by the European Commission. This toolbox offers measures to mitigate cybersecurity risks related to the implementation of 5G networks.
Cybersecurity AgencyPublishes Cybersecurity Procurement Guide for Hospitals
On February 24, the ENISA published a Cybersecurity Procurement Guide for Hospitals. The aim of the document is to provide guidance on best practices tailored to reflect hospitals' IT procurements and threats.
DPA Publishes Recommendation on Direct Marketing
On January 17, the Belgian Data Protection Authority ("DPA") published Recommendation n° 1/2020 providing guidance on the implications of the GDPR to direct marketing (source document in French).
DPA Publishes Strategic Plan for 2020–2025
On January 28, the Belgian DPA published its Strategic Plan for 2020–2025 that put forward six objectives: raise awareness, enforce regulations, encourage innovation, improve cooperation, improve guidance, and set the DPA as a referee so that it can be an efficient regulator (source document in French).
Brussels Court of Appeal Overrules Belgian DPA Decision
On February 19, the Court of Appeal of Brussels overruled a decision from the Belgian DPA issuing a €10,000 fine for a disproportionate use of customers' electronic identity cards (source documents in Dutch). The Court of Appeal held that the DPA did not sufficiently support its decision and annulled the decision and sanction.
DPA Publishes Guidance on Data Processing During COVID-19
On March 13, theBelgian DPA published Guidance on the processing of personal data in the workplace during the COVID-19 outbreak (source document in French). The Guidance emphasizes the importance of continued adherence to lawful data processing, especially with respect to proportionality and data minimization principles. The DPA also answered frequently asked questions raised by employers.
CNIL Publishes Guide on Best Practices for Web or Application Developers On January 28, the French Data Protection Authority ("CNIL") published a guide for developers, service providers, and persons interested in web or app development (source document in French). The guide includes 16 thematic sheets that cover each stage of development, from preparation to audience measurement, source code management, securing the servers, and SDK management. The guide is not binding.
CNIL Publishes Guidelines for "Binding Corporate Rules" On February 7, the CNIL released guidelines to help concerned entities understand and master the Binding Corporate Rules ("BCRs") (source document in French). The CNIL's guidelines include explanations and advice on how best to prepare BCR submissions, as well as information on the approval process (source document in French).
CNIL Provides Guidance on Political and Electoral Strategy Software On February 10, the CNIL provided guidance to candidates and their service providers with five best practices for processing voters' personal data for political purposes (source document in French). The CNIL stressed that data controllers must: (i) verify the nature and origin of the data to determine whether the data may legally be used for electoral purposes; (ii) minimize data collection; and (iii) retain data for a limited period of time. The CNIL also stressed that candidates must obtain voter consent before processing their data and guarantee effective rights to access their data and object to processing. Where a service provider processes personal data on behalf of the candidate, the data processing agreement must include mandatory provisions pursuant to the GDPR.
CNIL Issues Formal Notices Against Energy Supply Companies On February 11, the CNIL issued two formal notices against energy supply companies (source document in French). Both companies failed to obtain valid consent from users and toadhere to proportionality principles for their data retention periods. The consent was insufficient because it was obtained by a single checkbox provided for different purposes. The CNIL gave these companies three months to take appropriate corrective measures.
CNIL Provides Guidance on Collection of Health Data During COVID-19 Outbreak On March 6, the CNIL provided guidelines reminding employers that they may not collect health data that would go "beyond the management of suspicions of exposure to the virus" (source document in French). Employers should refrain from systematically and widely collecting information relating to possible symptoms. In the event of a report of exposure to the virus, an employer may record "the date and identity of the person suspected of having been exposed, and the organizational measures taken," such as containment, teleworking, or contact with the occupational physician.
CNIL Announces Focus on Three Priority Control Areas On March 12, the CNIL announced that its control activities will focus on three priority areas related to day-to-day concerns, which will constitute about 20% of the control procedures in 2020 (source document in French). First, in light of the rise of telemedicine and IoT health care in response to COVID-19, the CNIL will focus on safety measures implemented by or on behalf of health professionals. Second, controls will focus on how geolocation services ensure proportionate data collection, define retention periods, provide information to users, and implement security measures. Finally, the CNIL will enforce the requirements of the e-Privacy directive related to cookies and other tracking technologies.
German Legislator Clarifies: Tax Consultants Are Not Data Processors
On January 14, the Bavarian Data Protection Authority ("Bavarian DPA") published an interpretation note about the classification of tax consultants as data processors or data controllers (source document in German). In view of recent revisions to the Tax Advisory Act ("Steuerberatungsgesetz") in December 2019, the Bavarian DPA clarified that tax consultants do not process personal data on the instructions of their clients for the provision of services and therefore should not be considered data processers.
DPA Advises that Disclosure of Email Addresses to Postal Service Requires Consent
On January 28, the Bavarian DPA published its activity report for 2019 (source document in German). According to the report, the disclosure of customer email addresses to postal service providers for shipment tracking purposes requires the consent of the customer. Companies are relieved of such burden if they do not provide the email address of the customer to the postal service provider but rather forward the tracking link of the postal service provider to customers themselves.
DPA Report Addresses Employer's Right to Ask Questions About Health Data
On January 28, the Bavarian DPA published its activity report for 2019 (source document in German). Sec. 26 (3) of the German General Data Protection implementation law permits the processing of special categories of personal data for employment-related purposes if there is no reason to believe that the data subject has an overriding legitimate interest. In order for the employer to comply with his special duty of care toward its employees, the report acknowledged the employer's right to ask questions about health-related restriction of its employees when the task involves heavy physical work (e.g., lifting or carrying heavy objects).
Court Rules on Interaction Between Data Protection and Competition Law
On February 29, the Higher Regional Court of Stuttgart ruled that Art. 80 of the GDPR does not prevent competing entities from asserting infringement of provisions of the GDPR under competition law if those provisions regulate market conduct (source document in German). The court held that the information to be provided pursuant to Art. 13 GDPR concerns the regulation of market conduct and that infringements of Art. 13 GDPR have a potentially significant adverse effect on the interests of consumers, other market participants, and competitors.
Commissioner Issues Guidance for Data Processing During COVID-19
On March 13, the Federal Commissioner for Data Protection and Freedom of Information ("BfDI") issued guidance for employers on the lawful processing of employee, guest, and visitor data—particularly health data—in connection with the coronavirus pandemic (source document in German). The guidance provides for possible justifications and certain limits with regard to the principle of proportionality when implementing measures to ensure the safety of the employees.
DPA Urges Employers to Avoid Unlawful Data Use During COVID-19 Outbreak
On March 2, the Italian Data Protection Authority ("DPA") issued a press release providing guidance to employers in relation to the treatment of employees' personal data in the wake of COVID-19. Employers are prevented from collecting—in a systematic and generalized manner—any information relating to flu symptoms experienced by employees or on their acquaintances. This information, along with individuals' recent movements, will be managed only by health personnel or other authorities entrusted with such task by the Italian Civil Protection Authority. However, employees must inform their employers: (i) of any security risk that might affect the workplace; (ii) if they come from a "risk area"; or (iii) if they have been in contact with a suspected case of COVID-19. Employers can remind employees to provide this information to the competent authorities and set up a dedicated channel to facilitate such communication.
Employers' Associations Issues Practical Guidelines Related to COVID-19
On March 14, the Employers' Associations and the National Trade Unions executed a protocol providing practical guidelines for Italian employers to improve the precautionary measures already adopted to fight the COVID-19 epidemic ("Protocol"). Pursuant to the Protocol, employers may test employees' body temperature and request self-declarations from the employees in compliance with privacy rules before permitting employees to enter the workplace. The Protocol instructed employers not to record data unless the temperature exceeds the threshold (37.5° or higher) and to provide data subjects with the relevant privacy notice (either in writing or verbally), retain data until the end of the COVID-19 emergency, and protect employees' privacy and dignity in the event of temporary isolation.
DPA Announces Number of Complaints and Breach Notifications in 2019 On February 14, the Dutch Data Protection Authority ("DPA") released its 2019 report announcing that it received 27,800 privacy-related complaints during 2019 (an increase of 79% over 2018) and 27,000 notifications of data breaches (an increase of 29% over 2018) (source document in Dutch). The DPA also announced the breakdown of notifications by sector: 30% of breach notifications related to the financial services sector, followed by health care (28%), and governmental bodies/public administration (17%). The Dutch DPA noticed a 25% increase in hacking and malware-related notifications.
DPA Imposes Order for Incremental Penalty Payments on Health Insurer On February 14, the DPA announced a penalty on a health insurance company for processing more medical data than necessary to assess applications for reimbursement of rehabilitation care (source document in Dutch). As a result of the investigation, the insurance company removed data relating to 12 applicants from its systems and will assess the need for additional information on a case-by-case basis when deciding on certain applications.
DPA to Investigate Providers of Online Personal Finance Applications On February 24, the DPA announced that it will commence an investigation into Dutch companies with a PSD2-license that process payment data of consumers (source document in Dutch). With a PSD2-license and the explicit consent of the accountholder, companies can obtain access to the payment information of bank customers, potentially providing these companies with a detailed view of a customer's personal life. The purpose of the investigation is to ensure that companies with a PSD2-license are aware of their privacy compliance obligations under the GDPR.
DPA Imposes €525,000 Fine on Sports Association On March 3, the DPA announced that it had imposed a €525,000 fine on a sports association for selling the personal data of more than 300,000 members to two of its sponsors (source document in Dutch) (decision in Dutch) (summary in Dutch). The DPA determined that the association lacked a lawful basis for processing the data.
Company Loses Personal Information of 6.9 Million Organ Donors On March 10, the organization responsible for maintaining the country's organ donor list released a statement announcing that it lost two hard drives containing back-ups of digitized paper forms dated from 1998–2010 (source document in Dutch). According to the organization, there are no indications that the hard drives have fallen in the wrong hands, and it assesses the risk of abuse as limited. The organization notified the DPA of the data breach.
SDPA Publishes Accreditation Criteria for Supervisory Code of Conduct Bodies
On February 28, the Spanish Data Protection Agency ("SDPA") published the accreditation criteria for supervisory code of conduct bodies (source in Spanish). The accreditation criteria reflect the provisions of Articles 41 and 57 of the GDPR and guidelines published by the European Data Protection Board.
SDPA Publishes Guidance for Spanish Organic Law 3/2018
On February 20, the SDPA published guidance clarifying when, pursuant to Spain's Data Protection Law, administrative authorities may access data held by other administrative bodies (source document in Spanish).
SDPA Publishes Report to Help Companies Carry Out Privacy Impact Assessments
On March 5, the SDPA published a model report to help companies carry out privacy impact assessments (source in Spanish). The document compiles the aspects that must be taken into account by the private sector to prepare a privacy impact assessment ("PIA") report, complementing the Practical Guide published by the Agency. The Agency also published an update of the model to guide public administrations in collaboration with the Ministry of Labor and Social Economy and the Centre for Information Security of the Social Security IT Management.
SDPA Approves First Binding Corporate Rules Within the Framework of GDPR
On March 16, the SDPA approved the country's first binding corporate rules ("BCR"), following the framework established by the GDPR (source document in Spanish). The European Data Protection board reviewed the BCRs and gave them a favorable report.
ICO Publishes Code of Practice for Children's Privacy Online On January 22, the Information Commissioner's Office ("ICO") published a code of practice setting out the standards expected for online services likely to be accessed by children. It requires services to automatically provide a built-in baseline of data protection, set to high by default, and warns against "nudge techniques" to encourage children to weaken settings. Location services should be switched off by default.
EU and UK Set Out Their Opening Positions on Data Protection After Brexit On February 3, the European Commission and the UK Government set out their formal opening positions in negotiating the future EU–UK relationship. The European Union emphasized the importance of data flows, the need to affirm each side's commitment to high levels of data protection, and to fully respect the adequacy decision process. The United Kingdom's goals include adopting an independent data protection policy by the end of the current transition period, maintaining high data protection standards, negotiating an EU adequacy decision by the end of the transition period, and keeping these negotiations separate from other EU–UK negotiations.
ICO Issues £500,000 Fine to Airline Company for Failing to Secure Customer Data On March 4, the ICO announced that it issued a £500,000 fine to an airline company for failure to apply appropriate security measures over a 3-1/2 year period. This failure exposed 111,500 UK customer records and an overall global total of 9,400,000 records. The airline company reported a cyberattack to the ICO, and an investigation revealed that the company had not taken adequate security measures. The fine was imposed under the law preceding the GDPR and is the maximum possible.
ICO Closes its Consultation on New Direct Marketing Code of Practice On March 4, the ICO closed its consultation period on a new direct marketing code of practice.
The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Sara Rizzon, Irene Robledo, and Lucie Fournier.
Commissioner Addresses Privacy Issues Related to COVID-19
On February 26, the Privacy Commissioner commented on the use of social media information to track potential carriers of COVID-19. The Commissioner noted that the Privacy Ordinance regulates the collection of personal data from social media and requires use to be consistent with or directly related to the original purpose for which the data is collected and may be disclosed only with consent. The Commissioner also highlighted an exception to the use rule where restriction is likely to cause serious harm to the physical or mental health of the data subject or any other individual.
Commissioner Comments on Cybercrime During Work-From-Home Arrangements
On February 27, the Privacy Commissioner advised that employees intending to bring home files containing confidential and personal data should follow the established guidelines of their organizations. In addition, employees who are using their laptops or other mobile devices during the work-from-home ("WFH") period should always be cautious and vigilant about the risks arising from mobile and cloud technologies. Data breach notifications are not mandatory under the current regime, meaning that there could be some unreported data breaches for organizations that have introduced WFH arrangements.
Commissioner Comments on Data Collection as Masks are Distributed in China
On March 3, the Privacy Commissioner responded to questions about personal data collected through efforts to deliver masks to Hong Kong residents in mainland China (source document in Chinese). The Commissioner noted that the office has no jurisdiction over the collection, processing, or use of personal data outside Hong Kong. The Commissioner advised individuals not to disclose unnecessary information, such as Hong Kong Identity Card number and mobile phone number, when obtaining masks.
Commissioner Comments on £500,000 Fine Imposed by UK's ICO
On March 6, the Privacy Commissioner responded to inquiries about the £500,000 fine imposed by the UK's Information Commissioner's Office. The Commissioner declined to comment on the investigation or judgment of the ICO and noted generally that the Commissioner's office had published an investigatory report for the underlying breach in 2019. The Privacy Commissioner would also follow up on the remedial and corrective measures taken by the relevant organization. The Privacy Commissioner is currently not empowered to impose any fine but has submitted proposals on legislation amendment in respect of the imposing of administrative fines and the increase in the existing level of relevant fines under the Privacy Ordinance to enhance deterrent effect.
People's Republic of China
New Encryption Law Goes Into Effect
On January 1, China's new Encryption Law went into effect. The law provides that a commercial encryption product relating to national security, the national economy, people's livelihood, or public interest may be sold or provided only after an approved institution confirms that the product has passed security authentication or otherwise complies with security requirements (source document in Chinese).
National Standards on Personal Information Released for Public Comment
On January 20, the National Information Security Standardization Technical Committee released new proposed information security rules. The "Information Security Technology—Guidelines for Personal Information Notices and Consent" proposes guidance for network operators on the content and structure of personal data notices and the methods for obtaining consent from data subjects (source document in Chinese). The "Information Security Technology—Basic Specification for Collecting Personal Information in Mobile Internet Applications"would require mobile internet applications to collect only "minimum information" when providing app services, and describes the permitted scope of "minimum information" for 30 common service types, including map navigation and online payments (source document in Chinese).
Central Bank Releases Personal Financial Information Protection Specification On March 4, the People's Bank of China ("PBOC"), China's central bank, released a notice urging banking institutions to protect personal financial information by following technical measures outlined in the Protection Specification (source document in Chinese). The Specification was issued by the PBOC on February 13. The Specification defines and categorizes personal financial information according to sensitivity. The most sensitive personal financial information includes card verification codes, passwords, and biometric information, and the least sensitive personal financial information includes data about when and where a bank account is opened.
Government Issues New National Standards on Information Security Technology
On March 6, the State Administration for Market Regulation and the Standardization Administration jointly issuedeight national standards (source document in Chinese). Covered topics include: authentication of mobile smart terminals using biometric data, cryptographic application for electronic records,secure electronic seal signature cryptography, one-time-password cryptographic application, security test methods for office devices, and technical requirements for cybersecurity management support systems. The new national standards will come into force on October 1.
Government Issues Security Standard for Remote Work
On March 16, the State Administration for Market Regulation issued "Practice Guideline for Cybersecurity Standard—security for remote office work" (source document in Chinese). The standard analyzes the risks of office security systems, including data security, equipment security, and personal information protection. The standard also provides security control measures for users of remote office systems.
Cabinet Submits Bill to Enhance Transparency and Fairness on Digital Platforms
On February 29, the Cabinet approved and submitted to the Diet a bill for the Act to Enhance Transparency and Fairness of Specified Digital Platformers (source document in Japanese). This Act targets and regulates giant digital technology platforms. The Act would require digital platformers to disclose to general consumers information regarding how they collect and use data on general consumers' searching, browsing, and purchasing history.
Government Issues Draft Security Management Guidelines Published for Medical Information
On March 5, the Ministry of Internal Affairs and Communications ("MIC") and the Ministry of Economy, Trade and Industry ("METI") jointly released a draft of Security Management Guidelines for Information System Service Providers Handling Medical Information (source document in Japanese). MIC and METI had previously issued separate guidelines; the March 5 guidelines are an integration of the two.
Cabinet Submits Bill to Amend Personal Information Protection Act
On March 10, the Cabinet approved and submitted to the Diet a bill to amend the Personal Information Protection Act (source document in Japanese). The proposed amendment would impose a data breach reporting obligation, expand individuals' right to request that data holders cease using and erase data, increase of the amount of fines available, and establish more stringent requirements for cross-border transfers.
PDPC Addresses Proposed Data Portability Right Under PDPA
On January 20, the Personal Data Protection Commissioner ("PDPC") issued a response to public comments on the PDPC's proposal to create data portability and data innovation provisions under Singapore's Personal Data Protection Act ("PDPA").
Singapore and Australia Sign Memorandum of Understanding
On March 25, the PDPC announced that the PDPC and the Office of the Australian Information Commissioner ("OAIC") signed a Memorandum of Understanding to jointly promote the Cross Border Privacy Rules under the Asia-Pacific Economic Cooperation to facilitate cross-border data transfers.
The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.
Attorney General Issues Emergency Privacy Declaration for Australian Bushfires
On January 20, the attorney general of Australia issued the "Privacy (Australian Bushfires Disaster) Emergency Declaration (No. 1) 2020 (Cth)." The instrument declared that the "bushfires in Australia resulting in death, injury and/or property damage occurring from August 2019 into 2020" were events of national significance under section 80J of the Privacy Act 1988(Cth). The declaration triggers Part VIA of the Privacy Act, which provides for the collection, use, and disclosure of personal information in emergencies and disasters. The declaration expires on January 21, 2021.