Jones Day Cybersecurity, Privacy & Data Protection Attorney Spotlight: Edward S. Chang
Data privacy- and security-related class actions appear to be on the rise, and effectively defending them requires the right mix of substantive and procedural knowledge. Edward Chang is a partner based in Irvine, California, and, for nearly 15 years, has represented institutional clients in a wide array of complex litigation matters, with an emphasis on cybersecurity, privacy, and consumer issues. He has served as lead counsel in hundreds of class and individual actions, complicated business disputes, and regulatory investigations, including bet-the-company matters.
As a leader in Jones Day’s cybersecurity practice in California, Ed advises clients on their most sensitive business and cybersecurity issues. He advises industry leaders on a variety of cyber and privacy matters, including industry standards, cybersecurity management, data governance, third-party management, product liability risk, licensing, and regulatory and litigation risks. Ed also advises clients on data-breach response and data-breach class actions filed in state and federal courts across the country, including working on a team handling more than 47 nationwide data-breach class actions in one of the largest data-breach matters in U.S. history.
Regulatory—Policy, Best Practices, and Standards
NIST Evaluates Advances in Face Recognition Software
On November 30, 2018, the National Institute of Standards and Technology (“NIST”) published a report evaluating the accuracy of facial recognition software. NIST’s study found that between 2014 and 2018, facial recognition software became 20 times better at searching databases to find matching photographs. The evaluation used 127 software algorithms from 39 different developers, which represent the bulk of the industry.
NIST Proposes Steps to Modernize Technology Transfer and Innovation
On December 6, 2018, NIST released a draft green paper with proposed steps to modernize the transfer and commercialization of technology developed through federally funded research and development initiatives. The proposals include updating legal tools for the transfer of technology, such as intellectual property rights for the licensing and commercial development of federal research. The draft green paper includes input from federal stakeholders, such as the National Science and Technology Council’s Lab-to-Market Subcommittee, as well as public comments.
Regulatory—Consumer and Retail
FTC Releases Do Not Call Registry Data for Fiscal Year 2018
On December 6, 2018, the Federal Trade Commission (“FTC”) released the National Do Not Call Registry Data Book for Fiscal Year 2018, along with state-by-state analyses of the data. The number of registrants with the Do Not Call list has increased significantly, while the number of complaints has decreased and the most prevalent types of calls have changed.
FTC Holds Hearings on Data Security
On December 11-12, 2018, the FTC held hearings on data security as part of its examination of consumer protection in the 21st century. The hearings included discussions on incentives to invest in data security, consumer demand for data security, data security assessments, a U.S. consumer framework for data security, and the FTC’s data security enforcement program. Video recordings and transcripts of the hearing are available on the FTC website.
Retailer Discloses Cybersecurity Attack
On December 21, 2018, a retailer disclosed that it was the victim of a cybersecurity attack involving suspicious log-in activity. The retailer planned to notify all customers whose usernames and passwords may have been used to access their accounts, even though there was no indication that the usernames and passwords used in the log-in attempts were obtained from its systems, or that any personal information stored on its customers’ accounts were obtained.
Hotel Discloses Approximately 383 Million Records Affected in 2018 Breach
On January 4, a hotel chain disclosed that up to 383 million guest records were compromised in a breach of its reservation database that began in 2014. This is an increase from the figure reported when the company first announced the existence of the breach on November 30, 2018. The hackers accessed names, addresses, phone numbers, email addresses, and passport numbers stored in the reservation database. The incident affected approximately 8.6 million encrypted payment card numbers, 5.25 million unencrypted passport numbers, and 20.3 million encrypted passport numbers.
FTC Seeks Comments on Identity Theft Detection Requirements
On December 4, 2018, the FTC announced that it is seeking comments on whether it should change rules that currently require financial institutions and creditors to take steps to detect signs of identity theft affecting customers. The FTC is seeking comments on the costs these rules impose on consumers and businesses, whether there is a continuing need for the rules, and whether to expand the types of creditors covered by the rules.
SEC Office of Compliance and Examinations to Focus on Cybersecurity
On December 20, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2019 examination priorities, which include a focus on cybersecurity and digital assets. The SEC reiterated that all OCIE examination programs “will prioritize cybersecurity with an emphasis on, among other things, proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security.”
DOE Announces Cyber Threats Targeting Cloud Services Providers
On December 20, 2018, the United States Department of Energy (“DOE”) announced that a Chinese cyber group is engaging in cyber-enabled theft targeting global managed service providers, cloud service providers, and their clients. The DOE stated that the group operated on behalf of the Chinese Ministry of State Security and used a mix of sophisticated custom malware and off-the-shelf applications to compromise multiple service and cloud providers. The group targeted information from critical infrastructure companies in the areas of information technology, energy, health care, communications, and critical manufacturing.
DOE Announces $40 Million Grid Modernization Initiative
On January 24, the DOE announced a $40 million initiative in Fiscal Year 2019 for its Grid Modernization Initiative. The initiative aims to work with public and private partners to develop tools and technologies for a modern “grid of the future” that is resilient, reliable, and secure. The initiative will leverage subject matter expertise across national laboratories, including on the topics of cybersecurity, resilience modeling, advanced sensors, and energy storage. Additional details are expected to be released by March.
Pennsylvania Criminalizes Drone Misuse
On January 12, Pennsylvania’s law imposing criminal penalties for unlawful use of drones went into effect. The new law prohibits the use of drones to intentionally or knowingly conduct surveillance of another in a private space, or the operation of a drone in a manner that places another person in reasonable fear of bodily injury. The law permits a $300 fine for violations.
HHS Releases New Health Industry Cybersecurity Practices
On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) released the publication of “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.” The publication suggests voluntary cybersecurity practices, resources, and templates for small, medium, and large health care organizations. The publication is the result of a two-year industry-led effort in response to Section 405(d) of the Cybersecurity Act of 2015 mandating the development of practice guidelines to reduce cybersecurity risks for the health care industry.
HHS Seeks Public Input on Modifications to the HIPAA Privacy Rule
On December 12, 2018, HHS issued a Request for Information seeking public input on how the HIPAA Privacy Rule could be modified to further the goal of protecting the privacy and security of individuals’ health information while permitting information-sharing needed for important purposes, such as coordination of treatment and care.
Regulatory—Defense and National Security
Secretaries Issue Joint Statement on Chinese Cyber Attacks
On December 20, 2018, the Secretary of State and Secretary of Homeland issued a joint statement regarding hacks on managed service and cloud service providers by actors linked to the Chinese Ministry of State Security. The statement expressed concern that these hacks may have violated commitments made by China in 2015 to refrain from conducting or knowingly supporting “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
Director of National Intelligence Unveils National Intelligence Strategy
On January 24, the Director of National Intelligence unveiled the National Intelligence Strategy, a quadrennial publication that sets intelligence strategy for the next four years. The strategy calls attention to cyber and space as new domains of warfare. In particular, the strategy notes that the relatively low cost of cyber operations and lack of attribution makes the cyber domain attractive to smaller nations, terror groups, transnational criminal networks, and individuals. The strategy also calls for the United States to be at the forefront of research on artificial intelligence, advanced automation, and nanotechnology.
Litigation, Judicial Rulings, and Agency Enforcement Actions
Hotel Chain Faces Multimillion-Dollar Data Breach Class Action
On December 1, 2018, an individual filed a putative class action complaint in New York federal court against a hotel chain alleging violations of federal securities laws related to a massive data breach that potentially affected up to 500 million hotel guests. The complaint alleges that the company made materially false and misleading statements in SEC filings regarding the security of customer data. The company seeks to combine this case with other class actions filed throughout the United States.
District of Columbia Sues Social Media Company Over Data Harvesting
On December 19, 2018, the Attorney General for the District of Columbia sued a social media company for violations of the District’s Consumer Protection Procedures Act in relation to the harvesting of user data by a third-party application developer who sold the data to a political consulting firm. The complaint alleges that the company engaged in unfair and deceptive trade practices for allegedly failing to inform consumers that their personal information may be shared with third-party applications without their knowledge or consent.
Airline Reaches $2.3M Settlement to End Worker Background Check Class Action
On January 3, an airline agreed to pay $2.3 million to settle a proposed class action brought on behalf of about 44,100 job applicants that claimed the company disregarded federal and California law by including extraneous and misleading information in notifications to prospective employees about background checks, and did not make standalone disclosures in compliance with the Fair Credit Reporting Act.
SEC Charges Hackers of EDGAR System
On January 15, the SEC announced charges against nine defendants for hacking into the SEC’s EDGAR system and extracting nonpublic information. The SEC’s complaint alleges that the hackers gained access to EDGAR in 2016 and extracted files containing nonpublic earnings results, and used the information to make trades and earn at least $4.1 million in illegal profits.
Illinois Supreme Court Issues Highly Anticipated BIPA Decision
On January 25, the Illinois Supreme Court unanimously held that a person has standing to sue under the Biometric Information Privacy Act (“BIPA”) without alleging a separate, real-world harm. BIPA imposes requirements on companies that collect and handle biometric identifiers of Illinois residents, such as notice and consent requirements. BIPA permits an “aggrieved” person to sue for violations of the statute, and the Illinois Supreme Court determined that a plaintiff is “aggrieved” when the individual’s rights have been infringed, without the need to plead an actual injury or adverse effect beyond a technical violation of the statute. For more information, please see our Jones Day Alert.
Senator Calls for Data Minimization Laws
On November 30, 2018, U.S. Senator Mark Warner (D-VA) issued a press release calling for national data privacy legislation to safeguard consumer information. The announcement called for data minimization and retention requirements to limit how much sensitive information companies collect and retain about consumers. The announcement also called for the legislation to hold companies accountable for security costs.
Additional States Propose Bills with CCPA-Like Provisions
Since January 1, a number of states have introduced bills modeled at least in part on California’s Consumer Privacy Act (“CCPA”) and borrow many of the same provisions, such as requiring companies to provide notice of the types of personal information they collect and the categories of third parties to whom they disclose personal information. The bills also would grant individuals certain rights, such as the right to request access to their personal information and the right to opt-out of the sale of personal information. Washington’s bill goes further and proposes requirements closer to the European Union’s GDPR, such as defining roles for controllers and processors and imposing a requirement to correct inaccurate information. Most of these bills have been referred to committees and are under consideration (except for the Mississippi bill, which died in committee on February 5). For more information, please see our Jones Day Alert.
- On January 2, SB 176 was introduced in New Mexico.
- On January 9, S00224 was introduced in New York.
- On January 12, SD 341 was introduced in Massachusetts.
- On January 14, HB 1485 was introduced in North Dakota.
- On January 18, SB 418 was introduced in Hawaii.
- On January 25, HB 1253 was introduced in Mississippi.
- On January 30, SB 5376 was introduced in Washington.
- On January 31, S0234 was introduced in Rhode Island.
- On February 4, SB0613 was introduced in Maryland.
South Carolina Enacts Insurance Data Security Act
On January 1, South Carolina enacted a breach notification and information security law for insurers, agents, and other licensed entities authorized to operate under the state’s insurance laws. The South Carolina Insurance Data Security Act is based on the National Association of Insurance Commissioners’ Insurance Data Security Model Law and includes stringent requirements for investigating and disclosing certain cybersecurity events within 72 hours of discovery.
Vermont Regulates Data Brokers
On January 1, Vermont passed a law to regulate data brokers that collect and sell personal information about consumers. The law requires data brokers to register with the Secretary of State, provide information about the broker’s opt-out policies, maintain a written information security program, and make certain disclosures to consumers. Vermont passed the law in response to reported risks associated with the widespread aggregation and sale of data about consumers.
Massachusetts Amends Data Breach Notification Law
On January 10, the Governor of Massachusetts signed legislation to amend Massachusetts’ data breach notification law to require the sharing of additional information with state regulators, among other changes. Entities must provide information about the nature of the breach, the number of affected state residents, the identity of the person responsible for the breach, and a description of the information compromised. Companies also must disclose whether they have a written information security program and the steps taken after the data breach. The new law goes into effect on April 11.
Canadian Health Department Seeks Comment on Medical Device Cybersecurity Guidance
On December 7, 2018, Health Canada published draft guidance on cybersecurity for medical devices. The guidance recommended the incorporation of cybersecurity into the design of the device and across the device’s lifecycle, and recommended that manufacturers engage in post-market monitoring to identify and address evolving vulnerabilities. Health Canada requested comments from across the industry on the “technical considerations related to cybersecurity of medical devices and the submission requirements for a medical device license.”
The following Jones Day lawyers contributed to this section: Kaeley Brown, Shirley Chan, Jeremy Close, Meredith Collier, Jennifer Everett, Levent Hergüner, Jay Johnson, Christopher Markham, Mallory McKenzie, Mary Alexander Myers, Nicole Perry, and Kerianne Tobitsch.
Agency Approves Guidelines for Binding Corporate Rules
On December 7, 2018, the Access to Public Information Agency (Agencia de Acceso a la Información Pública) issued through an official communication the Guidelines and Basic Contents of Binding Corporate Rules (Lineamientos y Contenidos Básicos de Normas Corporativas Vinculantes), which provides guiding principles of self-regulation standards for personal data protection among entities from the same group of companies (source documents in Spanish). The guidelines allow companies to prove before the Agency that international data transfers are secure and have an adequate level of protection, especially when the recipient country does not have the same security standards for personal data.
Federal District Attorney’s Office Investigates Hotel Data Breach
On December 3, 2018, the Federal District Attorney’s Office in Brasília (Ministério Público do Distrito Federal e Territórios), through its Special Unit for Data Protection and Artificial Intelligence, started an investigation into the potential leak of Brazilians’ personal data stored in the servers of an international hotel chain. The breach potentially exposed the personal data of up to 500 million guests worldwide, including personal information such as full name, passport number, mailing address, email, phone number, date of birth, arrival and departure dates, and, in some cases, credit card information.
Brazil Creates National Data Protection Authority
On December 27, 2018, the former Brazilian President signed Executive Order No. 869/2018, which established the Brazilian National Data Protection Authority (Agência Nacional de Proteção de Dados, or “ANPD”) (source document in Portuguese). Brazil created the ANPD pursuant to the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais). The ANPD will regulate data protection issues, oversee persons subject to the Brazilian General Data Protection Law, and enforce penalties for data protection violations.
Ministry Announces Cybersecurity Campaign
On December 28, 2018, the Ministry of the Interior and Public Security (Ministerio del Interior y Seguridad Publica) announced a cybersecurity campaign to promote protection of individuals’ rights in digital environments (source document in Spanish). As part of the campaign, the Ministry issued recommendations for safely navigating the internet, posting on social networks, and using online security settings. The Ministry also issued guidance regarding the sharing of personal information online (source document in Spanish).
Costa Rica Hosts the Ibero-American Meeting of Data Protection
On December 4, 2018, the Inhabitants Data Protection Agency (Agencia de Protección de Datos de los Habitantes, or “PRODHAB”) issued an official communication stating that Costa Rica hosted the sixth Ibero-American Data Protection Meeting (Encuentro Iberoamericano de Protección de Datos) (source document in Spanish). Experts across the Latin American region came together to discuss actions to protect the security and privacy of personal data. The government’s announcement highlighted the takeaways from the meeting, including the need create a data protection culture, update compliance models, and invest in privacy.
Data Protection Agency Resolves More Than 10,000 Appeals in 2018
On December 30, 2018, the National Institute for Transparency, Access to Information, and Personal Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales) announced that, between January and November 2018, it had resolved 10,745 appeals related to data protection and access to information (source document in Spanish). Among these appeals, 9,485 (approximately 88%) related to the right to access information, and 1,260 (approximately 12%) related to personal data protection.
Data Protection Agency Hosts International Personal Data Protection Day
On January 28, the Instituto Nacional de Acceso a la Información y Protección de Datos Personaleshosted the International Personal Data Protection Day to discuss significant and controversial issues regarding personal data (source document in Spanish). The topics of discussion included: (i) the personal data protection rights of legal entities and (ii) the legal requirement to obtain a judicial order to use geolocation services to locate possible criminals in Mexico.
Peru Fines Entities More Than US$230M in 2018 for Privacy Violations
On January 1, the Peruvian National Authority of Data Protection (Autoridad Nacional de Protección de Datos) announced that it fined several public and private entities throughout 2018 for violations of the Peruvian Data Privacy Law (source document in Spanish). Peruvian authorities found that these entities should have implemented security measures for the protection of personal data, such as security protocols for access, privileged data management, and periodic review of privileges, among other measures.
Agency Modifies Data Protection Law
On January 28, the Regulatory and Personal Data Control Unit (Unidad Reguladora y de Control de Datos Personales) announced modifications to the Law of Accountability N°19.670 (Ley de Rendición de Cuentas N°19.670) (source documents in Spanish). These modifications include extending the law’s application to the processing of personal data outside of Uruguayan territory in certain circumstances, requiring that entities provide notice of security breaches to data owners and implement remediation steps, and requiring entities that process personal data on a regular basis to designate a data protection official.
The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D’Agostini, and Juan Carlos Quinzaños.
European Council Publishes New Electronic Communications Code
On December 4, 2018, the European Council adopted the European Electronic Communication Code (“EEOC”), which it published in the Official Journal on December 17, 2018. The EEOC expands the ePrivacy Directive to regulate over-the-top (or OTT) communications services, such as instant messages and email, and to promote the rollout of high-capacity networks, such as 5G and fiber networks. Each EU member state has two years to enact national implementing legislation for the EEOC.
European Court of Justice
Advocate General Makes Recommendation in Case Involving Third-Party Plugin
On December 19, 2018, Advocate General Bobek recommended to the European Court of Justice (“ECJ”) that when a website operator embeds a third-party plugin into its website that collects and transmits a user’s personal data, both the website operator and the third party should be considered joint controllers. This recommendation is limited to circumstances in which both parties co-determine the means and processing of data, but not preceding or subsequent stages of processing. The Advocate General made this recommendation in the context of a case before the ECJ involving a fashion company that embedded on its website a “Like” button from a third-party social media platform.
Advocate General Makes Recommendation on De-Referencing of Sensitive Data
On January 10, Advocate General Szpunar recommended to the ECJ that when the operator of a search engine receives a request to de-reference links displaying sensitive data, the operator must accede to the request as a matter of course. If the issue of the derogation of freedom of expression arises, the Advocate General recommends that the operator balance data protection and respect for private life with the right of the public to access the information and the right to freedom of expression. The Advocate General made this recommendation in the context of a case before the ECJ involving a request by individuals to de-reference a webpage that contained sensitive information and satirized government officials.
Advocate General Recommends that “Right To Be Forgotten” Not Apply to Search Engines Beyond EU Borders
On January 10, Advocate General Szpunar recommended that the ECJ limit the application of the “right to be forgotten” to the territory of the European Union. The Advocate General recommended that a search engine operator responding to a request for de-referencing should not be required to de-reference search results on domains outside of EU borders, although he did not rule out the possibility that there may be some circumstances where de-referencing should occur at a worldwide level. The Advocate General also recommended that search engines must implement all possible measures, including geo-blocking, to enforce effective de-referencing for all IP addresses located in the European Union, regardless of the domain. The Advocate General made this recommendation in the context of a case before the ECJ involving a search engine operator that refused to comply with a demand by the French Data Protection Authority to conduct de-referencing on all of its domain name extensions regardless of location.
EU Negotiators Reach Agreement on Cybersecurity Act
On December 10, 2018, the European Parliament, the EU Council, and the European Commission reached a political agreement on the Cybersecurity Act, which was first introduced by the European Commission on September 13, 2017. The agreement creates the first EU-wide certification scheme to ensure that products and services sold in EU countries meet certain cybersecurity standards. The agreement also upgrades the European Union Agency for Network and Information and Security (“ENISA”) with a permanent grant to coordinate responses to cybersecurity attacks among EU member states and assist EU institutions in developing cybersecurity policies. The new regulation must be formally approved by the European Parliament and the Council of the European Union.
European Data Protection Board
EDPB Adopts Revised Guidelines on Accreditation
On December 4, 2018, the European Data Protection Board (“EDPB”) adopted revised guidelines on accreditation of certification bodies under Article 43 of the GDPR, including a new annex. The document provides guidance on how to interpret and implement Article 43, which requires member states to ensure that certification bodies, which issue certification under Article 42(1) of the GDPR, are accredited by either or both the competent supervisory authority or the national accreditation body. The annex will be subject to public consultation.
EDPB Adopts Opinion on EU-Japan Draft Adequacy Decision
On December 5, 2018, the EDPB published an opinion regarding the European Commission’s draft decision on the adequate protection of personal data by Japan. The EDPB noted the areas of convergence between the legal frameworks of each region but noted several remaining concerns, such as monitoring of compliance, the need to protect personal data transferred from the European Union to Japan throughout the entire data lifecycle, and access by public authorities to data transferred to Japan.
Belgian DPA Publishes GDPR Activity Review
On November 23, 2018, the Belgian Data Protection Authority (“DPA”) published a six-month review of its activities since the GDPR came into effect on May 25, 2018 (source document in French and in Dutch). The review assesses the impact of the GDPR, including the structural changes made to the former Belgian Privacy Commission to accommodate increased demand. Since the GDPR took effect, the Belgian DPA has received 317 reports of data breaches, 3,599 requests for information, and 148 complaints.
Belgium Adopts Law Reforming Belgian Privacy Commission
On January 10, the Law of December 3, 2017, creating the Data Protection Authority, was published in the Belgian Official Gazette (source documents in French and in Dutch). The law aims at reforming the Belgian Privacy Commission, originally established by the Law of December 8, 1992, implementing Directive 95/46/EC, and replaces the Belgian Privacy Commission with the Belgian DPA. The main purpose of the new law is to provide the Belgian DPA with more powers to fulfill its tasks under the GDPR.
Belgian DPA Publishes Prior Consultation Form in Context of DPIAs
In January, the Belgian DPA published a form to be completed for prior consultation in the context of a data protection impact assessment (“DPIA”) under Article 35 of the GDPR (source document in French and in Dutch). The form includes questions regarding details of the processing activity and how to manage risks associated with the processing activity.
Belgian DPA Issues Legal Note Defining Roles of Controllers and Processors
In January, the Belgian DPA published guidance on the role of a data controller versus data processor (source documents in French and Dutch). The guidance sets out the basic principles, definitions, and criteria to help entities identify their status as a controller or processor, as well as the data protection responsibilities of entities in each role.
CNIL Warns about Privacy Risks from Internet-Connected Toys
On December 3, 2018, the French Data Protection Authority (“CNIL”) published an article about the privacy risks that can arise from the use of internet-connected toys (source document in French). The CNIL warned about the types of data processing activities that may be carried out through internet-connected toys, such as targeted advertising directed to children. The CNIL provided guidance to customers on how to secure these toys.
CNIL Issues Guidance on Consent to Data Sharing
On December 28, 2018, the CNIL published guidance on the sharing of personal data with business partners (source document in French). The CNIL stated that companies must inform data subjects of the identity of their business partners and obtain consent before sharing any personal data with their partners. The recipient of the personal data must obtain new consent from the data subject before sharing it with additional business partners.
CNIL Publishes Booklet on Digital Interfaces
On January 18, the CNIL’s Digital Innovation Laboratory published its sixth booklet regarding best practices for the design of a digital service interface, which should incorporate privacy designs (source document in French).
CNIL Fines Internet Search Engine €50 Million
On January 21, the CNIL fined an internet search engine company up to €50 million after investigating data privacy complaints from two associations representing about 10,000 persons (source document in French). The CNIL conducted an investigation of the complaints and found two violations: the company did not provide adequate notice to users and did not have a valid legal basis to process users’ personal data for targeted advertising.
CNIL Releases Guidelines for Social Workers
On January 23, the CNIL published guidelines for social workers who assist individuals in their use of online public services (source document in French). The CNIL stressed that social workers who have access to individuals’ personal data while assisting them should: (i) request only information that is strictly necessary for use of the online public services; (ii) urge the individuals to delete any navigation history when disconnecting; (iii) not keep any information relating to such individuals; and (iv) request a written authorization prior to carrying out any formality on behalf of the individual.
Bavarian DPA to Investigate Deletion Concepts by Enterprises Using SAP Systems
In December 2018, the Data Protection Authority of Bavaria for the Private Sector (“BayLDA”) announced that it will investigate larger enterprises using SAP Enterprise-Resource-Planning systems with respect to their deletion routines. The audits will focus on GDPR compliance and timely deletion of personal data. BayLDA has not yet published selection criteria for the enterprises to be audited.
Italian DPA Verifies that Codes of Conduct Comply with GDPR
On December 24, 2018, the Italian DPA verified that Codes of Conduct issued under the pre-GDPR regime for newspaper activity, scientific and statistic research activity, and defensive investigations are consistent with the GDPR (source document in Italian). The provisions contained in the Codes of Conduct, as revised by the Italian DPA, were published in the Italian Official Gazette in January 2019 and supplement the conditions for lawful processing set forth under the GDPR and the Harmonization Decree No. 101/2018.
Italian DPA Starts Public Consultation on General Authorizations for Processing of Sensitive Data
In December 2018, the Italian DPA identified five provisions under the pre-GDPR regime for the processing of sensitive data that are compatible with the GDPR (source document in Italian). These provisions include the processing of sensitive data in the employment context, for scientific research purposes, and in other circumstances. On January 11, 2019, the DPA made these provisions available for public consultation to gather comments, observations, and proposals from all interested subjects before their final approval.
DDPA Limits WiFi Tracking to Exceptional Circumstances
On November 30, 2018, the DDPA announced that companies may track people on the street, in shopping centers, or in stations via WiFi tracking or other means on their mobile devices in only a few circumstances and under strict conditions (source document in Dutch). The DDPA published a Q&A on this subject on its website.
DDPA Clarifies “Large-Scale” Processing for Health Care Providers
On December 11, 2018, the DDPA explained that it considers all processing of personal data by hospitals, doctors, and care groups to be processing of personal data on a “large scale” (source document in Dutch). All other health care providers are considered to engage in large-scale processing of personal data if they process data of more than 10,000 patients in one information system.
Banks and Insurance Companies Meet DPO Obligations After DDPA Audit
On January 14, the DDPA completed its audit of banks and insurance companies and determined that all 45 banks and 93 insurance companies have registered a data protection officer (“DPO”) with the DDPA and published contact information for their DPO on their websites (source document in Dutch).
Spain Approves National Law Implementing GDPR
On December 5, 2018, Spain’s Parliament approved the Organic Law 3/2018 for the Protection of Personal Data and the Guarantee of Digital Rights (“LOPDGDD”), which implements the GDPR in Spain. The LOPDGDD creates rules for notifying citizens about the processing of their personal data, sets the age of consent at 14 years old, provides for the right to be forgotten on social networks or similar services, and updates the right to privacy against the use of video surveillance and sound recording in the workplace.
SDPA Publishes Data Protection Officers Registry
On December 11, 2018, the Spanish Data Protection Agency (“SDPA”) published the registry of DPOs. The registry contains the contact data of nearly 20,000 entities, of which approximately 3,000 correspond to the public sector and the rest to the private sector. Citizens who want to exercise their rights can find contact details of the DPO on the registry by searching by the company name or tax identification number.
SDPA Publishes Report on Processing of Personal Data Related to Political Opinions
On December 19, 2018, the SDPA published a report analyzing the processing by political parties of personal data related to political opinions. The report states that political parties, federations, coalitions, and constituencies can process political opinions only when they have been freely expressed by people in the exercise of their right to freedom of expression and their ideological freedom. The report also states that the processing must be proportional to the objective.
Survey Shows Increase in Data Subject Access Requests to Medical Providers
On December 14, 2018, the British Medical Association released the results of an online survey showing a more than 30 percent increase in the number of subject access requests that UK doctors are receiving each month from patients or their representatives after implementation of the GDPR. Though doctors previously were allowed to charge a reasonable fee to cover the administrative costs of completing subject access requests, the GDPR now requires that these be free of charge unless the request is “manifestly unfounded” or “excessive.” The survey also found that, on average, more than three-quarters of requests were made by companies acting on behalf of patients, such as solicitors, compared to 22 percent made by patients themselves.
Government Appoints Chair of New Geospatial Commission
On December 19, 2018, Sir Andrew Dilnot was appointed Chair of the UK Government’s new Geospatial Commission. The Commission was established in 2018 to set geospatial strategy, policy, and data standards and encourage more productive use of location-linked data. Unlike the independent Information Commissioner’s Office, the Geospatial Commission is part of the UK Government and sits within the Cabinet Office, the governmental body responsible for coordinating government policy.
The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Levent Herguner, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Audrey Paquet, Sara Rizzon, Irene Robledo, Elizabeth Robertson, Lucia Stoican, Rhys Thomas, and Kerianne Tobitsch.
Privacy Commissioner Receives Notification of Data Breach
On November 28, 2018, Hong Kong’s Privacy Commissioner for Personal Data (“Privacy Commissioner”) received a data breach notification from a consumer credit reporting agency regarding suspected security loopholes in its application procedures for credit reports. The Privacy Commissioner initiated a compliance check, and the company took immediate remedial actions to mitigate any possible losses, including freezing the affected online accounts and notifying affected individuals.
Privacy Commissioner Releases Inspection Report on Private Tutorial Services Industry
On December 28, 2018, the Privacy Commissioner released a report with the results of its inspections of the personal data systems of companies in the private tutorial services industry. While the Commissioner found that personal data protection measures are generally acceptable in the industry, there are still some inadequacies, such as unnecessary or excessive collection of personal data, indefinite data retention, improper use of personal data, and inadequate personal data security.
European Commission Adopts Adequacy Decision on Japan
On January 23, the European Commission adopted its adequacy decision on Japan, which allows personal data to flow freely under adequate data protection guarantees between the two regions. The decision includes a set of rules that will bridge several differences between the two data protection systems and a complaint mechanism for Europeans regarding access to their data by Japanese public authorities. The decision went into effect on the day of adoption.
People’s Republic of China
Committee Releases National Standard for Health Information
On December 26, 2018, the National Information Security Standardization Technical Committee released a national standard for the handling of health information called “Information Security Technology Health and Medical Information Security Guide” (“Standard”) (source document in Chinese). The Standard defines “personal health information” and requires controllers to obtain authorization from the individuals when using or disclosing their personal health information. The Standard provides measures that controllers can implement to protect personal health information, including employee training and assessment, data system management, data categorization, access control, user restrictions, and encryption.
Cyberspace Administration Approves New Rules for Blockchain Service Providers
On January 10, the Cyberspace Administration of China approved new rules for blockchain service providers called the “Provisions on the Administration of Blockchain Information Services,” which will take effect on February 15 (source document in Chinese). The Provisions require blockchain service providers to register with the Cyberspace Administration of China and be subject to regular monitoring. Blockchain service providers must implement comprehensive measures, such as user registration and identity verification, and report to the government any new products, applications, or functions before launching them.
Government to Inspect Data Collection through Mobile Applications
On January 25, four government agencies announced a campaign to inspect mobile applications that obtain personal information (source documents in Chinese). Between January and December, the government will inspect mobile applications to ensure that they comply with cybersecurity laws when collecting or processing personal information. The campaign will evaluate data privacy policies on the applications and the type and amount of personal information collected through the applications. The campaign will focus on applications that have a large number of users or are closely related to users’ daily life. Applications that pass the inspection will receive verification certificates, while those that fail will be referred to law enforcement.
IMDA Launches Data Protection Trustmark Certification
On January 9, the Infocomm Media Development Authority (“IMDA”) announced that its Data Protection Trustmark (“DPTM”) certification was available for applicants. DPTM is a voluntary enterprise-wide certification of a company’s data protection policies, processes, and accountability practices that is meant to help companies build trust with consumers by demonstrating accountable data protection practices. The certification is valid for three years.
The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.
New Legislation Provides Law Enforcement Access to Communications
On December 6, 2018, Parliament passed the Telecommunications and Other Legislation (Assistance and Access) Act 2018. The Act amended existing legislation to require designated communications providers to grant access to communications on their platforms when requested by law enforcement agencies investigating serious offenses that are punishable by a term of imprisonment of three years or more. The Australian Federal Government has agreed to consider amendments to the Act proposed by the Opposition Labour Party and industry groups in the new legislative session, so the Act may be amended in the short term.
Federal Government Introduces Consumer Data Rights Legislation
On January 13, the Australian Federal Government introduced legislation to Parliament that would establish the Consumer Data Right (“CDR”). The CDR would allow consumers to access data held by businesses about their consumption of goods and services, and would allow consumers to obtain the data directly from businesses in a standard format. If the Australian Parliament passes the legislation, the CDR will apply to the banking sector incrementally starting on July 1, 2019.
The following Jones Day lawyers contributed to this section: Adam Salter and Drew Broadfoot.