On February 28, 2019, Thailand’s National Legislative Assembly finally approved and endorsed the draft Personal Data Protection Act (the “PDPA”), which will now be submitted for royal endorsement and subsequent publication in the Government Gazette. Publication is anticipated to occur within the next few weeks.
On March 8, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a white paper on Regulatory Sandboxes in Data Protection: Constructive Engagement and Innovative Regulation in Practice (the “White Paper”). The release of the White Paper follows a joint roundtable held by CIPL and senior staff from the UK Information Commissioner’s Office (“ICO”) on February 19, 2019. Over 35 CIPL members attended the full-day roundtable, exchanging views on how the regulatory sandbox should work in practice, discussing the benefits of participation and key questions around appropriate safeguards upon entering and exiting the sandbox, as well as sharing examples of innovative projects where a sandbox may be useful.
On March 5, 2019, the Global Privacy Enforcement Network (“GPEN”), a global network of more than 60 data protection authorities (“DPAs”) around the world, published the results of its 2018 intelligence gathering operation on organizations’ data privacy accountability practices (the “Sweep”). On the same date, some participating DPAs released the results of the Sweep exercise carried out in their respective jurisdiction.
On March 5, 2019, the Federal Trade Commission announced that it is seeking comment on proposed changes to the FTC’s Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act (“GLB”).
The proposed amendments to the Safeguards Rule, which went into effect in 2003 and imposes data security obligations on financial institutions over which the Commission has jurisdiction, are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners. The proposed changes would add more detailed requirements on how financial institutions must protect customer information.
On February 26, 2019, the European Data Protection Board (the “EDPB”) presented its first overview of the GDPR’s implementation and the roles and means of the national supervisory authorities to the European Parliament (the “Overview”).
The Overview provides key statistics relating to the consistency mechanism among national data protection authorities (“DPAs”), the cooperation mechanism of the EDPB, the means and powers of the DPAs and enforcement of the GDPR at the national level.
During the week of February 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP participated in the meetings of the APEC Data Privacy Subgroup (“DPS”) and Electronic Commerce Steering Group (“ECSG”) in Santiago, Chile. CIPL enjoys formal guest status and a seat at the table at these bi-annual APEC privacy meetings.
On February 27, 2019, the Federal Trade Commission announced a record $5.7 million civil penalty against popular video creation and sharing app Music.ly (now known as TikTok) for violations of U.S. children’s privacy rules. According to the FTC’s complaint, Music.ly is designed to appeal to young children (among others), and the company was aware that a significant percentage of Music.ly users were children under the age of 13. The FTC also alleged that Music.ly gained actual knowledge of underage use from parents who unsuccessfully sought to have their children’s information deleted. Under the FTC’s settlement, in addition to paying the penalty, Music.ly must destroy or obtain parental consent for all previously improperly collected children’s information.
On February 25, 2019, the European Data Protection Board (the “EDPB”) issued a statement regarding the transfer of personal data from Europe to the U.S. Internal Revenue Service (the “IRS”) for purposes of the U.S. Foreign Account Tax Compliance Act (“FATCA”).
Enacted in 2010, FATCA requires that foreign financial institutions report information about financial accounts and assets held by their U.S. account holders to the IRS. Such institutions are required to register directly with the IRS to comply with FATCA or comply with intergovernmental agreements signed between the foreign country and the U.S. government. FATCA was designed to combat tax evasion by U.S. persons holding accounts and other financial assets offshore.
On February 22, 2019, California state senator Hannah Beth-Jackson introduced a bill (SB-561) that would amend the California Consumer Privacy Act of 2018 (“CCPA”) to expand the Act’s private right of action and remove the 30-day cure period requirement for enforcement actions brought by the State Attorney General. The bill would not change the compliance deadline for the CCPA, which remains January 1, 2020. California Attorney General Xavier Becerra supports the amendment bill, characterizing it as “a critical measure to strengthen and clarify the CCPA.”
The Belgian Data Protection Authority (the “Belgian DPA”) recently published (in French and in Dutch) the updated list of the types of processing activities which require a data protection impact assessment (“DPIA”). Article 35.4 of the EU General Data Protection Regulation (“GDPR”) obligates supervisory authorities (“SAs”) to establish a list of the processing operations that require a DPIA and transmit it to the European Data Protection Board (the “EDPB”).