On May 22, 2019, the European Data Protection Board (the “EDPB”) published on its website a summary of enforcement actions taken by the European Economic Area Supervisory Authorities (“EEA Supervisory Authorities”) one year after the entry into force of the General Data Protection Regulation (the “GDPR”). Reflecting on the growing numbers of data controllers designating a lead supervisory authority, the EDPB reported that of the 446 cross-border cases opened by EEA Supervisory Authorities, 205 of these cases have led to One-Stop-Shop procedures. The EDPB indicated that 144,000 queries and complaints (the term has not yet been defined by the EDPB) and over 89,000 data breaches have been logged by EEA Supervisory Authorities. The majority of cases (63%) have now been closed and 37% remain ongoing. In addition, the EDPB indicated that the majority of EU citizens polled (67%) have at least heard of the GDPR and 36% of these EU citizens indicated that they are well aware of what the regulation entails. Finally, EEA Supervisory Authorities have reported that while the GDPR cooperation procedures are robust and efficient, they were time and resource intensive. The EDPB is now taking stock of this to build its upcoming working program for 2019 and 2020.
On May 16, 2019, the California State Senate Appropriations Committee did not approve SB 561, a bill that would have amended the California Consumer Privacy Act (“CCPA”) to expand the private right of action to permit consumers to sue for any violations of the CCPA. The Committee’s decision to hold the bill means it will not pass out of the Senate this session.
Continue Reading California Senate Committee Declines to Expand Private Right of Action under the CCPA
On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.
On May 6, 2019, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement and $3 million settlement with Touchstone Medical Imaging (“Touchstone”). The settlement is the first OCR HIPAA enforcement action in 2019, following an all-time record year of HIPAA enforcement in 2018.
As reported by Bloomberg Law, on May 7, 2019, Washington State Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law. The new requirements include the following:
- Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information.” Washington’s breach notification law previously defined personal information as an individual’s name in combination with the individual’s Social Security number, state identification card number, or financial account or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. HB 1071 adds the following data elements to the definition, when compromised in combination with an individual’s name:
- full date of birth;
- private key that is unique to an individual and that is used to authenticate or sign an electronic record;
- student, military or passport identification number;
- health insurance policy number or health insurance identification number;
- any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
- biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.
On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.
On May 3, 2019, the International Association of Privacy Professionals (“IAPP”) honored Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy with the 2019 IAPP Privacy Vanguard Award during its Global Privacy Summit in Washington, D.C. The IAPP also honored European Data Protection Supervisor Giovanni Buttarelli with its 2019 Privacy Leadership Award. Since the early 2000s the IAPP has recognized professionals and organizations making a difference in the world of privacy through these yearly awards.
In late April, the California state legislature’s Privacy and Consumer Protection Committee held hearings on nine bills that seek to refine the California Consumer Privacy Act of 2018 (“CCPA”) by clarifying the legislation and limiting its scope. Eight bills advanced to the Assembly Appropriations Committee; the ninth is non-fiscal and will next be heard by the full Assembly. Last week, the California Assembly Appropriations Committee approved three of the bills. These bills, now on the Assembly’s “Consent Calendar,” will be heard this week. The Appropriations Committee will hold hearings on the other five bills in the next two weeks.
From the Assembly’s Appropriations Committee, bills must go through the full Assembly, the California Senate and the California governor to be enacted as law. Continue Reading Bills Proposing to Amend the CCPA Move Forward in California Assembly
On April 26, 2019, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights announced reductions in available penalties for three out of four tiers of privacy and security violations set forth in the HITECH Act, based on the severity of the violation. Previously, all four tiers of violation were subject to a maximum annual civil monetary penalty of $1.5 million. The revised regime provides for maximum civil penalties of $25,000 for the lowest tier of violation (i.e., unknowing violations), $100,000 for the second tier of violation (i.e., violations where the company had a reasonable cause for the violation occurring) and $250,000 for the third tier of violation (i.e., where the company is willfully neglectful but corrects the violation within 30 days). The maximum penalty for violations resulting from uncorrected willful neglect will remain $1.5 million. The revised penalty tier was published in a Federal Register Notice, which explained HHS’s determination that a better reading of the HITECH Act is to apply annual penalty limits according to severity of the violation. The new penalty rates are effective immediately.
At its annual conference, CYBERUK, the National Cyber Security Centre (the “NCSC”), pledged not to pass on confidential information about cyberattacks to the UK Information Commissioner’s Office (the “ICO”) without the consent of the affected organization. This commitment is an attempt to reassure organizations, encouraging them to report and seek assistance in the event of a cybersecurity incident.