On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.
On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).
On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.
After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.
Compared to previous drafts of the law, the final version of the DSL differs with respect to:
- establishing a work coordination mechanism and clarifying the duties of each governmental authority;
- establishing an administration system for state core data;
- encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
- protecting the security of government data; and
- increasing the punishment dynamics for violations of the law.
On June 15, 2021, the U.S. Senate confirmed Lina Khan to the Federal Trade Commission by a vote of 69-28. Khan will fill the vacancy left by former Chairman Joseph Simons (R) who resigned from the FTC in January 2021.
On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.
On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.
July 1, 2021 marks the deadline for certain businesses to comply with the metrics reporting obligations under the California Consumer Privacy Act of 2018 (“CCPA”) regulations. Section 999.317(g) of the regulations applies to any business that is subject to the CCPA and that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more California residents in a calendar year.
As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.
On June 3, 2021, the U.S. Supreme Court in Van Buren v. United States reversed the U.S. Court of Appeals for the Eleventh Circuit’s decision to uphold the conviction of Nathan Van Buren, a former Georgia police sergeant alleged to have violated the Computer Fraud and Abuse Act of 1986 (“CFAA”) when accessing a law enforcement database for a non-law-enforcement purpose against his department’s policy. Van Buren, the target of an FBI sting operation, had accessed the database to look up license plate information in exchange for money. The Court addressed a split in authority among the circuits regarding the scope of liability under the CFAA.