At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.
The European Commission has issued an EU-wide recall of the Safe-KID-One children’s smartwatch marketed by ENOX Group over concerns that the device leaves data such as location history, phone and serial numbers vulnerable to hacking and alteration. The watch is equipped with GPS, a microphone and speaker, and has a companion app that grants parents oversight of the child wearer. According to a February 1, 2019 alert posted on the EU’s recall and notification index for nonfood products, flaws in the product could permit malicious users to send commands to any Safe-KID-One watch, making it call any other number, and to communicate with the child wearing the device or locate the child through GPS. The European Commission concluded that, as a result, the device does not comply with the 1994 Radio Equipment Directive. This recall follows Germany’s November 2017 ban on smartwatches for children.
In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.
On January 22, 2019, the European Data Protection Board (“EDPB”) issued a report on the Second Annual Review of the EU-U.S. Privacy Shield (the “Report”). Although not binding on EU or U.S. authorities, the Report provides guidance to regulators in both jurisdictions regarding implementation of the Privacy Shield and highlights the EDPB’s ongoing concerns with regard to the Privacy Shield. We previously blogged about the European Commission’s report on the second annual review of the Privacy Shield, and the joint statement of the European Commission and Department of Commerce regarding the second annual review.
The Illinois Supreme Court ruled today that an allegation of “actual injury or adverse effect” is not required to establish standing to sue under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”). This post discusses the importance of the ruling to current and future BIPA litigation.
Hundreds of contractors and subcontractors with connections to U.S. electric utilities and government agencies have been hacked, according to a recent report by the Wall Street Journal. The U.S. government has linked the hackers to a Russian state-sponsored group, sometimes called Dragonfly or Energetic Bear. The U.S. government alerted the public that the hacking campaign started in March 2016, if not earlier, although many of its victims were unaware of the incident until notified by the Federal Bureau of Investigation and Department of Homeland Security, the Wall Street Journal reports.
On January 23, 2019, the European Commission announced that it has adopted its adequacy decision on Japan (the “Adequacy Decision”). According to the announcement, Japan has adopted an equivalent decision and the adequacy arrangement is applicable with immediate effect.
On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile device and create a Google account, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. The CNIL’s enforcement action was the result of collective actions filed by two not-for-profit associations. This fine against Google is the first fine imposed by the CNIL under the GDPR and the highest fine imposed by a supervisory authority within the EU under the GDPR to date.
On January 15, 2019, the UK House of Commons rejected the draft Brexit Withdrawal Agreement negotiated between the UK Prime Minister and the EU by a margin of 432-202. While the magnitude of the loss sets in motion a process which could potentially have resulted in an early general election being held, on January 16 a majority of British Members of Parliament rejected a vote of no confidence in Theresa May’s government.
As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without plaintiff’s consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.