On November 19, 2019, the Federal Trade Commission announced that Medable, Inc. (“Medable”) agreed to settle allegations that the company had misrepresented its participation in the EU-U.S. Privacy Shield program. The FTC alleged that, from December 2017 to October 2018, Medable falsely claimed in its online privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the framework’s principles. According to the complaint, although Medable did initiate an application with the Department of Commerce in December 2017, the company never completed the steps necessary to participate in the framework.

Continue Reading Company Settles FTC Allegations of Privacy Shield Misrepresentation

On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.

Continue Reading CIPL Issues Discussion Paper on Organizational Accountability in Light of FTC Consent Orders

On November 7, 2019, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced a $1.6 million civil penalty imposed against the Texas Health and Human Services Commission (“TX HHSC”), a state agency, for violations of HIPAA Privacy and Security Rules in connection with the unauthorized disclosure of electronic protected health information (“ePHI”). The ePHI breach – which exposed names, addresses, Social Security numbers, and treatment information of at least 6,617 individuals – was first reported to OCR on June 11, 2015, by Texas’s Department of Aging and Disability Services (“DADS”).

Continue Reading HHS Imposes 1.6 Million Dollar Civil Penalty on Texas State Agency for Health Data Breach

On October 22, 2019, the drafting group of China’s National Information Security Standardization Technology Committee (“NISSTC”) released a third set of draft amendments to the Information Security Technology – Personal Information Security Specification (GB/T 35273 – 2017) (the “Updated Draft Specification”). The original Specification, first issued on December 29, 2017, became effective May 1, 2018, and saw earlier draft amendments on February 1, 2019 and June 25, 2019. The NISSTC received more than 400 public comments on the proposed June amendments. The latest draft amendment was issued without a public comment period.

Continue Reading China Issues Updated Draft Amendments to Information Security Technology Specification

On November 18, 2019, Hunton Andrews Kurth will host a networking luncheon in the firm’s Brussels office. The luncheon will feature Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board (“EDPB”), and will focus on the role of the EDPB and cooperation between supervisory authorities (“SAs”) in cross-border matters.

Continue Reading Brussels Event: The Role of the EDPB and the Cooperation of SAs

The European Data Protection Board recently published on its website that the Austrian Data Protection Authority (“Austrian DPA”) imposed an €18 million fine (approximately $20 million) on the Austrian Postal Service, Österreichische Post AG (“ÖPAG”), for various violations of the EU General Data Protection Regulation (“GDPR”). After conducting an investigation, the Austrian DPA established that ÖPAG unlawfully processed and sold data with respect to its customers’ alleged political affinities. Another GDPR violation was related to the ÖPAG’s further processing of data on package frequency and frequency of relocations for direct marketing purposes.

The fine is not yet final as it may still be appealed before the Austrian Federal Administrative Court.

On November 5, 2019, Representatives Anna G. Eshoo (CA) and Zoe Lofgren (CA) introduced the Online Privacy Act (the “Act”), which proposes sweeping legislation that would create federal privacy rights for individuals, require companies to adhere to data minimization and establish a federal Digital Privacy Agency (“DPA”).

Continue Reading Representatives Eshoo and Lofgren Introduce Online Privacy Act

On November 5, 2019, the Berlin Commissioner for Data Protection and Freedom of Information (“the Berlin Commissioner,” Berliner Beauftragte für Datenschutz und Informationsfreiheit) announced that it had imposed a fine of €14.5 million (approximately $16 million) on Deutsche Wohnen SE, a prominent real estate company. This is the highest fine issued in Germany since the EU General Data Protection Regulation (“GDPR”) became applicable.

Continue Reading Berlin Commissioner Issues Fine to Deutsche Wohnen SE

On October 30, 2019, Facebook reached a settlement with the UK Information Commissioner’s Office (“ICO”) under which it agreed to pay (without admission of liability) the £500,000 fine imposed by the ICO in 2018 in relation to the processing and sharing of its users’ personal data with Cambridge Analytica.

Continue Reading Facebook Reaches Settlement with ICO over £500,000 Data Protection Fine

On November 19, 2019, Hunton Andrews Kurth will host an in-person breakfast briefing in the firm’s London office to explore the California Consumer Privacy Act (“CCPA”), against the backdrop of the EU General Data Protection Regulation (“GDPR”).

In the seminar, we will discuss:

  • The CCPA in the context of the GDPR, covering the similarities and differences between the frameworks
  •  Key CCPA obligations
  • The CCPA’s approach to enforcement and penalties
  • How businesses are approaching CCPA compliance, and leveraging their GDPR work

The event will be led by Hunton partners Bridget Treacy and Aaron Simpson. Space is limited. For more information and to register, please click here.