On May 25, 2021, the Grand Chamber of the European Court of Human Rights handed down its judgement in the case of Big Brother Watch and Others v. the United Kingdom, determining that the former surveillance regime in the UK violated Article 8 of the European Convention on Human Rights (“ECHR”), i.e., the right to respect for private and family life.

Continue Reading European Court of Human Rights Says Bulk Interception Is Not a Violation of Human Rights

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

Continue Reading European Commission Publishes Final Version of Updated Standard Contractual Clauses

On June 3, 2021, Google informed app developers that beginning in late 2021, when Android 12 OS users opt out of personalized ads, the advertising ID provided by Google Play services (the Google Ad ID, or “GAID”) will not be made available to app developers for any purpose.

Continue Reading Google to Prevent App Developers from Using Advertising ID for Any Purpose Following User Opt-Out

Hunton Andrews Kurth LLP partner Lisa J. Sotto, chair of the firm’s Global Privacy and Cybersecurity practice, has been recognized by Chambers and Partners with the 2021 Outstanding Contribution to the Legal Profession award. This honor is given to one lawyer each year for exceptional achievements.

Continue Reading Chambers and Partners Honors Hunton’s Lisa Sotto for Outstanding Contribution to the Legal Profession

On May 25, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted its response (in English and in Mandarin) to the Standing Committee of the National People’s Congress (“NPC”) of the People’s Republic of China on the updated version of the Draft Personal Information Protection Law (“PIPL”).

Continue Reading CIPL Submits Comments on China’s Updated Draft Personal Information Protection Law

On May 27, 2021, the European Data Protection Supervisor (the “EDPS”) announced that it has opened two investigations regarding (1) the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies; and (2) the use of Microsoft Office 365 by the European Commission.

Continue Reading EDPS Opens Investigations Following Schrems II Judgment

On May 27, 2021, the U.S. Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”) announced a Security Directive (the “Directive”) that will impose new cybersecurity requirements on critical pipeline owners and operators. Continue Reading U.S. Department of Homeland Security Announces Pipeline Cybersecurity Directive

On May 26, 2021, the Court of Appeal handed down its judgment in the case of R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, finding that the UK 2018 Data Protection Act’s (“DPA 2018”) “immigration exemption” is unlawful.

Continue Reading UK Court of Appeal Signals It Will Closely Scrutinize UK DPA Exemptions

On May 25, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Peachstate Health Management, LLC (“Peachstate”) for violations of the HIPAA Security Rule. As part of this settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay OCR $25,000 and to implement a robust corrective action plan. Continue Reading HHS Reaches Settlement with Clinical Laboratory for Alleged Violations of HIPAA Security Rule

On May 20, 2021, the Belgian Data Protection Authority (“Belgian DPA”), as the lead authority (in collaboration with two co-reviewing authorities), announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (the “EU Cloud CoC”). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation (the “GDPR”).

Continue Reading Belgian DPA Approves First EU Data Protection Code of Conduct for Cloud Service Providers