In the February 2021 issue of the “Data Protection Leader,” Hunton partner Dora Luo discusses China’s draft Personal Information Protection Law in the context of other comprehensive data protection frameworks, such as the EU General Data Protection Regulation. This post includes a link to download the full article.
Continue Reading Hunton Partner Dora Luo Publishes “China: The Draft PIPL and the GDPR – A Comparative Perspective”

As we previously reported, significant data privacy bills, titled the Consumer Data Protection Act, are working their way through the Virginia legislature. If enacted, Virginia would be the second state to enact major data privacy legislation of general applicability.
Continue Reading Virginia Moves Closer to Be the Second State to Enact Major Privacy Legislation

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.
Continue Reading European Commission Publishes Draft UK Data Transfer Adequacy Determination

On February 10, 2021, the European Data Protection Supervisor published two opinions on the European Commission’s proposals for a Digital Services Act and a Digital Markets Act. The two proposals are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.
Continue Reading EDPS Publishes Opinion on Digital Services Act and Digital Markets Act

On February 5, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth submitted a response to the European Commission’s public consultation on the Commission’s Proposal for a Regulation on European Data Governance. This proposal is the first set of initiatives announced under the broader European Data Strategy.
Continue Reading CIPL Submits Response to European Commission’s Proposal for a Regulation on European Data Governance

On January 27, 2021, the French Data Protection Authority announced that it imposed a fine of 150,000 Euros on a data controller, and a fine of 75,000 Euros on its data processor, for failure to implement adequate security measures to protect customers’ personal data against credential stuffing attacks on the website of the data controller. The CNIL decided not to make its decisions public, thereby not disclosing the name of the companies sanctioned.
Continue Reading CNIL Fines a Data Controller and Its Processor 225,000 Euros for Security Violation in Connection with Credential Stuffing

The recent UK case of Soriano v Forensic News and Others tested the territorial reach of the General Data Protection Regulation and represents the first UK judgment dealing with the territorial scope of the GDPR. This was a “service out” case, where the claimant, Walter T. Soriano, sought the Court’s permission under the UK Civil Procedure Rules to serve proceedings on the defendants, who were all domiciled in the U.S.
Continue Reading UK Case Tests the Territorial Application of the GDPR to U.S. Run Website

On January 18, 2021, the European Data Protection Board released draft Guidelines 01/2021 on Examples regarding Data Breach Notification. The Guidelines aim to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.
Continue Reading EDPB Publishes Guidelines on Examples regarding Data Breach Notification