Jones Day Global Privacy & Cybersecurity Update | Vol. 27 – Technology
Jones Day Cybersecurity, Privacy & Data Protection Lawyer
Spotlight: Amy Harman Burkart
Cyber threat actors target businesses of every size, in all
sectors, with a variety of motivations. Many seek financial gain in
the form of a ransomware payment or payout of a fraud scheme. Other
threat actors seek to steal intellectual property, or to disrupt
business operations. These attacks present far-reaching challenges
for businesses, from navigating the immediate operational issues to
assessing notification obligations and defending against ensuing
regulatory investigations and litigation focused on the adequacy of
businesses’ data security and incident response. Amy Harman
Burkart, of counsel in the Boston Office, guides businesses through
each stage of responding to a cyber incident. With a decade of
experience investigating and prosecuting cyber, intellectual
property, and financial crimes, Amy directs internal forensic
investigations, guides clients to respond effectively and
efficiently to the event, and represents them in related legal
challenges.
Amy is the former chief of the Cybercrime Unit at the United
States Attorney’s Office in Boston, Massachusetts. She is an
experienced trial lawyer who directed investigative teams from the
Federal Bureau of Investigation (“FBI”), Secret Service,
Department of Homeland Security, U.S. Food & Drug
Administration (“FDA”), and the Internal Revenue Service
on computer intrusions, data breaches, network attacks, securities
fraud, theft of trade secrets, insider trading, money laundering,
trafficking in counterfeit goods, fraud schemes, and national
security cyber activity. Amy previously worked in private practice
in Boston and New York, where she represented clients in criminal
matters and civil litigation related to securities, accounting, and
other financial matters.
UNITED STATES
Regulatory-Policy, Best Practices, and Standard
NIST Unveils Draft Guidance to Protect Critical
Infrastructure
On October 22, 2020, the National Institute of Standards and
Technology (“NIST”) released a draft of the Cybersecurity Profile for the
Responsible Use of Positioning, Navigation, and Timing
(“PNT”) Services (“Profile”) to extend the NIST
Cybersecurity Framework to the use of PNT services (e.g., the Global
Positioning System) across economic sectors. Developed in response
to a February 2020 Executive Order, the Profile aims “to help organizations identify
systems, networks, and assets dependent on PNT services; identify
appropriate PNT services; detect the disruption and manipulation of
PNT services; and manage the associated risks to the systems,
networks, and assets dependent on PNT services.”
NIST Releases Guidelines on Information Technology and
Storage Infrastructure
On October 26, 2020, NIST released the Security Guidelines for Storage
Infrastructure. The guidelines “span [security focus areas]
that are common to the entire IT infrastructure, such as physical
security, authentication and authorization, change management,
configuration control, incident response, and recovery,” as
well as storage-specific technologies, including network-attached
storage, storage area networks, data protection, data isolation,
restoration assurance, and encryption.
Regulatory-Consumer and Retail
FTC Announces Settlement With Video Conferencing
Provider
On November 9, 2020, the Federal Trade Commission
(“FTC”) announced a proposed settlement of its
administrative complaint with a video conferencing technology
provider. The complaint alleged that the company misled consumers
about the security of their communications on the platform when it
undermined a browser’s security features. The proposed
settlement will require the company to establish, implement, and
maintain an information security program to protect the security of
its users and obtain biennial assessments of its security
program.
FTC Issues Financial Report for
2020
On November 16, 2020, the FTC issued its Fiscal Year 2020 Agency Financial
Report. The report includes annual audited financial statements, as
well as “the Office of the Inspector General’s assessment
of the FTC’s key management accomplishments and opportunities
for performance improvements.”
Security Firm Discloses Security Breach
On December 8, 2020, a security firm announced it had been attacked by a suspected
state-sponsored threat actor utilizing novel techniques. The
company announced that the attacker targeted the assessment tools
it used to test customers’ security. The company is
investigating the attack together with the FBI and other partners.
The company made countermeasures that can detect or block the use
of compromised tools available publicly on its blog.
Regulatory-Financial
FINRA Alerts Firms to Phishing
Scheme
On November 30, 2020, the Financial Industry Regulatory
Authority (“FINRA”) warned member firms of an ongoing phishing
campaign involving a fraudulent email domain. FINRA asked the
internet domain registrar to suspend services for this domain.
Regulatory-Energy/Utilities
Treasury Sanctions Russian Government Institution for
Developing Malware
On October 23, 2020, the Department of the Treasury’s
Office of Foreign Assets Control (“OFAC”) sanctioned a Russian government institution for
developing the Triton malware. The Triton malware was identified in
a 2017 cyber attack targeting industrial safety systems at a Middle
Eastern petrochemical facility, and has since been discovered
probing numerous U.S. electric utilities. Pursuant to Section 224
of the Countering America’s Adversaries Through Sanctions Act,
OFAC has designated the entity as undermining the cybersecurity of
U.S. critical infrastructure.
NERC Expands Key Cybersecurity
Program
On November 31, 2020, the North American Electric
Reliability Corporation (“NERC”) partnered with the
Department of Energy to expand the Cybersecurity Risk Information
Sharing Program to include operational technology. The expansion
includes two operational technology pilot programs to identify
potential cyber threats to utilities’ industrial control
systems.
Regulatory-Health Care/HIPAA
Agencies Issue Joint Advisory Warning of Cybercrime
Threat to Health Care Providers
On October 28, 2020, the Cybersecurity and Infrastructure
Security Agency (“CISA”), FBI, and the United States
Department of Health & Human Services (“HHS”) coauthored a joint cybersecurity advisory
warning that the agencies “have credible information of an
increased and imminent cybercrime threat to U.S. hospitals and
health care providers.” The advisory described tactics,
techniques, and procedures used to infect target systems in the
health care and public health sector with ransomware. The
ransomware attacks have led to the disruption of health care
services and created a heightened risk for health care
organizations dealing with the COVID-19 pandemic.
HHS Proposes Changes to HIPAA
Rule
On December 10, 2020, HHS proposed significant changes to the Health
Insurance Portability and Accountability Act (“HIPAA”)
Privacy Rule. If adopted, the new rule would provide individuals
with greater access to their health information, clarify
permissible information sharing procedures for case coordination
and management, and expand the ability to disclose protected health
information under certain circumstances. The agency will accept
comments on the proposed rule for 60 days following its publication
in the Federal Register. For more information, please see our Jones
Day Alert.
Regulatory-Defense and National Security
DoD Rolls Out New Security Requirements for Government
Contracts
On November 30, 2020, the interim rule of the Department
of Defense (“DoD”) implementing the Cybersecurity
Maturity Model Certification (“CMMC”) framework went into
effect. The interim rule, which the DoD issued on September 29,
2020, defines five cybersecurity levels implementing controls from
NIST SP 800-171 for contractors. The DoD will begin implementing
requirements for Level 3 and below in fiscal year 2021. The DoD is
currently reviewing pilot nominations and anticipates contract
awards in late 2021 after the contractors undergo appropriate CMMC
assessments. All contractors “must achieve the required CMMC
level at time of contract award, and flow down the appropriate CMMC
requirement to subcontractors.” For more information, please
see our Jones Day Commentary.
CISA Issues Emergency Directive on Cyber Threat to
Government and Businesses
On December 13, 2020, CISA issued an Emergency
Directive and followed, on December 17, 2020, with Alert (AA20-352A) that reported a cyber attack
on United States government agencies, critical infrastructure
entities, and private sector organizations by an advanced
persistent threat actor, beginning in at least March 2020. One of
the initial attack vectors leveraged a supply chain compromise of a
software suite. CISA ordered the affected agencies to
“immediately disconnect or power down” two versions of
the software products from their networks. The threat poses a grave
risk to government agencies, critical infrastructure entities, and
a variety of private sector organizations. The software provider,
CISA, and cybersecurity industry are rapidly releasing intelligence
and potential remedial countermeasures. For more information,
please see our Jones Day Alert.
U.S. Government Responds to Significant Cyber
Incident
On December 16, 2020, the FBI, CISA, and the Office of
the Director of National Intelligence announced the formation of a Cyber Unified
Coordination Group to coordinate a whole-of-government response to
an ongoing cybersecurity event affecting a software provider to the
U.S. government. The chairman of the House Permanent Select
Committee on Intelligence said the “intrusions reinforce the need
to secure our unclassified government networks and those in the
private sector that partner with the government.”
Regulatory-Transportation
NHTSA Solicits Public Comment on Automated Driving
System Safety Principles
On November 19, 2020, the U.S. Department of
Transportation’s National Highway Traffic Safety Administration
(“NHTSA”) published an advance notice of public
rulemaking on the development of a framework of principles to
govern the safe behavior of automated driving systems. The
rulemaking is intended to address safety, security, and privacy
“without hampering innovation in the development of automated
driving systems.”
Litigation, Judicial Rulings, and Enforcement Actions
State Attorneys General Ask Supreme Court for Broad
Interpretation of Autodialer
On October 23, 2020, attorneys general from 36 states and
the District of Columbia submitted an amicus brief asking the Supreme
Court to interpret the definition of an “autodialer”
broadly under the Telephone Consumer Protection Act
(“TCPA”). The complaint alleged that a social media
company violated the TCPA prohibition on the use of “any
automatic telephone dialing system or an artificial or prerecorded
voice” to send text messages to cell phones. The attorneys
general challenged the company’s contention that a device must
use a random or sequential number generator to qualify as an
autodialer, arguing that the statute encompassed “any device
with the capacity to store and dial numbers
automatically.”
Third-Party Database Manager May Owe a Duty of Care in
Hotel Data Breach
On October 26, 2020, a federal court denied in part a third-party technology
provider’s motion to dismiss claims in multidistrict litigation
stemming from its management of hotel guest reservation databases
that suffered a large data breach discovered in 2018. The data
breach involved the theft of millions of unencrypted passport
numbers and payment card data from the hotel’s reservation
database for more than four years. The provider was a named
defendant in a class action lawsuit brought against the hotel chain
claiming it negligently provided security consulting services. The
court denied the motion with respect to certain claims after
finding that the plaintiff adequately alleged a duty of care under
Maryland, Connecticut, and Florida law.
Eleventh Circuit Vacates FACTA Class Action
Settlement
On October 28, 2020, a split en banc Eleventh Circuit held that to establish Article III standing
under the Fair and Accurate Credit Transactions Act
(“FACTA”), plaintiffs must show a material risk of
identity theft. Vacating the lower court’s approval of a class
settlement, the appeals court held that printing more credit card
digits on a receipt than FACTA allows is not a concrete harm
establishing Article III standing. The ruling aligns the Eleventh
Circuit with the Second, Third, and Ninth Circuits in requiring
concrete harm to establish standing in FACTA cases.
Judge Dismisses Data Breach Class Action for Lack of
Standing
On November 5, 2020, a Massachusetts district court
dismissed a class action against a department store because the
plaintiff failed to allege an impending risk of identity theft from
the breach or misuse of personal information. The judge found that
the data exposed by a 2019 data breach “was not highly
sensitive,” and that immediately canceling one’s credit
card could mitigate risks of recurrent credit card fraud.
CCPA Lawsuit Alleges Failure to Maintain Reasonable
Security Measures for Electronic Payments
On November 9, 2020, plaintiffs filed a class action alleging that a
restaurant chain’s use of magnetic strip technology rather than
EMV chip readers for payment card transactions violated the
California Consumer Privacy Act (“CCPA”) because the
“unsecure” payment method put customers’ data at
“unnecessary risk.” Between May 2019 and September 2020,
the chain experienced multiple breaches of its customers’
unredacted and unencrypted personally identifiable information,
including customers’ first and last names, their payment card
numbers, and security codes.
Car Manufacturer Faces Class Action Regarding Web User
Tracking Software
On November 11, 2020, plaintiffs filed a class action
lawsuit in federal court against a car manufacturer and its
marketing analytics software provider, alleging that the companies
illegally wiretapped the electronic communications of visitors to
the manufacturer’s websites. The software provided to the
company observed and recorded website visitors’ keystrokes,
mouse clicks, and other web activity in real time. The complaint
asserts claims under multiple sections of the California penal code
and invokes the California constitutional right of privacy.
Satellite Television Provider Pays $126M Settlement for
Telemarketing Violations
On December 7, 2020, a satellite television provider reached a $126 million settlement with the
Department of Justice (“DOJ”), as well as the attorneys
general of California, Illinois, North Carolina, and Ohio to
resolve alleged violations of the FTC Act and the TCPA. The company
was accused of making unsolicited calls to consumers who were
either listed on the Do Not Call Registry or had previously
declined to receive sales calls from the provider. The DOJ’s press release stated that the settlement was
“the largest civil penalty ever paid to resolve telemarketing
violations under the FTC Act, and exceeds the total penalties paid
to the government by all prior violators” of the FTC’s
Telemarketing Sales Rule.
Legislative-Federal
IoT Cybersecurity Improvement Act Becomes
Law
On December 4, 2020, the president signed the Internet of Things (“IoT”) Cybersecurity
Improvement Act (“IoT Act”). The IoT Act requires
NIST to develop and publish standards and guidelines on minimum
information security requirements for how the federal government
should appropriately use and manage IoT devices. NIST’s
guidelines also may serve as a guide to state governments and the
private sector. For more information, please see our Jones Day Alert.
Legislative/Executive-States
California Voters Approve CPRA
On November 3, 2020, California voters approved the California Privacy Rights Act
(“CPRA”), a consumer privacy ballot initiative that
introduces significant amendments to the CCPA. The CPRA affords
California residents significantly more control over their personal
information, imposes heightened compliance obligations on covered
businesses, and establishes a new enforcement agency dedicated to
consumer privacy. The CPRA’s substantive provisions become
effective on January 1, 2023, and new regulations are expected to
be introduced by July 1, 2022. For more information, please see our
Jones Day Commentary.
Portland, Maine Enhances Facial Recognition
Ban
On November 3, 2020, voters in Portland, Maine passed a ballot initiative enhancing an
existing ban on the use of facial recognition software by police
and other public officials. The ballot initiative enables citizens
to sue the city for violations, with up to $1,000 in penalties in
addition to attorneys’ fees. It also requires suppression of
illegally obtained evidence in any legal proceeding and allows city
employees to be suspended or terminated for violations.
Michigan Amends Constitution to Protect Data From Search
and Seizure
On November 3, 2020, Michigan voters approved a constitutional amendment
prohibiting unreasonable searches or seizures of a person’s
electronic data and communications, in effect applying the same
warrant requirements needed to search a person’s home or seize
items.
California Releases Fourth Set of Proposed Modifications
to the CCPA
On December 10, 2020, the California Department of Justice
released the fourth set of proposed
modifications to the CCPA. These modifications relate to the sale
of personal information and a uniform button to opt out of the sale
of personal information. The department is accepting written
comment submissions regarding the proposed changes between December
11 and December 28, 2020. For more information, please see our
Jones Day Alert.
CANADA
Canada Proposes New Federal Privacy Law
Bill
On November 17, 2020, the Canadian government introduced the Digital Charter Implementation
Act. The bill would authorize the Office of the Privacy
Commissioner to order a company to cease processing activities and
to impose fines up to the greater of CAD $25 million or 5% of an
organization’s global revenue. It also creates individual data
portability and deletion rights and a private right of action. The
bill would require businesses to provide algorithmic transparency
and obtain customer consent through plain language before using
their personal data.
The following Jones Day lawyers contributed to this section:
Jennifer C. Everett, Kerianne Tobitsch, Claire Gianotti, Ruby Lang,
Bailey Loverin, Daniel Lopez, Sara Lynch, Megan McKnelly, Dan
Ongaro, Christina O’Tousa, Clinton Oxford, Ayesha Rasheed,
Molly Russell, Ben Sanchez, and Jenny Whalen-Ball.
LATIN AMERICA
Chile
Council Urges Improved Data Protection Regulatory
Framework for Incident Response
On November 27, 2020, the Council for Transparency
(“Consejo para la transparencia,”
“CPLT”) released a press release addressing a series of incidents
involving breaches of government servers and databases (source
document in Spanish). The CPLT aims to establish a model national
response to cyber attacks to notify affected persons of data
breaches.
Colombia
Superintendence Releases Guide for Personal Data
Processing in Horizontal Property
On November 20, 2020, the Colombian Superintendence of
Industry and Commerce (“Superintendencia de Industria y
Comercio,” “SIC”) published the Guide for Personal Data Processing in
Horizontal Property (source documents in Spanish). The
guide presents recommendations to all personal data controllers who
regularly collect or process personal data in buildings or
residential complexes, such as through video surveillance
systems.
Superintendence Orders Social Media Company to Comply
With Data Protection Standards
On November 27, 2020, the SIC ordered a social media company to implement
additional data protection measures to comply with Colombian data
protection standards (source document in Spanish). The SIC ordered
the company to implement a demonstrable consent mechanism, create
a privacy notice, and implement special protections for the
collection and processing of data of children and adolescents.
Mexico
INAI Launches Site to Promote Data Protection
Rights
On October 29, 2020, the National Institute of
Transparency, Access to Information and Personal Data Protection
(“Instituto Nacional de Transparencia, Acceso a la
Información y Protección de Datos
Personales,” “INAI”) launched a new portal to facilitate the
exercise of personal data protection rights and promote an
accessible approach (source document in Spanish).
INAI Adds New Title to General Guidelines on Personal
Data Protection
On November 11, 2020, the INAI issued a 10th title to the General Guidelines on Personal Data Protection
for Obliged Subjects in the Federal Official
Gazette (source documents in Spanish). This new title adds
compliance and reporting obligations for government data
controllers, including an annual evaluation program and annual
report on compliance performance.
Mexican Senate Approves National Registry of Cellphone
Users
On December 10, 2020, the Mexican Senate published a bill to create a national register
of cellphone users (source document in Spanish). This register will
be mandatory and will contain the following data: (i) cellphone
number; (ii) date and time of SIM card activation; (iii) full name
of the line holder; (iv) nationality; (v) official identification
number with photograph and unique population number; and (vi)
biometric data of the line holder.
Paraguay
Paraguay Publishes Regulation on Personal Credit Data
Protection
On November 12, 2020, Paraguay published new regulations to protect consumer
credit data (source document in Spanish). These regulations mandate
that after five years, credit data may only be kept for statistical
purposes. Additionally, the new rules seek to protect job seekers
from discrimination based on credit history, allowing fines of up
to USD $4,968,450 for data controllers or processors who carry out
unlawful credit data processing, or up to USD $9,936,000 for repeat
offenses.
The following Jones Day lawyers contributed to this section:
Guillermo Larrea, Daniel D’Agostini, and Juan Carlos
Quinzaños.
EUROPE
European Council
European Commission Publishes Proposal for Data
Governance Act
On November 25, 2020, the EU Commission published a proposal for a regulation on data
governance, also called the Data Governance Act
(“Proposal”). The Proposal aims to increase trust in
sharing personal and non-personal data and to lower transaction
costs linked to business-to-business and consumer-to-business data
sharing by creating a notification regime for data sharing
providers. The Proposal includes provisions to protect non-personal
commercially sensitive data (such as trade secrets or IP-protected
content) and further regulate the transfer of data to third
countries.
Court of Justice of the European Union
CJEU Clarifies Conditions on Data
Retention
On October 6, 2020, the Court of Justice of the European
Union (“CJEU”) ruled in Case C-623/17 Privacy
International, and joined Cases C-511/18 La Quadrature du Net
and Others, C-512/18 French Data Network and Others
and C-520/18 Ordre des barreaux francophones et germanophone
and Others in concluding that the national security laws of
the United Kingdom, France, and Belgium contravene EU law because
they require that providers of electronic communications services
retain traffic and location data on a general and indiscriminate
basis. For more information, see our Jones Day Commentary.
Council of the European Union
Council Adopts Conclusions on Cybersecurity of Connected
Devices
On December 2, 2020, the Council of the European Union
(“Council”) approved conclusions on the cybersecurity of
connected devices. The conclusions acknowledge the increased use of
consumer products and industrial devices connected to the internet
and the related privacy, information security, and cybersecurity
risks. The aim of the conclusions is to address this issue by
setting priorities and fostering the global competitiveness of the
IoT industry by ensuring high resilience, safety, and security
standards.
European Data Protection Board
EDPB Adopts Recommendations on the European Essential
Guarantees for Surveillance Measures
On November 10, 2020, the European Data Protection Board
(“EDPB”) adopted recommendations on the European
Essential Guarantees for surveillance measures, following the
CJEU’s Schrems II ruling in July 2020. The
recommendations provide guidance to companies that transfer
personal data to third countries and require them to assess whether
the countries to which they transfer this data adequately protect
it. The recommendations summarize four European Essential
Guarantees: (i) processing based on clear, precise, and accessible
rules; (ii) necessity and proportionality with regard to the
legitimate objectives of processing; (iii) an independent oversight
mechanism; and (iv) effective remedies for individuals.
EDPB Adopts Draft Recommendations on Measures That
Supplement Transfer Tools
On November 10, 2020, the EDPB adopted draft recommendations on measures that
supplement transfer tools to ensure compliance with an EU level of
personal data protection, following CJEU’s Schrems II
ruling in July 2020. The recommendations provide a roadmap of
actions companies should follow prior to undertaking the transfer
of personal data from the EU to third countries. In particular, the
recommendations stress that companies should perform a data mapping
exercise and identify the legal mechanism used for such transfers
to assess whether transfer tools are effective or if supplementary
measures are required.
EDPB Publishes Information Note on Data Transfers to the
United Kingdom After Transition
On December 15, 2020, the EDPB published a note stating that beginning on
January 1, 2021, following the United Kingdom’s withdrawal from
the EU, transfers of personal data between stakeholders subject to
the General Data Protection Regulation (“GDPR”) and UK
entities will constitute a transfer of personal data to a third
country and, therefore, be subject to the provisions of Chapter V
GDPR. The EDPB stressed that supplementary measures might be
necessary to bring the level of protection of data transferred to
the United Kingdom up to the EU standard of essential equivalence.
For more information, please see our Jones Day Commentary.
European Union Agency for Cybersecurity
ENISA Publishes Threat Landscape Reports for
2020
On October 20, 2020, the European Union Agency for
Cybersecurity (“ENISA”) published a series of reports on the threat
landscape in 2020. The reports focused on, among other things,
malware, data breaches, ransomware attacks, information leakage,
and phishing attacks. The reports identified and evaluated the top
cybersecurity threats for the period from January 2019 to April
2020.
ENISA Publishes Guidelines for Securing the IoT Supply
Chain
On November 9, 2020, ENISA published guidelines on securing the supply
chain for the IoT. The guidelines address the entire lifespan of
IoT product development by offering security measures for each step
(i.e., requirements and design, end use delivery and maintenance,
and disposal). The guidelines have sought to help IoT
manufacturers, developers, integrators, and all stakeholders
involved in the supply chain of the IoT to make better security
decisions when building, deploying, or assessing IoT
technologies.
Belgium
Belgian DPA Issues Decision Against
Hospital
On November 9, 2020, the Belgian Data Protection
Authority (“DPA”) issued a decision against a hospital for
infringing on the principle of transparency enshrined in the GDPR
by deducting trade union membership fees directly from
employees’ salaries (source document in French). No sanctions
were issued due to the prompt intervention of the data protection
officer of the hospital.
Belgian DPA Issues GDPR Compliance
Toolbox
On November 17, 2020, the Belgian DPA issued a GDPR
compliance toolbox for data protection officers, controllers, and
processors (“Toolbox”) (source document in French and Dutch). The Toolbox helps controllers and
processors implement the GDPR. In particular, it provides a 13-step
plan of action for companies to assess and adapt their current
levels of compliance with the GDPR.
Belgian DPA Signs Cooperation Agreement on Domain
Names
On November 26, 2020, the Belgian DPA signed a
cooperation agreement with the organization that manages domain
names in Belgium (“Agreement”) (source document in French and Dutch). The Agreement authorizes the Belgian
DPA to ban more quickly any websites with the domain
“.be” that violate the GDPR. In addition, the Agreement
highlights that the Belgian DPA, competent courts, and public
authorities are responsible for assessing whether “.be”
websites violate the GDPR.
France
CNIL Fines Ecommerce Companies
On November 26, 2020, the French Data Protection
Authority (“CNIL”) announced that between May and July
2019, it conducted checks on two ecommerce companies, following
several complaints, which revealed violations concerning the
processing of customer and potential customer data under the GDPR,
French Postal and Electronic Communications Code, and French Data
Protection Act (source document in French). These included
violations of the obligations to (i) inform users of processing;
(ii) obtain users’ prior consent to use of advertising cookies;
(iii) limit the data retention period; and (iv) facilitate the
exercise of users’ rights, among other obligations. The CNIL
fined the two companies €2,250,000 and €800,000, respectively.
CNIL Fines Ecommerce Company for Unlawful Use of
Cookies
On December 10, 2020, the CNIL announced that it conducted several checks on
an ecommerce company’s website between December 12, 2019, and
May 19, 2020, and found that the company used advertising cookies
automatically without prior consent from users (source document in
French). The CNIL also determined that the information provided to
users was not clear with regard to the purposes of the cookies, nor
complete because users were not informed of their right to refuse
cookies. The CNIL fined the company €35 million and issued an
injunction against the company to comply with the French Data
Protection Act or face a fine of €100,000 per day of delay.
CNIL Fines Multinational Technology Company for Unlawful
Use of Cookies
On December 10, 2020, the CNIL announced that it had conducted a check on a
technology company’s websites on March 16, 2020, and determined
that the company and its Irish affiliate used advertising cookies
automatically without prior consent from users and without
providing information on cookies (source document in French). The
CNIL also noted a partial failure of the mechanism to refuse the
cookies. The CNIL fined the company and its affiliate €60 million
and €40 million, respectively, and issued an injunction against
both to comply with the French Data Protection Act or face a fine
of €100,000 per month.
Germany
DPA Fines Retail Company €35 Million Under GDPR for
Employee Surveillance
On October 1, 2020, the DPA of Hamburg announced a fine of €35
million (approximately USD $41.3 million) against a multinational
retail company for violations of the GDPR related to the
surveillance of several hundred employees at a service center in
Germany since 2014. The DPA found that the company had engaged in
extensive recording of the private lives of employees. The
recording, collection, and storage of this data was discovered in
October 2019 when a configuration error made these notes accessible
across the company for a few hours.
Labor Court Submits Questions to
CJEU
On October 21, 2020, Germany’s Federal Labor Court
(Bundesarbeitsgericht) submitted questions to the CJEU for a
preliminary ruling on protection against the termination of data
protection officers’ contracts pursuant to Article 38(3) GDPR.
The referral concerns not only whether employed data protection
officers may be dismissed at all, but also further questions about
the dismissal protection afforded under the GDPR.
DSK Publishes Guidelines on Video Conferencing
Systems
On October 23, 2020, Germany’s Conference of Data Protection
Authorities (Datenschutzkonferenz, “DSK”) published guidelines on using, hosting, and
implementing video conferencing systems, accompanied by a checklist that accounts for
concerns specific to the current pandemic (source documents in
German). The guidelines examine the applicable legal bases and
obligations under the GDPR, as well as technical and organizational
requirements, distinguishing between self-hosted, externally
operated, and software-as-a-service operational models.
Court Reduces Fine Against Telecommunication Services
Provider
On November 11, 2020, the Bonn Regional Court reduced a €9.55
million fine issued by the German Federal Data Protection Authority
(Der Bundesbeauftragte für den Datenschutz und die
Informationsfreiheit, “BfDI”) against a German
telecommunication services provider to €900,000. The fine had been
issued for inadequate caller identification: a caller who supplied
only a customer’s name and date of birth could obtain further
personal data from that customer’s account.
Italy
Italian DPA Orders Search Engine Company to Honor Right
to Be Forgotten
On October 15, 2020, the Italian Data Protection
Authority (“Italian DPA”) ordered a search engine company to remove
from its search results links to articles containing the personal
details of two individuals involved in judicial proceedings that
were terminated without any judicial consequences for the
individuals (source document in Italian). According to the Italian
DPA, the continued online availability of these articles in
searches of the individuals’ names had a disproportionate impact
on their rights, which was not outweighed by any public interest in
keeping the news available.
Netherlands
Dutch DPA Questions Processing of Foreign Nationals’
Biometric Data
On November 6, 2020, the Dutch Data Protection Authority
(“Dutch DPA”) published advice on the June 24, 2020, amendments to the Dutch Aliens Act 2000 that
would extend the collection and registration of biometric data of
foreign nationals by five years (source documents in Dutch). The
current law allows biometric data to be collected from foreign
nationals to combat identity and document fraud and is set to
expire in 2021 unless extended. The Dutch DPA finds that the
privacy of foreign nationals is insufficiently safeguarded because
processing of their biometric data is not limited to certain
categories of foreign nationals, may be processed without a basis,
and may be stored for unnecessarily long periods of time, among
other concerns.
Dutch DPA Issues Multiyear Budget
2021-2025
On November 19, 2020, the Dutch DPA issued its Multiyear Budget 2021-2025 (source
document and full report in Dutch). To carry out its tasks
properly, the Dutch DPA urged an increase in workforce from 184 to
470 full-time employees and an increase in budget to more than €66
million by 2025. The Dutch DPA specifically flagged developments in
the fields of facial recognition, IoT, artificial intelligence,
smartphone technology, tracking software, and trading in data as
requiring adequate supervision.
Dutch DPA Investigates Companies Measuring
Employees’ Temperatures
On November 26, 2020, the Dutch DPA announced that an investigation had found that
two large companies violated the GDPR by measuring and processing
employees’ temperatures before they entered the office during
the COVID-19 outbreak (source document in Dutch). The Dutch DPA
found that none of the exceptions for processing sensitive data
applied in these cases. No fine was imposed on either company, but
the Dutch DPA urged the companies to improve their compliance and
will check the companies again later.
Association Takes the Dutch DPA to Court for Slow
Handling of Complaint
On November 30, 2020, the Dutch Consumers’
Association announced that it intends to take the Dutch
DPA to court to force the DPA to make a decision on the complaint
that the association filed against a technology company in 2018
(source document in Dutch). According to the association, the Dutch
DPA has failed to substantively respond to repeated requests for
information while the Irish DPA takes the lead.
Spain
SDPA Publishes Tool to Help Controllers Decide Whether
to Communicate Security Breaches
On October 22, 2020, the Spanish Data Protection Agency
(“SDPA”) published “Comunica-Brecha RGPD,” a
tool to help data controllers decide whether to communicate a
security breach to affected data subjects (source document in
Spanish). This new tool aims to promote transparency and proactive
responsibility from data controllers and allows data subjects
affected by a security breach to know when their rights and
freedoms may be at risk. The tool is free and uses a short form to
determine if there is a risk associated with a security breach.
SDPA Approves First Code of Conduct Under
GDPR
On November 3, 2020, the SDPA approved the Code of Conduct for Data
Processing in Advertising Activity, which was presented by the
Association for the Self-Regulation of Commercial Communication,
whose main purpose is the establishment of an agile, effective, and
free out-of-court system to process claims about data protection
and advertising (source document in Spanish).
United Kingdom
ICO Issues Updated Guidance on Access
Requests
On October 21, 2020, the Information Commissioner’s
Office (“ICO”) issued updated guidance on data subject access
requests. The update clarifies that the time frame for responding
to an access request pauses while the controller waits for the
requester to clarify the request, provides guidance on what
constitutes a “manifestly excessive” request, and explains
what may be included in a charge for manifestly excessive,
unfounded, or repeat requests.
ICO Fines Hotel Chain for Data
Breach
On October 30, 2020, the ICO issued a fine of £18.4 million against a
hotel chain for a data breach involving 339 million guest records.
The incident concerned an attack in 2014 against a company acquired
by the hotel chain in 2016, but the hotel chain did not detect the
breach until 2018. The breach affected the records of 7 million
people in the United Kingdom, compromising unencrypted passport
numbers and email addresses. The ICO found that the company failed
to put in place appropriate technical or organizational measures to
protect personal data.
UK Introduces Draft Telecommunications Security
Bill
On November 24, 2020, the UK Telecommunications
(Security) Bill was introduced in the House of Commons. If
enacted, the bill would provide a new security framework for
telecommunications-related supply chains and ban certain high-risk
vendors.
The following Jones Day lawyers contributed to this section:
Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg
Hladjk, Bastiaan Kout, Jonathon Little, Lucie Fournier, Martin
Lotz, Hatziri Minaudier, Selma Olthof, Irene Robledo, and
Christopher Schmidt.
ASIA
Hong Kong
PCPD Issues Three Guidance Notes on Work-From-Home
Arrangements
On November 30, 2020, the Hong Kong Office of the Privacy
Commissioner for Personal Data (“PCPD”) issued three
guidance notes related to work-from-home arrangements: “Guidance for Organisations,” “Guidance for Employees,” and “Guidance on the Use of Video Conferencing
Software.” These are part of the series “Protecting
Personal Data under Work-from-Home Arrangements,” intended to
provide practical advice to organizations, employees, and users of
video conferencing software on enhancing data security and
protecting personal data.
People’s Republic of China
China Publishes Draft Personal Information Protection
Law
On October 21, 2020, the draft Personal Information Protection Law was
published after deliberation at the 22nd session of the Standing
Committee of the 13th National People’s Congress. The draft law
strengthens the protection of personal information in China by
restating the current legal requirements for transferring data to
overseas recipients. The draft law also sets forth stricter data
localization requirements.
MIIT Requires Mobile Applications to Rectify
Issues
On October 22, 2020, the Ministry of Industry and
Information Technology (“MIIT”) announced that it had completed the technical
inspection of 320,000 mobile applications, instructed more than
1,100 operators to rectify issues with their applications, publicly
reported 246 applications that had not rectified issues within the
prescribed time frame, and taken down 34 applications that refused
to rectify related issues from application stores (source document
in Chinese). On November 13, 2020, the Rectification Workforce on
Collection and Use of Personal Information by Applications in
Violation of Laws and Regulations published a list of 35 applications identified
as having issues with the collection and use of personal
information and ordered operators to rectify these issues within 30
days from the date of notice (source document in Chinese).
MIIT Announces Plans to Protect Personal Information on
Mobile Applications
On October 27, 2020, MIIT announced that it had engaged a third-party
testing agency to inspect the fifth batch of mobile applications
that MIIT found in violation of the law this year and urged
application operators to rectify personal information protection
issues before November 2, 2020 (source document in Chinese). On
November 9, 2020, MIIT requested to take down 60 applications that
had not completed rectification (source document in Chinese).
Guide for Classifying Cybersecurity Protection Levels
Goes Into Effect
On November 1, 2020, the Information Security
Technology - Classification Guide for Classified Protection of
Cybersecurity (GB/T 22240-2020) went into effect (source document in Chinese). The
guide requires network operators to classify their systems and
technology into five levels depending on their importance to
national security, economic construction, and social life and their
potential adverse impact on national security, social order, public
interest, and the legitimate rights of citizens in the event of a
breach. Systems preliminarily classified at Level 2 or above must
be reviewed by an information security expert and a business
expert, whose written expert opinion is then submitted to the
relevant public security bureau for review and approval.
China Launches Pilot Program to Implement Security
Specification
On November 18, 2020, the National Information Security
Standardization Technical Committee held a pilot program meeting in Beijing for
the national standard “Information Security Technology and
Personal Information Security Specification” (source document
in Chinese). The pilot program selected targets of various forms,
including applications, software development toolkits, cloud
computing, mini programs, and wearable devices, with the aim of
verifying the operability and applicability of the national
standard in order to develop a mode of standard implementation.
China Publishes Draft Scope of Personal Information
Necessary for Mobile Applications
On December 1, 2020, the Cyberspace Administration of
China published the draft Scope of Necessary
Personal Information Collected by General Mobile Internet
Applications for public comments (source document in Chinese). The
public comment period ended on December 16, 2020. The document
specifies the scope of personal information necessary for 38 common
types of applications. Necessary personal information refers to
personal information that is necessary to ensure the normal
operation of an application’s basic functions.
Japan
PIPC Publishes Draft Amendment to
PIPA
On December 25, 2020, Japan’s Personal Information
Protection Commission (“PIPC”) published a draft amendment to the Cabinet Order to
Enforce Personal Information Protection Act and a draft Enforcement Regulation Concerning
Personal Information Protection Act (“PIPA”) (original
documents in Japanese). These draft amendments of cabinet order and
enforcement regulation provide detailed guidance regarding the
recent key amended points of the PIPA, including when and how data
breach reports should be made and the additional information that
needs to be provided to obtain a data subject’s consent for
cross-border transfer. Public comments to the draft cabinet order
and regulation must be submitted by January 25, 2021.
Singapore
Parliament Passes PDPA Amendments
On November 2, 2020, the Singapore Parliament passed the Personal Data Protection
(Amendment) Bill (“Bill”). The amendments in the Bill to
the Personal Data Protection Act (“PDPA”) and related
amendments to the Spam Control Act are expected to be published and
come into effect in early 2021. Key amendments include: (i)
expanding the concept of “deemed consent” and new consent
exceptions; (ii) expanding data portability obligations; (iii)
introducing mandatory data breach notification; and (iv) enhancing
the enforcement regime. On November 20, 2020, the Personal Data
Protection Commission (“PDPC”) issued draft advisory guidelines on
the key provisions in the Bill.
The following Jones Day lawyers contributed to this section:
Elizabeth Cole, Michiru Takahashi, and Sharon Yiu.
AUSTRALIA
Australian Federal Government Announces Review of
Privacy Act
On October 30, 2020, the federal government announced its review of the Privacy Act 1988
(Cth) (“Privacy Act”) and published an issues paper
related to that review. The government’s review follows the Digital Platforms Inquiry conducted by the
Australian Competition and Consumer Commission in 2019, which
recommended amendments to the Privacy Act. The terms of reference
for the Privacy Act review include considering whether individuals
should have direct rights of action under the Privacy Act, whether
a statutory tort of “serious invasion of privacy” should
be introduced, and whether an independent certification scheme to
ensure compliance with the Privacy Act should be introduced.
Although the period for submissions on the government’s issues
paper is now closed, there will be a further opportunity for
interested parties to provide feedback on an upcoming decision
paper scheduled for release in 2021.
Australia Introduces Draft of Critical Infrastructure
Bill
On November 9, 2020, the Australian legislature introduced a draft of the Security Legislation
Amendment (Critical Infrastructure) Bill 2020. The bill would build
on the existing regulatory framework (in particular, the Security of
Critical Infrastructure Act 2018) by introducing a sector-specific
“positive security obligation” that implements a risk
management program, creating additional cybersecurity obligations
for critical infrastructure entities, and providing for government
assistance in the event of a significant cyber attack.
OAIC Issues Determination Against Travel
Agency
On November 25, 2020, the Office of the Australian
Information Commissioner (“OAIC”) issued a determination that a travel agency,
Flight Centre, had interfered with the privacy of approximately 6,918 individuals
by disclosing customer data to third-party attendees of a
“design jam” event conducted in 2017. The disclosed data
included personal information such as credit card details and
passport numbers. Following the incident, Flight Centre implemented
a number of remedial steps.
The following Jones Day lawyers contributed to this section:
Adam Salter and Drew Broadfoot.
Originally published January 2021
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.