Jones Day Cybersecurity, Privacy & Data Protection Attorney Spotlight: Aaron Charfoos

Cybersecurity and privacy risks are on the rise, the regulatory landscape changes daily, and data protection authorities are closely examining data collection, use, and protection practices across the globe. It has never been more important to have trustworthy and knowledgeable counsel guiding companies through this challenging environment to both comply with legal requirements and unlock the value of the data they hold.

Aaron Charfoos is an accomplished privacy and data protection trial lawyer. He regularly guides clients with responding to high-profile incidents, privacy litigation, regulatory enforcement actions, and coordinated vulnerability disclosures. In 2012, he won his first cybersecurity trial, successfully defending a Fortune 100 technology client accused of violating Indiana's data breach notification statute. Since then, Aaron has guided well over 100 companies through similar cybersecurity incidents, and companies now regularly seek his advice in developing multinational privacy and data security compliance programs and in reducing data-related risk in corporate transactions.

UNITED STATES

Regulatory—Policy, Best Practices, and Standards

NIST Produces Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1

On April 25, the National Institute of Standards and Technology produced a roadmap for improving critical infrastructure cybersecurity version 1.1. The roadmap outlined several areas of focus for future development of the framework, including authentication methods, automated indicator sharing, conformity assessments, data analytics, and supply chain risk management.

Regulatory—Consumer and Retail

FTC Takes Action Against Companies Falsely Claiming to Comply with Privacy Shield

On June 14, the Federal Trade Commission ("FTC") announced that it had reached a settlement with a company that provides employment background checks for falsely claiming participation in the EU–U.S. Privacy Shield and Swiss–U.S. Privacy Shield frameworks. The FTC also sent warning letters to 13 companies that claimed to participate in expired U.S.–EU Safe Harbor and the U.S.–Swiss Safe Harbor frameworks. The FTC instructed the companies to remove any "public documents or statements that might be construed as claiming participation or involvement" in the privacy frameworks.

Regulatory—Financial

NYDFS Creates New Fintech Division

Consistent with New York's status as a financial services and technology hub, the New York State Department of Financial Services ("NYDFS") announced on July 23 a new Research and Innovation Division focusing on fintech innovation and consumer protection. The Division will also assume responsibility for licensing and supervising entities engaged in virtual currency business activity under the NYDFS's BitLicense Regulation. As the NYDFS explained, the Division is intended to make the NYDFS "the regulator of the future" by reviewing the use of technology in financial services, safeguarding consumer data rights, and fostering fintech innovation.

Regulatory—Communications

FCC Complaint Alleges Wireless Carriers Violated Privacy Laws

On June 14, several public interest groups filed an informal complaint with the Federal Communications Commission ("FCC") against prominent wireless carriers, alleging that the carriers sold customers' real-time location data to third parties without informed consent. The complaint highlighted the public safety risk associated with the sale of such data. The groups urged the FCC to investigate these practices and enforce Sections 201(b) and 222 of the Communications Act against the carriers.

Regulatory—Energy/Utilities

FERC Strengthens Electric Grid Cybersecurity Standards

On June 20, the Federal Energy Regulatory Commission ("FERC") signed an order that expands the reporting requirements for incidents involving attempts to compromise operation of the electric grid. The new standards require that entities report cybersecurity incidents that compromise electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated with cyber systems. Furthermore, the standards require that entities develop criteria for identifying an attempt to compromise a cyber asset and then apply the criteria during their cybersecurity incident identification process.

Regulatory—Transportation

California Proposes Limiting Access of Local Authorities to Scooter Data

On May 22, the California State Assembly passed legislation that would allow providers of shared mobility devices, such as bicycles and motorized scooters, to withhold individual trip data from local governments. Local authorities could still require providers to share de-identified and aggregated trip data as a condition for operating a shared mobility device program. The proposed legislation comes as some cities have begun implementing regulations requiring shared mobility providers to share individual trip data with local authorities.

House Representatives Raise Privacy Concerns over Use of Facial Recognition at Airports

On June 13, 23 members of the House of Representatives sent a letter to the Department of Homeland Security to raise privacy and security concerns over reports that U.S. Customs and Border Protection ("CBP") is using facial recognition technology at airports to scan U.S. citizens. According to the reports, CBP has partnered with the Transportation Security Administration and commercial airlines to use facial recognition technology on U.S. citizens, potentially in violation of the Biometric Exit Program, which permits CBP to collect biometric data on foreign nationals entering and exiting the United States.

Regulatory—Health Care/HIPAA

Medical Records Service Settles HIPAA Breach

On May 23, the U.S. Department of Health and Human Services ("HHS") announced that a medical records service paid the Office for Civil Rights $100,000 to settle a breach that exposed the electronic protected health information ("ePHI") of approximately 3.5 million people in violation of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. The breach occurred when hackers used a compromised user ID and password to access the ePHI. The investigation found that the record service did not conduct a comprehensive risk analysis prior to the breach.

Breach of Third-Party Collections Vendor Affects Millions of Patients

On June 3–4, two health care diagnostics companies each filed a report with the SEC reporting unauthorized activity on the webpage of their third-party collections service provider between August 1, 2018, and March 30, 2019, which affected up to 11.9 and 7.7 million patients, respectively.

FDA Warns of Dangerous Cybersecurity Hacking Risk with Connected Medical Devices

On June 27, the Food and Drug Administration ("FDA") warned that a company's internet-connected insulin pumps have potential cybersecurity risks and suggested that patients switch to a different model. The devices are vulnerable to malicious use of radiofrequencies to change device settings impacting insulin delivery. The FDA was not aware of any reports of harm caused by the cybersecurity risk.

Regulatory—Defense and National Security

Executive Order Declares Network Security National Emergency

On May 15, President Trump issued an executive order that declares a national emergency with respect to foreign threats against information and communications technology and services in the United States. The executive order delegates authority to the U.S. Secretary of Commerce to establish, within 150 days, a regulatory regime to mitigate or prohibit transactions with a "foreign adversary" if the agency determines those transactions pose risk of sabotage to U.S. networks, critical infrastructure, the digital economy, or other national security risks.

Litigation, Judicial Rulings, and Agency Enforcement Actions

FTC Settles Data Breach Allegations with Website Operators

On April 24, the FTC announced settlements with website operators for failure to take reasonable steps to protect consumer data in light of a breach of each website. The FTC alleged that one company failed to implement readily available security measures, despite falsely claiming to use the latest security and encryption measures. This enabled a hacker to download a document with clear text information about 6.6 million consumers, including 500,000 in the United States. The FTC alleged that the second company failed to implement reasonable security measures to protect the personal information of children under the age of 13 and collected personal information from children without parental consent, in violation of the Children's Online Privacy Protection Act ("COPPA").

FTC Warns Dating App Operator about Potential COPPA, FTC Act Violations

On May 1, the FTC sent a letter to a Ukraine-based operator of an online dating application warning it about potential violations of COPPA by failing to block users who indicated they were under 13 years old from using the apps.

Indiana Attorney General Brings Data Breach Claim Against Credit Reporting Agency

On May 6, Indiana's attorney general sued a consumer credit reporting agency over claims that it violated the state's Disclosure of Security Breach Act and Deceptive Consumer Sales Act by failing to protect consumers' personal information. The complaint alleged that the agency failed to implement adequate security measures or disclose security deficiencies, resulting in a data breach in 2017. The attorney general is seeking penalties, injunctive relief, restitution, costs, and attorneys' fees.

Vermont Attorney General Settles Failure to Secure Information Charge Against Software Supplier

On May 23, Vermont's attorney general settled a charge against a third-party provider of municipal management software to municipalities in Vermont for failing to secure municipal employees' personal information in violation of the state's Consumer Protection Act. According to the complaint, the company failed to adequately encrypt the employees' personally identifiable information or maintain basic data security programs such as antivirus software or endpoint security, log attempts to access its server, and review its security programs. Under the settlement, the company must pay a penalty of $30,000, implement a specified security program, and provide information security risk training to employees.

Sixteen Attorneys General Settle Data Breach Charge with Electronic Health Records Company

On May 23, 16 state attorneys general reached a settlement with a health care service provider related to a data breach that affected 3.9 million people. The company provides patients with access to their personal electronic health records. The state attorneys general concluded that the company failed to protect patient data because the hackers exploited vulnerabilities, such as poor password and security management protocols. The company must pay a penalty of $900,000, maintain a data security program, implement multifactor authentication to access electronic personal health information, implement a program to detect and respond to data breaches, train employees on cybersecurity policies, and implement stronger password security policies.

Three Attorneys General Investigate Medical Testing Vendor Over Data Breach

On June 5–7, Connecticut, Illinois, and Michigan attorneys general initiated investigations into a data breach of a collections service provider that exposed the medical and financial information of 19.7 million patients. The attorneys general have issued letters to the service provider requesting information about the breach, including what cybersecurity measures the company had in place, the categories of information compromised, and how the company planned to inform affected patients and prevent future breaches.

New York Attorney General Settles Data Breach Notification Charge Against Online Clothing Retailer

On June 6, the New York attorney general settled a data breach claim against an online clothing retailer for allegedly failing to timely notify consumers about a breach of its website that led to unauthorized access to customer payment information. Under the settlement, the company must pay a penalty of $65,000, implement policies for investigating data breaches, and provide compliance training to employees.

FTC Hosts Fourth Annual PrivacyCon

On June 27, the FTC hosted the fourth annual PrivacyCon, which focused on the latest academic research related to consumer privacy and data security. A video recording of the conference is available on the FTC website.

Software and Data Services Provider Settles Allegations of Data Security Violations

In June, the FTC Commission voted 5–0 in favor of a settlement with a third-party provider of auto dealer software and data services regarding allegations that the provider failed to employ reasonable measures to protect personal information. The FTC alleged that the provider stored and transmitted personal data about customers and employees from auto dealers in clear text, without any access controls or authentication protections. The settlement prohibits the provider from transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program.

Legislative—Federal

Senate Staff Report Finds Federal Agencies Left Sensitive Data Vulnerable

On June 25, the Senate Homeland Security and Governmental Affairs Subcommittee released a 99-page report detailing system vulnerabilities that left America's sensitive personal information unsafe and vulnerable to theft. The report highlighted that the federal government holds extensive amounts of highly personal information on most Americans but found that eight government agencies have outdated, vulnerability-laden systems. The report made several recommendations, including the consolidation of security processes and capabilities across federal agencies.

Legislative—States

Hawaii Adopts Resolution Authorizing Study on Internet Privacy

On April 30, the Hawaii legislature adopted Concurrent Resolution 225, which convenes a task force that will examine and recommend laws and regulations relating to internet privacy, the processing and protection of personal information, data breaches, and other related subjects. The task force will comprise members of the Senate and House, the attorney general, the director of Commerce and Consumer Affairs, the chief information officer, and the prosecuting attorney of the City and County of Honolulu. A report of the task force's findings and recommendations, including any proposed legislation, is due by December 1.

Maryland Expands Applicability of Data Breach Law

On April 30, the Maryland governor signed into law HB 1154, a bill amending the Maryland Personal Information Protection Act. The bill expands the applicability of the Act to those businesses that maintain personal information of Maryland residents. Prior to this bill, the investigatory requirement applied only to businesses that own or license personal information. The bill also shifts the responsibility of notification from businesses to "the owner or licensee of the computerized data." The law goes into effect October 1.

Washington Expands Data Breach Notification Law

On May 7, Washington's governor signed a bill into law that will expand the definition of "personal information" under the state's data breach notification law to include information such as health and genetic information, student and military identification numbers, usernames and passwords, biometric data, and electronic signatures. The law will also reduce the time period in which to notify consumers and the attorney general's office of a data breach from 45 to 30 days. The law will go into effect March 1, 2020.

New Jersey Amends Data Breach Law to Expand Definition of "Personal Information"

On May 10, New Jersey's governor signed into law S52, which amends New Jersey's data breach notification law by expanding the definition of "personal information" to include a resident's "user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account." The bill also allows businesses to provide notification of a data breach electronically for data breaches involving the resident's username or password, in combination with any password or security question and answer that would permit access to an online account, except for a data breach involving the resident's email account. The law goes into effect September 1.

CCPA Amendments Progress in California Legislative Process

On May 16, the California State Senate Appropriations Committee declined to advance SB 561, which, among other requirements, would have expanded the California Consumer Privacy Act's ("CCPA") private right of action to include any violation of the CCPA, out of the Committee by the legislative deadline. However, several other key amendments passed their originating chamber and are still under consideration, including:

  • AB 25: This amendment would revise the CCPA's definition of "consumer" to exclude a covered business's job applicant, employee, contractor, or agent, provided that the personal information is collected and used within the course of the consumer acting in that role.
  • AB 1416: This amendment would, among other requirements, make clear that aggregate information and de-identified information do not qualify as "personal information" as defined by the CCPA.
  • AB 846: This amendment makes clear that the CCPA's prohibition on nondiscrimination would not apply to loyalty and rewards programs in which consumers voluntarily participate, provided that such programs meet certain requirements.
  • AB 1564: This amendment clarifies that covered businesses may provide consumers with an email address, in addition to a physical address, for purposes of exercising consumers' CCPA rights.

Oregon Extends Data Breach Notification Requirements to Vendors

On May 24, Oregon's governor signed into law SB 684, a bill amending the Oregon Consumer Identity Theft Protection Act. Under the bill, vendors must notify the covered entity and the Oregon attorney general following a data breach unless the covered entity has already provided notice to the attorney general. The bill also expands the definition of "personal information" to include a consumer's "user name or other means of identifying a consumer for the purpose of permitting access to the consumer's account." The law goes into effect January 1, 2020.

Illinois Amends Data Breach Law to Add Attorney General Notification Requirement

On May 27, the Illinois legislature passed SB 1624, amending the Personal Information Protection Act. Under the bill, "data collectors," as defined under the Act, must provide notice to the attorney general "in the most expedient time possible and without unreasonable delay" if more than 500 Illinois residents are affected by a data breach. The bill now awaits the governor's approval. If signed by the governor, the law goes into effect October 1.

Nevada Amends Online Privacy Law to Add "Do Not Sell" Requirement

On May 29, Nevada's governor signed into law SB 220, which amends the state's existing online privacy law by requiring operators of websites and online services to provide consumers a new right to opt out of the sale of their covered information. The amended law also requires covered entities to provide a "designated request address" where consumers can submit opt-out requests. Covered entities will have 60 days to respond to such requests, with the possibility of a 30-day extension when "reasonably necessary." SB 220 preserves the law's existing enforcement mechanism, which affords the Nevada attorney general exclusive authority for enforcing the law. The law becomes operative October 1.

Oregon Adopts Law Requiring Security Features on Internet-Connected Devices

On May 30, Oregon's governor signed a bill into law that will regulate internet-connected devices—including things like video streaming devices, digital cameras, or garage door openers. Under the new law, manufacturers must give internet-connected devices "reasonable security features" to protect the devices and information stored on them from unauthorized access, destruction, modification, use, or disclosure. Failure to do so will result in a violation of the state's Unlawful Trade Practices Act. The new law will go into effect January 1, 2020.

Maine Passes Internet Privacy Protection Law

On June 6, Maine's governor signed into law LD 946, which requires broadband internet service providers ("ISPs") to obtain a customer's express, affirmative consent before using, disclosing, selling, or permitting access to the customer's personal information. LD 946 covers only ISPs that provide services to customers "physically located and billed for service received in the State." The law broadly protects information that customers generate when using internet services, including their web browsing history, personal identifying information, and geolocation information.

Texas Amends Data Breach Notification Requirements

On June 14, Texas Governor Greg Abbott signed into law HB 4390 amending the state's data breach notification law. Specifically, the bill requires that notice of a data breach be provided to consumers within 60 days. The bill also adds a requirement to notify the Texas attorney general if the entity must notify at least 250 Texas residents following a data breach. The bill also creates the Texas Privacy Protection Advisory Council, which is charged with studying privacy laws in Texas, other states, and in relevant jurisdictions outside the United States. The law goes into effect September 1, 2019 (privacy council amendment) and January 1, 2020 (notification amendment).

New York Passes SHIELD Act

On July 25, New York Governor Andrew M. Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which heightens data breach notification and data security requirements. The law contains four key requirements: (i) broadens the definition of "private information," which now includes biometric information and a username and corresponding password or security questions and answers; (ii) expands the definition of "data breach" to include "access" to private information; (iii) expands the territorial scope to any business that owns or licenses private information, not just companies that conduct business in New York; and (iv) requires companies to implement reasonable safeguards to protect private information. The breach notification amendments take effect October 23, 2019, while the data security requirements take effect March 21, 2020. For more information, please see our Jones Day Alert.

New York Passes Identity Theft Mitigation Law

On July 25, New York Governor Cuomo signed into law the Identity Theft Prevention and Mitigation Services Act, which requires a credit reporting agency that suffers a data breach containing consumer Social Security numbers to offer consumers certain identity theft prevention and mitigation services.

CANADA

Canadian Centre for Cyber Security Issues Guidance on Protecting High-Value Information for Small and Medium Organizations

On April 30, the Canadian Centre for Cyber Security issued advice to small and medium organizations seeking to protect sensitive business, employee, and customer information. The Centre's advice included identifying threats and vulnerabilities within the organization and including cybersecurity as part of the organization's business processes. It also advised organizations on how to secure high-value information through a variety of steps, including encryption, applying anti-virus software, training employees on responses to incidents, and regularly backing up information.

Canadian Privacy Commissioner Reframes its Transborder Dataflow Consultation Document

On June 11, the Office of the Privacy Commissioner of Canada ("OPC") announced that it would change its approach to its consultation "on transfers for processing, including transborder dataflows." The OPC made this decision following the publication of the Canadian federal government's Digital Charter on May 21, in which the government suggested that "transborder data flows may be dealt with in an eventual new federal privacy law." The OPC invited stakeholders to submit comments and questions by August 6.

The following Jones Day lawyers contributed to this section: Shirley Chan, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Daniel Lopez, Christopher Markham, Mallory McKenzie, Marina Moreno, Katherine Nugent, Clinton Oxford, Nicole Perry, Kerianne Tobitsch, and Jenny Whalen-Ball.

LATIN AMERICA

Argentina

Data Protection Agency Meets With United Nations Special Rapporteur on Right to Privacy

On May 7, the Director of Argentina's Data Protection Agency met with the United Nations Special Rapporteur on the Right to Privacy to evaluate the status of personal data protection in Argentina and discuss proposals to strengthen it (source document in Spanish). The Special Rapporteur is an independent expert appointed by the UN Human Rights Council to examine and report on a country situation or a specific issue—in this case, data privacy.

Argentina Participates in Plenary Meeting of Convention Committee of 108 Agreement

On June 13, the Access to Public Information Agency of Argentina participated in the Plenary Meeting of the Convention Committee of the 108 Agreement for the first time as a state party (source document in Spanish). The meeting took place at the headquarters of the Council of Europe in Strasbourg, France. Previously, Argentina had participated in the plenary meetings as an observer state. However, this was the first time that Argentina participated as a plenary country.

Brazil

Brazilian Congress Approves Final Draft of General Data Protection Law

On May 29–30, both houses of the Brazilian National Congress approved the creation of the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, "ANPD") and made changes to the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, "LGPD") (source document in Portuguese). The ANPD was designed to strengthen the enforceability of the LGPD and regulate the use of personal information in Brazil. After consolidating amendments, the Brazilian Congress sent the final bill of law to President Bolsonaro for approval. All obligations created by the LGPD will go into effect by August 2020.

Bill of Law Plans on Criminalizing Data Privacy Violations

On May 30, a congressman presented a bill of law aimed to criminalize data privacy violations (source document in Portuguese). The bill of law would regulate the act of disclosing, providing, or granting access to personal data to third parties without authorization and/or lawful purposes. The potential sanctions would include two to six years of imprisonment and monetary fines. The bill of law will now be submitted to a vote by members of the Brazilian Congress.

Chile

Director of Chilean Council for Transparency Participates in Privacy Panel at RIPD Meeting in Mexico

On June 19–20, Andre Ruiz, director of the Council for Transparency, discussed challenges to personal data protection in Chile at the Meeting of the Ibero-American Data Protection Network ("RIPD") in Mexico (source document in Spanish). The director participated in a panel called "Challenges to Privacy and the Protection of Personal Data in the Governments of the Digital Era," in which she shared her experiences and the initiatives that Chile had developed at the national level.

Colombia

Colombian Data Protection Agency Punishes Companies for Failure to Comply with Data Protection Law

On April 25, Andrés Barreto, the Superintendent of Industry and Commerce (Superintendencia de la Industria y el Comercio, "SIC") issued resolution 9766/2019, imposing a fine of $496,899,600 pesos (approximately US$154,640) on a bank and ordering it to adopt measures regarding the rights of individuals in connection with the processing of personal information (source documents in Spanish). On the same day, the Agency also issued resolution 9800/2019, imposing a fine of $298,121,760 pesos (approximately US$92,778) on another company for violating the Colombian data protection law.

Mexico

Jones Day Hosts Fourth Annual Latin America Privacy & Cybersecurity Symposium

On May 15–16, Jones Day produced and hosted the Fourth Annual Latin America Privacy & Cybersecurity Symposium in Mexico City. The Symposium brought together private practitioners, government officials, and experts to discuss regional trends in privacy and cybersecurity law. More than 300 attendees joined the event this year, which welcomed an impressive set of panels that included representatives from the Cyber Division of the U.S. Federal Bureau of Investigations, regional banking regulators, data protection agencies, and other similar agencies from Chile, Brazil, Costa Rica, and Mexico. The event covered many current topics in cybersecurity and privacy regulations, including the evolving nature of regulation, management of cyberattacks, and challenges in data privacy compliance posed by emerging technologies such as intelligent systems.

INAI Participates in 108th Convention of Council of Europe

On June 18, the Mexican National Institute for Transparency, Access to Information and Personal Data Protection ("INAI") participated in the 38th Plenary Session of the Consultative Committee of the Council of Europe Convention 108 held in Strasbourg, France (source document in Spanish). The participants discussed issues related to the protection of personal data and privacy and the agenda of the Consultative Committee for 2020–2021, which will focus on issues of facial recognition, processing of personal data in the context of education systems, and automated profiling.

Mexican Data Protection Agency Considers Challenges of Blockchain Technology

On June 19, the INAI issued official communication No. INAI/2017/19 regarding the participation of the INAI's commissioner in the meeting of the Ibero-American Data Protection Network (source document in Spanish). The commissioner expressed that new technologies, such as blockchain, present both opportunities and risks with regard to the privacy of personal data. The commissioner expressed that these technologies simplify and reduce transaction costs, including those associated with access, rectification, cancellation, and opposition rights ("ARCO rights"). But he cautioned that there are risks in implementing technology and emphasized the necessity of prioritizing privacy rights.

Mexico Hosts 17th Ibero-American Data Protection Meeting

On June 19–20, the 17th meeting of the Ibero-American Data Protection Network was held in Mexico, where dozens of experts and national and international authorities addressed issues relating to privacy and personal data protection, the use of new technologies, blockchain, data ethics, and cooperation between government authorities and companies in assessing the impact and challenges to data protection from the use of new technologies (source document in Spanish).

Panama

Panama Publishes New Law on Protection of Personal Data

On March 29, Panama published a new law on the protection of personal data, establishing principles, rights, obligations, and procedures to regulate the protection of sensitive private information (source document in Spanish). The new law regulates matters such as: storage or transfer of personal data; consent; definition of "sensitive data"; access, rectification, cancellation, opposition, and portability rights; database custodians; and the creation of the Personal Data Protection Council. The law will go into effect in 2021.

Uruguay

Uruguayan Data Protection Authority Hosts "Coffee Talk" on Artificial Intelligence and Personal Data Protection

On June 5, the Uruguayan Personal Data Regulation and Control Unit (Unidad Reguladora y de Control de Datos Personales) hosted a new "Coffee Talks" event where the panelists discussed the use of artificial intelligence ("AI") and AI's implications for personal data protection (source document in Spanish). They also exchanged views on the impact of AI on people's lives, especially the relationship between "innovation" and "privacy." In this context, the panelists agreed that the protection of personal data does not hinder innovation; to the contrary, it allows the technologies to develop within a framework of guarantees.

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, Juan Carlos Quinzaños, and Gabriela C. Samanez

EUROPE

European Council

Council of the European Union Adopts Sanctions Regime for Cyberattacks

On May 17, the Council of the European Union adopted Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the European Union or its Member States. The Regulation establishes a framework allowing the European Union to impose targeted restrictive measures, such as a travel ban or asset freeze, and deter and respond to cyberattacks that constitute an external threat to the European Union or its Member States.

European Parliament

European Parliament Releases Briefing on European Union's Data Protection Achievements

In April, the European Parliament published a briefing on personal data protection achievements during the 2014–2019 legislative term, highlighting the EU General Data Protection Regulation, Regulation 2018/1725, and the adequacy decision as some of its notable achievements.

European Parliament Adopts Regulation Strengthening European Union's Cybersecurity and Cyber-Resilience

On April 17, the European Parliament adopted Regulation (EU) 2019/881, which strengthens the mandate of the European Union Agency for Cybersecurity ("ENISA"), the EU cybersecurity watchdog, to support EU Member States with tackling cybersecurity threats and attacks. It also establishes an EU-wide cybersecurity certification framework in which ENISA plays a key role. Under the new Framework, ENISA will coordinate the preparation of candidate cybersecurity certification schemes to be submitted to the European Commission for adoption.

European Commission

EC Issues Recommendation on Cybersecurity in Energy Sector

On April 3, the European Commission ("EC") issued Recommendation (EU) 2019/553 on cybersecurity in the energy sector. The Recommendation provides guidance to network operators and technology suppliers on how to address the specific cybersecurity challenges of the energy sector, including concerns related to the combination of legacy and state-of-the-art technologies.

EC Presents Next Steps on Building Trust in Artificial Intelligence

On April 8, the European Commission presented next steps for building trust in AI. The Commission set forth seven key requirements for "trustworthy" AI, including human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, nondiscrimination, and fairness; societal and environmental well-being; and accountability.

EC Issues Guidance on Free Flow of Non-Personal Data

On May 29, the European Commission issued a Communication that provides guidance on the Regulation on a framework for the free flow of non-personal data ("FFD Regulation") in the European Union. This guidance aims to help users understand the interaction between the FFD Regulation and the General Data Protection Regulation, particularly when data sets comprise personal and non-personal data.

European Data Protection Board

EDPB Releases Draft Guidelines on Data Processing of Online Services for Public Consultation

On April 10, the European Data Protection Board ("EDPB") released draft guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. The guidelines provide practical guidance for relying on a contract as the legal basis for processing personal data in the context of online services. The guidelines also discuss how using a contract as a legal basis for processing personal data applies in specific situations, such as fraud prevention and online behavioral advertising.

EDPB Designates Representatives for Third Annual Review of EU–U.S. Privacy Shield

On May 15, during the 10th plenary session of the EDPB, the EDPB designated representatives for the third annual review of the EU–U.S. Privacy Shield. Austria, Bulgaria, France, Germany, Hungary, and the EDPS will represent the Board during the review.

EDPB Issues Statistics on Cases at GDPR's One-Year Anniversary

On May 22, the EDPB took stock of the GDPR on its one-year anniversary. According to the EDPB's summary, a total of 446 cross-border cases have been registered to date, 205 of which led to One-Stop-Shop procedures. In addition, more than 144,000 queries and complaints and more than 89,000 data breaches have been logged by the supervisory authorities.

EDPB Adopts Final Version of Annex 2 to Guidelines on Certification

On June 4, the EDPB adopted the final version of Annex 2 to the Guidelines on Certification. These guidelines identify overarching criteria, which may be relevant to all types of certification mechanisms issued in accordance with Article 42 and Article 43 of the GDPR. Annex 2 sets forth a list of minimum requirements that the EDPB and data protection authorities ("DPAs") will consider when approving certifications.

EDPB Adopts Final Version of Guidelines on Accreditation of Certification Bodies

On June 4, the EDPB adopted the final version of Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of Regulation 2016/679. These guidelines convey the purpose of accreditation in the context of the GDPR, explain available routes to accredit certification bodies, and provide a framework for establishing additional accreditation requirements.

EDPB Adopts Final Version of Guidelines on Codes of Conduct and Monitoring Bodies

On June 4, the EDPB adopted the final version of Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679. These guidelines aim to provide practical guidance and interpretative assistance in relation to the application of Articles 40 and 41 of the GDPR, along with clarifying the procedures and rules involved in the submission, approval, and publication of codes of conduct.

European Data Protection Supervisor

EDPS Adopts Opinion in Context of Budapest Cybercrime Convention

On April 2, the European Data Protection Supervisor ("EDPS") adopted Opinion 3/2019 regarding participation in negotiations of a Second Additional Protocol to the Budapest Cybercrime Convention. The EDPS supports the adoption of a Council Decision giving a clear mandate to the European Commission to participate in the ongoing negotiations. It also stressed the need for detailed safeguards regarding international data transfers and the respect of fundamental rights.

EDPS Releases Opinion on EU–U.S. Agreement for Cross-Border Access to e-Evidence

On April 2, the EDPS adopted Opinion 2/2019 on an EU–U.S. agreement on cross-border access to electronic evidence. This follows the European Commission's adoption of a recommendation to negotiate with the United States on access to electronic evidence in criminal matters. The EDPS welcomed the need for data protection safeguards and suggested adding compliance with Article 16 Treaty on the Functioning of the EU as a substantive legal basis for the processing of personal data in the future EU–U.S. agreement.

European Union Agency for Cybersecurity

ENISA Issues Recommendations on Industry 4.0 and Cybersecurity Challenges

On May 20, the European Union Agency for Cybersecurity ("ENISA") published Industry 4.0—Cybersecurity Challenges and Recommendations. The Recommendations identify the main challenges to the adoption of security measures in the context of Industry 4.0 and Industrial IoT. Moreover, ENISA lists high-level recommendations for different stakeholder groups to promote Industry 4.0 cybersecurity and facilitate wider adoption of relevant innovations in a secure manner.

ENISA Publishes Annual Report on Telecom Security Incidents

On June 5, ENISA published its annual report on telecom security incidents. The incident report stressed that in 2018, natural phenomena and system failures were the dominant causes of security incidents.

Belgium

Belgian DPA Publishes 2018 Annual Report

On April 25, the Belgian Data Protection Authority ("DPA") published its 2018 annual report (source document in French and Dutch). The report highlights the DPA's notable actions, which include new implementing legislation and the transition from the Privacy Commission to the Belgian DPA. The report canvasses the main activities of the DPA and offers several figures for 2018, including the number of data breaches (445 in 2018, compared to 25 in 2017), opinions on draft legislation (215), files of all types (7,182 cases), and investigations (73).

Brussels Court of Appeal Rejects Jurisdiction in Data Privacy Case Involving Social Media Company

On May 8, the Brussels Court of Appeal ruled on jurisdiction in a longstanding case concerning a social media company's noncompliance with the Belgian privacy and European privacy rules (source document in Dutch). The Brussels Court of Appeal ruled that it had no jurisdiction in relation to the company. Although the court stated that it had jurisdiction with respect to the company's Belgian affiliate, it referred preliminary questions to the Court of Justice of the European Union with respect to the interest of the Belgian DPA to act against the entity before national courts.

Belgian DPA Issues its First GDPR Fine

On May 28, the Belgian DPA imposed its first financial penalty since the GDPR's establishment (source document in Dutch). The administrative fine amounts to €2,000 and relates to the misuse of personal data by a mayor for election purposes.

Belgian DPA Launches a Consultation on Direct Marketing

On July 12, 2019, the Belgian DPA launched a consultation to update its direct marketing recommendation, which was released on January 30, 2013 (source document in French and Dutch). The Consultation was available online until July 31, 2019, and sought input on the most prevalent issues facing organizations since the implementation of the GDPR as well as the technologies data controllers use when conducting their marketing activities.

France

CNIL Releases Best Practices for Developers

On May 13, the French Data Protection Authority ("CNIL") released a "Developer Kit," which offers a series of best practices to help developers choose their work tools, manage source codes, understand how to use software libraries, and document coding activities (source document in French).

CNIL Reports on First Year of GDPR Implementation

On May 23, the CNIL issued a report on the implementation of the GDPR (source document in French). The CNIL highlighted the increase in complaints filed by data subjects (11,900) and noted that 19,000 data protection officers were appointed by data processing entities. The CNIL also stated that it received 2,044 notifications of data breaches. 

CNIL Launches Fourth Edition of CNIL–INRIA Privacy Award

On May 29, the CNIL launched the fourth edition of the CNIL–INRIA privacy award, which is intended to promote research on the protection of personal data and privacy. For example, submissions may cover issues related to privacy by design, algorithm transparency, anonymization, privacy risk analysis, and accountability.

CNIL Releases Action Plan for Targeted Online Advertising

On June 28, the CNIL released its 2019–2020 action plan on the use of targeting technologies in online advertising (source document in French). The CNIL stated that it will issue new guidelines on the rules applicable to the use of targeting technologies and will provide operators with a 12-month period to implement the new guidelines. The CNIL will also initiate a consultation with stakeholders on operational methods to obtain a data subject's consent.

CNIL Provides for Transition Period on Legal Framework Applicable to Online Consent

On June 28, the CNIL published a press release where it stated that "scrolling down or swiping through a website or application" is not considered as a valid expression of consent. Therefore, after the publication of the new guidelines on online consent, the CNIL announced a 12-month transition period for entities to adopt new practices for obtaining online consent. The CNIL is also implementing relevant changes on its own website.

Germany

DSK Issues Guide on Data Protection Requirements for Telemedia Service Providers

In March, the Datenschutzkonferenz ("DSK"), which is the consensus body of the German Data Protection Authorities, issued a guideline on data protection requirements for the processing of users' data through telemedia services (source document in German). The lawfulness of the data processing may be based on Article 6 para. 1 (f) (legitimate interests), and if the legitimate interest justification is not available, Article 6 para. 1 (a) GDPR (consent). The guide addresses these requirements in detail and provides for examples related to websites, cookies, and tracking.

DSK Publishes Guideline on Access Protection for Online Service Providers

On March 29, the DSK published a guideline on access protection for online service providers (source document in German). It provides for, inter alia, a list of measures regarding the secure transmission and storage of passwords, the course of action in the event that services are compromised, and password security requirements.

DSK Releases Position Paper on Biometric Analysis

On April 3, the DSK released a position paper on biometric analysis (source document in German). The paper describes various biometric systems and sensors as well as different "use cases" for them. The paper also evaluates the processing of biometric data under the GDPR and sets forth factors that should be taken into account when using biometric systems.

Data Protection Officer Imposes First Fine on Police Officer

On May 9, the data protection officer of Baden-Württemberg imposed a fine of €1,400 on a member of the police force (source document in German). The officer used the internal databases of the Federal Motor Transport Authority to obtain the telephone number of a casual acquaintance in order to call her. This was, to our knowledge, the first published German case of a fine imposed on a public servant pursuant to the GDPR.

German Parliament Passes Second GDPR Implementation Bill

On June 27, the German Parliament passed the second GDPR implementation bill (source document in German). The bill addressed changes in 154 laws. The main changes included, inter alia, the adaptation of definitions and legal bases for data processing as well as regulations regarding data subjects' rights. Furthermore, the threshold in the German Federal Data Protection Act for private companies to designate a data protection officer was increased from 10 to 20 persons involved in data processing. Consents in the employment relationship may now be obtained in writing and electronically.

Italy

Italian DPA Facilitates Transfer of Data Among Financial Supervisors Within and Outside EEA

In May, the Italian Data Protection Authority ("DPA") authorized the Italian financial supervisor to enter into an administrative agreement for the transfer of personal data between the financial supervisors of the European Economic Area ("EEA") and those outside the EEA (source document in Italian). This agreement seeks to prevent illegal activities and to increase the quality of international cooperation. This action marks the first time the DPA has authorized the Italian financial supervisor to transfer data to other financial supervision authorities in accordance with Article 46 of the GDPR. The DPA established additional conditions, including a requirement that the Italian Companies and Exchange Commission ("CONSOB") must inform the DPA of any suspension of data transfers, as well as any revision or suspension of participation in the agreement.

Italian DPA Clarifies Consent to Marketing in Context of Prize Contests

On June 12, the Italian DPA issued an order clarifying that a data subject's consent to marketing activity cannot be a condition to participate in a prize contest (source document in Italian). The DPA reviewed a company's registration practices for a prize contest. As a condition for completing registration for the contest, the company required registrants to join the customer loyalty program and consent to marketing activity. The DPA determined that this did not provide customers with the opportunity to express free and specific consent for promotional activity. The DPA ordered the company to change the data collection form on its website so that users may express a free and informed consent for promotional uses of their data.

The Netherlands

NCSC Publishes Transport Layer Security Guidelines

On April 23, the Dutch National Cyber Security Centre ("NCSC") published an update to its transport layer security ("TLS") protocol guidelines (source document in Dutch). The updated guidelines aim to improve TLS configuration security, so that organizations can prioritize certain threats requiring daily attention. The guidelines assist entities with procurement, setup, and review of TLS configurations.

EDPB Elects Aleid Wolfsen as New Deputy Chair

On May 15, the European Data Protection Board ("EDPB") elected Aleid Wolfsen as the new deputy chair (source document available in Dutch and in English). Along with fellow Deputy Chair Ventsislav Karadjov, Aleid Wolfsen will support the EDPB Chair Andrea Jelinek in her work for the Board over the coming years.

Spain

SDPA Publishes Guide Addressing Data Protection Impact of Drones

On May 30, the Spanish Data Protection Agency ("SDPA") published a guide called "Drones and Data Protection," which addresses the impact of various types of drone operations, including those with the capability of processing personal data and those whose operations actually process personal data, such as video surveillance (source document in Spanish). The guide offers a series of recommendations for amateur and professional drone operators.

SDPA Publishes Recommendations for Anonymization Processes

On June 14, the SDPA published a technical note addressing anonymization processes performed on data sets (source document in Spanish). The publication addresses the limitations on effectiveness of anonymization processes, the extent to which information is actually anonymized, and how the risk of re-identification can be managed. In light of the GDPR, the SDPA cautions that entities must analyze the risks of data processing, including those arising from potential re-identification derived from the anonymization processes, and those risks generated in the subsequent enrichment of data sets.

United Kingdom

UK Government Launches Consultation on Regulation of Consumer Internet of Things

On May 1, the UK government launched a consultation on privacy and security issues raised by IoT devices, including regulatory proposals for a security labelling scheme to evidence compliance with the voluntary Code of Practice for Consumer Internet of Things Security.

ICO Closes Its "Regulatory Sandbox"

On May 24, the ICO closed its regulatory sandbox that allows selected organizations with products and services using personal data in innovative ways access to ICO expertise, support, and a way to test how data protection frameworks may apply.

ICO Fines Hotel Chain £99 Million Under GDPR for Data Breach

On July 9, the ICO announced its intention to fine a hotel chain £99 million for GDPR violations in relation to a data breach that compromised the personal information of customers. The hotel chain acquired a company whose systems had been compromised, but the hotel chain did not discover the exposure of customer information until two years after the acquisition. The ICO's investigation found that the hotel chain failed to conduct sufficient due diligence when it bought the company.

The following Jones Day lawyers contributed to this section: Laurent De Muyter, Undine von Diemar, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Jonathon Little, Martin Lotz, Hatziri Minaudier, Selma Olthof, Sara Rizzon, Irene Robledo, Elizabeth Robertson, Lucia Stoican, Ludovica Terenzi, and Rhys Thomas

ASIA

Hong Kong

Insurance Agent Receives Conviction Related to Direct Marketing

On April 3, an insurance agent was convicted of two charges under the Personal Data Ordinance. The first charge related to its use of the personal data of a data subject in direct marketing without obtaining her consent, in contravention of section 35C of the Ordinance. The second charge related to its failure to inform the data subject of her right to request that her personal data not be used in direct marketing, in contravention of section 35F of the Ordinance. The insurance agent pleaded guilty to both charges and was fined HK$8,000 in total.

Privacy Commissioner Responds to Suspected Clandestine Photographing in Taxis

On April 21, Hong Kong's Privacy Commissioner for Personal Data announced guidance on the suspected incident of artists being photographed inside taxis (source document in Chinese). The Privacy Commissioner has also issued "Guidance on CCTV Surveillance and Use of Drones" and will continue to strengthen educational campaigns. The Commissioner is proceeding with caution as he considers new restrictions and regulations, so as not to unduly hinder economic and technological development.

Privacy Commissioner Releases Compliance Checks Report Regarding Hong Kong Shopping Mall Membership Programs

On April 25, the Privacy Commissioner released a compliance checks report called "Overview of Personal Data Collection in Shopping Mall Membership Programs and Online Promotion Activities." The report provides guidance on personal data collection in shopping malls and online promotion activities, particularly membership programs. In general, the Privacy Commissioner accepts the collection of contact information for the purposes of identification and communication, but the collection of national HKID Card numbers by membership programs is generally considered excessive due to the sensitive nature of the data and the associated risk of identity theft.

Bank Receives HK$10,000 Fine for Direct Marketing Offense

On May 21, a bank was convicted under section 35G(3) of the Privacy Ordinance for failing to comply with a request from a data subject to cease using his personal data in direct marketing. The bank pleaded guilty to the charge and received a HK$10,000 fine.

Auction Company Receives HK$20,000 Fine for Direct Marketing Offense

On May 27, a company was convicted of two charges under the Privacy Ordinance. The first charge relates to the company's failure to obtain a data subject's consent before using her personal data in direct marketing, in contravention of section 35C of the Privacy Ordinance. The second charge relates to the failure to inform the data subject of her right to request not to use her personal data in direct marketing, in contravention of section 35F of the Privacy Ordinance. The company pleaded guilty to both charges and was fined HK$20,000 in total.

Hong Kong and Singapore Sign MOU to Strengthen Cooperation in Personal Data Protection

On May 31, the data protection authorities of Hong Kong and Singapore signed a Memorandum of Understanding ("MOU") to strengthen cooperation on personal data protection between the two jurisdictions. Under the MOU, the authorities will share experiences and best practices, conduct joint research projects, and exchange information on potential or ongoing data breach investigations. Hong Kong and Singapore are also releasing a jointly developed "Guide to Data Protection by Design ("DPbD") for Information and Communications Technology ("ICT") Systems," which provides organizations with practical guidance for all phases of software development and good data protection practices in ICT system design.

Privacy Commissioner Issues Enforcement Notice Related to Data Breach

On June 6, the Privacy Commissioner published an investigation report on the breach of personal data of approximately 9.4 million airline passengers. The Privacy Commissioner found that the airline violated the data protection principles under the Privacy Ordinance relating to personal data security and retention, and served an Enforcement Notice directing the company to remedy and prevent any recurrence of the contraventions. It ordered the company to engage an independent data security expert to overhaul its systems containing personal data, implement effective multifactor authentication for remote access, conduct effective vulnerability scans, and destroy all unnecessary HKID Card numbers collected, among other measures.

Beauty Product Company Receives HK$8,000 Fine for Direct Marketing Offense

On June 18, a beauty product company was convicted under section 35C of the Privacy Ordinance for failing to obtain consent prior to using the personal data of a customer in direct marketing. The company pleaded guilty and was fined HK$8,000. The Privacy Commissioner reiterated the importance of small and medium enterprises' compliance with the requirements of the Privacy Ordinance on the protection of personal data in Hong Kong, and it emphasized the need for organizations to adopt proper data stewardship when handling customers' data.

People's Republic of China

Agency Issues Draft Measures to Complement E-Commerce Law

On April 30, the State Administration for Market Regulation published a notice announcing that the "Internet Transaction Supervision and Management Measures" ("Draft Measures") were open for public comments until May 29 (source documents in Chinese). The Draft Measures were drafted to complement the E-Commerce Law of the People's Republic of China, which came into effect January 1 (source document in Chinese). The goal of the Draft Measures was to resolve issues regarding the collection and use of consumers' personal information by requiring network transaction operators to clearly indicate the purpose, manner, and scope of information collected and obtain consumer consent on a case-by-case basis.

Agency Issues Notice to Solicit Opinions on Collection and Use of Personal Information by Apps

On May 5, the Office of the Central Cyberspace Affairs Commission published a notice to solicit opinions on the draft of "Applicable Appraisal Methods for the Unlawful and Illegal Collection and Use of Personal Information by Apps" (source document in Chinese). The purpose of the Appraisal is to commence security assessments on apps that collect and use personal information in violation of the law and regulation, and to identify apps that force users to provide consent or collect personal information in excess or out of scope of the consent.

Zhejiang Police Crack Down on Malicious Registration of Online Accounts

On May 12, the Office of the Central Cyberspace Affairs Commission published a news update on enforcement actions in Zhejiang based on the "Clean Internet Campaign 2019" (source document in Chinese). Investigations and enforcement activity focused on companies that allegedly engaged in the use of personal information for malicious registration of internet accounts or illegal fourth-party payment. Enforcement action has been taken in 262 criminal cases.

Agency Publishes Cybersecurity Review Measures

On May 24, the Office of the Central Cyberspace Affairs Commission published the "Cybersecurity Review Measures (Draft for Comment)" for the purpose of improving the safety and management of key information structures and maintaining national security (source document in Chinese).

Agency Issues Notice on Measures for Data Security Management

On May 28, the Office of the Central Cyberspace Affairs Commission published draft "Measures for Data Security Management" (source document in Chinese). The measures govern the way network operators (owners, administrators, and service providers) collect personal information, obtain data subject consent, correct or remove personal information, deregister users' accounts, and handle data breaches. The measures aim to protect national security and the legitimate interests of citizens, among other goals.

Agency Issues Notice on Regulations to Protect Children's Personal Information

On May 31, the Office of the Central Cyberspace Affairs Commission published a notice seeking public comments on the "Regulations on the Protection of Children's Personal Information on the Internet" (source document in Chinese). The Regulations aim to protect the legitimate interests of children by governing the collection, storage, use, and removal of personal information of minors under 14 years old. Among its proposed provisions, the Regulations stipulate that network operators should set up protection rules and user agreements dedicated specifically to children's personal information and should appoint a personal data protection officer to be responsible for the protection of children's personal information. Network operators are also required to inform and obtain the express consent of children's guardians when collecting or using children's personal information.

Technical Committee Publishes Guidelines for Mobile App Providers

On June 1, the National Information Security Standardization Technical Committee published "Guidelines for Network Security Practices—Essential Information Specification for Basic Business Functions of Mobile Internet Applications" to provide the types of personal information commonly required by 16 basic categories of mobile applications (source document in Chinese). The Guidelines regulate the collection of personal information by mobile internet application providers.

Agency Issues Notice Related to Transfer of Personal Information

On June 13, the Office of the Central Cyberspace Affairs Commission published a notice seeking public comments on the draft "Measures for Assessment of Personal Information Exit Security" (source document in Chinese). The Measures aim to restrict the transfer of personal information outside China and were issued for purposes of protecting personal information security, safeguarding cyberspace sovereignty, and national security interests.

Government Issues 2019 Plan of Special Action for Online Market Regulation

On June 23, several government departments published the 2019 Plan of Special Action for Online Market Regulation, which aims to protect personal information collected in e-commerce (source document in Chinese). The Plan aims to promote fair competition in e-commerce, protect consumers and the legitimate interests of businesses, and ensure sustainable development of e-commerce.

Singapore

PDPC Signs MOU with United Kingdom's ICO

On June 14, Singapore's Personal Data Protection Commission ("PDPC") signed a Memorandum of Understanding ("MOU") with the United Kingdom's Information Commissioner's Office ("ICO"). The MOU establishes a working relationship between the two regulatory bodies for cross-sharing of experiences, exchanging best practices, engaging in joint research projects, and exchanging information on regulatory approaches and activities.

PDPC and IMDA Release First Comprehensive Trusted Data-Sharing Framework

On June 28, the PDPC and the Infocomm Media Development Authority ("IMDA") released the first comprehensive Trusted Data-Sharing Framework to facilitate data sharing between organizations. The framework establishes a set of baseline practices by providing a common data-sharing language and includes resources that enable data sharing.

PDPC Releases DPO Competency Framework and Training Roadmap

On July 17, the PDPC released the Data Protection Officer ("DPO") Competency Framework and Training Roadmap. The purpose of the roadmap is to provide information on the core competencies and proficiency levels a DPO needs and to serve as a resource for companies in their hiring and training of DPOs.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Sharon Yiu, and Grace Zhang.

AUSTRALIA

Fair Work Commission Clarifies Employee Records Exception in Privacy Act

On May 1, the Fair Work Commission handed down a decision clarifying the application of the Privacy Act 1998 (Cth) to the collection of personal information from employees. The case involved an employer that sought to institute a fingerprint scanning system to record employees' site attendance. The company terminated an employee who repeatedly refused to use the system. The Commission held that the employee's fingerprint was "sensitive information" under the Privacy Act, and therefore the company was required to obtain the employee's consent before soliciting or collecting his fingerprint. The Commission found that the company had no privacy policy as required by Australian Privacy Principle (APP) 1, and the company provided the employee with some, but not all, of the information required by a privacy collection notice under APP 5. The Commission also held that the "employee records exception" to the APPs in section 7B(3) of the Privacy Act did not apply, since the exception applies to records already held by an employer, and does not relieve employers from the obligation to obtain consent from employees before collecting new forms of "personal information."

Liberal/National Coalition Wins Federal Election

On May 18, the coalition of the Liberal Party and the National Party, led by Prime Minister Scott Morrison, won reelection in the federal election. Many of the legislative changes with respect to privacy and cybersecurity announced by the Morrison government before the election will likely progress. These changes include amending the Privacy Act 1998 (Cth) to increase penalties for breaches and amending the Telecommunications and Other Legislation (Assistance and Access) Act 2018 (Cth), which requires designated communications providers to grant access to communications when requested by law enforcement agencies. Work has already begun. On August 1, the Federal Parliament passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019, which creates the Consumer Data Right, a legislative framework to compel data holders to share nominated consumer data with individuals and businesses. We reported on these developments in the March 2019 and May 2019 Global Privacy & Cybersecurity Updates.
