IoT Update: Congress Passes IoT Cybersecurity Improvement Act of 2020

The bipartisan Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 (S. 734, H.R. 1668) has passed the House and the Senate and is headed to the President’s desk for signature. The bill was sponsored in the House by Representatives Hurd (R-TX) and Kelly (D-IL), and in the Senate by Senators Warner (D-VA) and Gardner (R-CO). President Trump is expected to sign the measure into law.

According to Senator Warner (D-VA), the bill would “harness the purchasing power of the federal government and incentivize companies to finally secure the [internet-connected] devices they create and sell.”

The IoT Cybersecurity Improvement Act will require the National Institute of Standards and Technology (“NIST”) to develop minimum cybersecurity standards for internet-connected devices purchased or used by the federal government. The bill sets forth the following requirements: Continue Reading

The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

By Kristof Van Quathem and Anna Oberschelp de Meneses on November 17, 2020 Posted in Advertising & Marketing, Data Privacy, EU Data Protection, GDPR

On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.

Below we provide a brief FAQ about the Code.

EDPB adopts recommendations on international data transfers following Schrems II decision

By Dan Cooper, Lisa Peets, Marty Hansen and Sam Jungyun Choi on November 12, 2020 Posted in Cross-Border Transfers, Data, Data Privacy, EU Data Protection, European Union

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”). These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”). (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).

The two recommendations adopted by the EDPB are:

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Draft Recommendations on Supplementary Measures”); and
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations on EEG”).

Californians Approve Ballot Initiative Modifying the California Consumer Privacy Act

By Lindsey Tonsager, Libbie Canter, Danielle Kehl and Alexandra Scott on November 5, 2020 Posted in California Consumer Privacy Act (CCPA), Data Privacy, Data Security, Privacy and Data Security, State Legislatures, United States

Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect. As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing of personal information for cross-context behavioral advertising and the use of “sensitive” personal information, as well as creating a new correction right. It also establishes a new agency to enforce California privacy law. The key provisions of the bill will not go into effect until January 1, 2023, providing much-needed time to clarify the details and for businesses to adjust their CCPA compliance approaches to account for the additional requirements.

Courts Find TCPA Unenforceable for Acts Prior to July 2020

By Rafael Reyneri on November 3, 2020 Posted in Litigation, TCPA

Last week, an Ohio district court found that violations of the Telephone Consumer Protection Act (“TCPA”) occurring between 2015 and July 2020 cannot be enforced because the law was unconstitutional at the time. The case is captioned Lindenbaum v. Realgy, LLC, No. 19-CV-02862 (N.D. Ohio), and the opinion builds on an earlier decision from a Louisiana district court that reached a similar conclusion in Creasy v. Charter Communications Inc., No. 20-CV-01199 (E.D. La.). Continue Reading

Inside Privacy Audiocast: Episode 7 – Brexit and the Future of UK Data Privacy Law

By Dan Cooper on October 30, 2020 Posted in Brexit, Cross-Border Transfers, European Union, Privacy and Data Security, United Kingdom

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be reached soon, which would be significant, as the Brexit transition period will end on December 31, 2020, deal or no deal. Today’s episode features Dan Cooper and Joe Jones, Head of International Data Transfer Regime, Data Policy Directorate at the UK’s Department for Digital, Culture, Media & Sport.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

French Court of Cassation Decides That an Employer Can Use a Facebook Post to Dismiss an Employee

By Kristof Van Quathem and Anna Oberschelp de Meneses on October 21, 2020 Posted in Data Privacy, EU Data Protection, European Union, GDPR, International, Privacy and Data Security, Social Media

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French). In particular, the employee in this case posted a photograph of a new clothing collection of the employer on a personal Facebook account. This post could be seen by the employee’s “friends”, including those who worked for competing firms. As a result, a co-worker who was a “friend” of that employee sent the post to the employer. Posting the photograph was in breach of the employee’s confidentiality obligations under the employment contract. Thus, the employer asked a bailiff to access the employee’s Facebook account in order to obtain proof of the employee’s actions. The employer subsequently dismissed the employee for gross misconduct.

According to the Court, the way in which the employer obtained a copy of the post was “not disloyal”, because a co-worker had sent it to the employer on a spontaneous basis. However, by presenting the Court with a copy of the post and information about the employee’s “friends” without the employee’s consent, the Court found that the employer had invaded the employee’s privacy.

The Court nevertheless decided that an employer may use evidence collected in violation of an employee’s right to privacy to dismiss an employee because that evidence is “essential for the exercise of the right to evidence and is proportionate to the aim pursued – namely, the defense of the employer’s legitimate interest in the confidentiality of its business”. Thus, an employer’s right to collect evidence for a “fair trial” (Article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“ECHR”)) may trump an employee’s right to privacy (Article 8 of the ECHR), provided the collection is – as the Court deemed in this case – necessary and proportionate.

French Supervisory Authority Releases Strict Guidance on the Use of Facial Recognition Technology at Airports

By Kristof Van Quathem and Anna Oberschelp de Meneses on October 21, 2020 Posted in Artificial Intelligence (AI), Data Privacy, Emerging Technologies, European Union, International, Privacy and Data Security

On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French). The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to deploy this technology on an experimental basis. In this blog post, we summarize the main principles that the CNIL says airports should observe when deploying biometric technology.

Inside Privacy Audiocast: Episode 6 – View from Johannesburg Part II: Top Data Policy Trends to Look Out For in Africa

By Dan Cooper and Robert Kayihura on October 20, 2020 Posted in Cross-Border Transfers, GDPR, International, POPIA, Privacy and Data Security, South Africa

Recently, there has been a significant level of attention given to data protection and privacy matters on the Continent, and in the just the past year, we have seen new laws proposed or enacted in places like Nigeria, Egypt, Kenya, and of course South Africa, although prior to that, places like Morocco, Ghana and Mali sought fit to regulate in this space, passing their own data protection laws. In 2014, the African Union adopted its convention on cybersecurity and data protection, which 14 countries have signed, and a number have ratified. As things currently stand, nearly half the countries making up the region have enacted comprehensive data privacy laws. The data protection landscape in Africa is a fascinating place, reflecting some interesting trends.

Today’s episode is Part II of our “View from Johannesburg” series and features Dan Cooper and Robert Kayihura. Click here to view Part I of our series and download our Key Takeaways from the episode.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

California AG Settlement Suggests Privacy and Security Practices of Digital Health Apps May Provide Fertile Ground for Enforcement Activity

By Inside Privacy on October 16, 2020 Posted in Health Privacy

In a new post on the Covington Digital Health blog, our colleagues discuss California Attorney General Xavier Becerra’s recent settlement against Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information.” The post explains the allegations and settlement terms, as well as takeaways for providers of digital health apps. For instance, the settlement highlights the sensitivity of health data, even if that data is not protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).