United States Privacy Updates:
Biotech: Thermo Fisher sued for use of Henrietta Lacks' cells without consent
Henrietta Lacks' estate filed a lawsuit against Thermo Fisher Scientific, arguing that the company has continued to reproduce and sell Lacks' HeLa cells without her family's consent. The estate seeks disgorgement of the full amount of Thermo Fisher's net profits from commercializing the cell line and a permanent injunction preventing Thermo Fisher from using the cells without the family's express permission.
BIPA: Ancestry User Says Blackstone Deal Exposed Genetic Data
Ancestry.com is being sued for allegedly violating the Illinois Biometric Information Privacy Act ("BIPA"). The plaintiff claims that the company unlawfully disclosed "thousands if not millions" of individuals' genetic information when it shared data with Blackstone, its affiliates, and possibly other third parties as part of an acquisition process.
BIPA: Illinois court ruling on the five-year versus one-year limitation period for BIPA claims
On September 17, 2021, the Illinois Appellate Court, in a case of first impression at the appellate level, addressed the statute of limitations under BIPA, holding that some BIPA claims are subject to a five-year limitations period while others must be brought within one year.
The court found that claims under Sections 15(c) and 15(d) of BIPA, which govern the sale and disclosure of biometric data respectively, are subject to the one-year limitations period that applies to publication of matter violating the right of privacy. However, the court held that Illinois' five-year catch-all limitations period applies to Sections 15(a), (b), and (e) because those sections "have absolutely no element of publication or dissemination."
CFPB: CFPB Orders Tech Giants to Turn Over Information on their Payment System Plans
The Consumer Financial Protection Bureau (the "CFPB") issued orders under Section 1022(c)(4) of the Consumer Financial Protection Act to collect information on the business practices of large technology companies operating payment systems in the United States. The initial orders were sent to Amazon, Apple, Facebook, Google, PayPal, and Square. The CFPB also plans to study the payment system practices of Chinese tech companies, including Alipay and WeChat Pay. The orders seek information on the companies' collection and use of data, including for behavioral targeting, and on their compliance with the Electronic Fund Transfer Act and the Gramm-Leach-Bliley Act.
Children and Teens' Privacy: Introduction of the Children and Teens' Online Privacy Protection Act
The newly introduced Children and Teens' Online Privacy Protection Act (CTOPPA) bill would amend the existing Children's Online Privacy Protection Act (COPPA). Proposed changes include:
Expanding the scope to cover the personal data of "minors," defined as individuals over the age of 12 and under the age of 16.
Prohibiting targeted advertising directed at children and requiring verifiable consent for targeted advertising to minors.
Adding a right of erasure that would allow users to delete certain personal information from online platforms.
Introducing a "constructive knowledge" standard for operators that are likely to have information about the age of their users.
Dark Patterns: FTC's enforcement policy statement on "dark patterns" in subscription services
The Federal Trade Commission (FTC) issued an enforcement policy statement on dark patterns and negative option marketing practices in subscription services. The statement clarifies that businesses must "clearly and conspicuously" disclose the material terms of the offer, obtain customers' "express informed consent" before charging for a service, and "provide easy and simple cancellation" mechanisms.
Education Technology: Draft Bill on Student Privacy and Education Technology
A recently released congressional proposal would impose new requirements on how education technology companies handle K-12 student data. If enacted, it would also establish an independent auditing process for these companies' data protection practices. The bill limits the use of student data collected by education technology businesses by regulating targeted advertising and the sale, profiling, or disclosure of students' personal information. It also requires operators to publish a standard "technology impact assessment" that includes a risk analysis of harms to students, discrimination impacts, and accessibility considerations.
GLBA: FTC issues final rule amending the Safeguards Rule
A final rule released by the FTC last week amends its Standards for Safeguarding Customer Information (the "Safeguards Rule") under the Gramm-Leach-Bliley Act. The amendments will require significant changes to the data security policies and procedures of non-banking financial institutions covered by the Safeguards Rule. Fundamental changes include:
The final rule requires regulated companies to complete a written risk assessment and adds specific criteria that must be included in an assessment.
The final rule requires the designation of a single “Qualified Individual” who is responsible for overseeing and implementing an institution’s information security program.
The final rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan and annual reporting to the board of directors.
The final rule amends the definition of “financial institution” to include entities that are engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
Health Data: FTC's policy statement on the Health Breach Notification Rule
A new policy statement from the FTC offers guidance on the scope of the FTC's Health Breach Notification Rule, which covers vendors of personal health records and related entities that are not covered by HIPAA, while placing entities on notice of their ongoing breach notification obligations. The statement clarifies that the developer of a health app or connected device is a "health care provider" because it "furnish[es] health care services or supplies." It also clarifies that sharing covered information without an individual's authorization is a breach requiring notification under the Rule, and that apps capable of drawing information from multiple sources, such as a combination of consumer inputs and APIs, are covered by the Rule.
State Law Privacy Updates:
Arizona: Genetic Testing and Data Enforcement
The Arizona Genetic Information Privacy Act came into effect on September 29, 2021. The Act, among other things, regulates genetic testing and direct-to-consumer genetic testing companies, stipulates the forms of consent that must be obtained before processing genetic data, describes the organizations excluded from its application, and sets out enforcement actions and penalties for non-compliance.
California: California Enacts New Privacy Law for Genetic Data
Effective January 1, 2022, the California Genetic Information Privacy Act, which largely mirrors Utah's Genetic Information Privacy Act, creates requirements for genetic data regarding (1) notice, (2) consent, (3) data security, and (4) individual rights. Its applicability is limited to "direct-to-consumer genetic testing companies" that collect genetic data from "consumers" (i.e., California residents).
Connecticut: Amendment to General Statute
An amendment to the Connecticut General Statutes expands the definition of personal information to add taxpayer identification numbers, passport and military ID numbers, health insurance policy or subscriber numbers, and biometric information, which broadens the scope of a number of laws, including breach notification requirements. The amendment also shortens the breach notification deadline from 90 days to 60 days after discovery. Lastly, it removes a clause requiring companies to consult law enforcement in connection with a risk assessment.
Florida: Protecting DNA Privacy Act
Effective October 1, 2021, Florida's Protecting DNA Privacy Act amends Florida's genetic privacy law to establish new crimes arising from the unlawful use of a person's DNA.
New York: Updates to Employee Privacy Laws
An amendment to the New York Civil Rights Law, signed into law on November 8, 2021, requires employers in New York to notify employees upon hiring of how they will be electronically monitored and to post the notice where employees can access it.
The New York City Council passed a law on November 10, 2021, requiring employers in the city that use automated decision-making tools for hiring or promotion decisions to have those tools undergo a bias audit and to notify candidates residing in the city that their application is subject to an automated decision tool.
Some notable points from the working group discussions include:
Employing an "ability to cure" option for violations, should a potential cure exist;
Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single step for consumers to opt out of data collection;
Considering authorizing the Attorney General to pursue claims for actual damages based on consumer harm.
Latin America Privacy Updates:
Brazil: House of Representatives approves bill regulating AI
On September 29, 2021, Brazil's House of Representatives approved a bill regulating artificial intelligence. The bill establishes foundations and principles for the development and application of artificial intelligence and sets guidelines for the promotion of the technology and for the actions of public authorities on the subject.
Europe Privacy Updates:
Amazon Fine: Amazon appeals record EU GDPR fine
Amazon has appealed the record 746-million-euro EU General Data Protection Regulation (GDPR) fine handed down in July by Luxembourg's National Commission for Data Protection. The challenge was filed with Luxembourg's Administrative Tribunal. Amazon referred to a prior statement noting that there had been neither a data breach nor unlawful exposure of personal data to third parties that would justify the penalty.
EDPB: Establishes cookie banner task force
The European Data Protection Board (EDPB) has set up a task force to coordinate the response to complaints concerning cookie banners. The task force aims to promote cooperation, information sharing, and best practices among supervisory authorities. It will (1) exchange views on legal analysis and possible infringements; (2) provide support to activities at the national level; and (3) streamline communication.
EDPB: Issues guidance on data subject rights
On October 13, 2021, the EDPB adopted the final version of its Guidelines on restrictions of data subject rights under Article 23 of the GDPR. The Guidelines aim to clarify the application of Article 23. The EDPB specified that the Guidelines:
Recall the conditions surrounding the use of such restrictions by EU member states or the EU legislator in light of the EU Charter of Fundamental Rights and the GDPR;
Provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Article 23 of the GDPR; and
Analyze how the legislative measures setting out the restrictions must meet the foreseeability requirement, and examine the grounds for restrictions listed in Article 23 of the GDPR and the obligations and rights that may be restricted.
IAB: Belgian DPA’s expected ruling on the IAB’s Transparency and Consent Framework (TCF)
The draft ruling is expected to find IAB Europe to be a data controller for "Transparency and Consent Strings", the digital signals generated on websites to record data subjects' choices about the processing of their personal data for digital advertising, content, and measurement. The Belgian DPA considers these signals to be personal data. The Belgian DPA is also expected to find IAB Europe to be a joint controller for this data in the specific context of real-time bidding for online advertising.
The draft ruling is expected to be shared with the other concerned Data Protection Authorities (DPAs), which will have 30 days to review it. Depending on the outcome of that review, the Belgian DPA may adopt a final ruling, or the matter may be referred to the European Data Protection Board for a binding decision.
Ireland: Irish regulator proposes €36 million Facebook privacy fine
Ireland's Data Protection Commission (DPC) plans to fine Facebook between €28 million and €36 million over an alleged lack of transparency about what the company does with users' data.
Norway: Updated Transfer Guidance
Norway's data protection authority, Datatilsynet, published revised guidance on international data transfers in the wake of the Court of Justice of the European Union's "Schrems II" decision. The guidance calls on companies to assess the legal basis for a transfer before it takes place and to apply supplementary technical, legal, or organizational measures to protect the data where necessary. Datatilsynet also noted that it would not pre-approve companies' transfer impact assessments.
Norway: Norwegian DPA’s Report on Establishing a Facebook Page
The Norwegian Data Protection Authority published a summary of a data protection impact assessment (DPIA) based on its internal risk assessment of whether it should establish a Facebook Page. The report briefly summarizes the authority's analyses, assessments, and conclusions concerning risks, risk management, and duties under data protection legislation if it, as a public authority, were to establish and communicate through a Page on Facebook.
Switzerland: Secure email group Proton wins Swiss appeal over surveillance rule
Proton AG (the company behind ProtonMail and ProtonVPN) won an appeal regarding its treatment under Swiss surveillance law. The Swiss government had previously required Proton to retain certain data and to give authorities a certain level of access. The Swiss Federal Administrative Court confirmed that email services cannot be considered telecommunications providers and are therefore not subject to the corresponding data retention and government access requirements.
United Kingdom: Home Surveillance
In early October 2021, a UK judge ruled that a homeowner who installed a "smart" video doorbell and other security cameras that captured live video of his neighbour's home had violated the UK Data Protection Act 2018.
United Kingdom: Supreme Court Blocks $4.3 billion British class action against Google
Richard Lloyd, a consumer rights activist, alleged that Google secretly collected the personal data of more than 5 million iPhone users between 2011 and 2012 by bypassing default privacy settings in the Safari browser to track their browsing histories, and then used this data for commercial purposes.
The Supreme Court unanimously allowed Google's appeal, holding that for an individual to receive compensation under the UK Data Protection Act "it would be necessary to show both that Google made some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result."
United Kingdom: UK Information Commissioner Opinion on Age Assurance for the Children’s Code
The UK ICO’s Opinion on Age Assurance for the Children’s code provides the Commissioner’s view on how the law applies and facilitates consistent, clear, predictable regulation to those who might seek to use age assurance to conform with the Children’s code (formally known as the Age appropriate design code). The opinion discusses various methods of age assurances such as age verification, estimation, account confirmation and self declaration along with the specific cases in which each of the methods may be appropriate.
The ICO is looking for evidence including details on existing or proposed age estimation approaches, novel approaches to age assurance, systems where data protection by design has been applied, and the type of economic impact of age assurance approaches.
Africa Privacy Updates:
Zimbabwe: Media group asks President not to sign Cybersecurity and Data Protection Bill
The Media Institute of Southern Africa Zimbabwe announced on September 7, 2021, that its Chairperson, Golden Maunganidze, had sent a letter to President Emmerson Mnangagwa asking him not to sign the Cybersecurity and Data Protection Bill into law following its passage by the House of Assembly and Senate.
Asia, Southeast Asia, and Australia Privacy Updates:
Australia: OAIC finds that Clearview AI breached privacy law
The Office of the Australian Information Commissioner (OAIC) found that Clearview AI breached the Privacy Act 1988 and ordered it to stop collecting facial images and biometric templates from individuals in Australia and to destroy the images and templates it had already collected.
Australia: 7-Eleven breached customer privacy by collecting facial imagery without consent
In Australia, the country’s information commissioner has found that 7-Eleven breached its customer’s privacy by collecting their sensitive biometric information without adequate notice or consent.
Australia: Review of the Privacy Act 1988
The Australian Attorney-General's Department (AGD) released its Privacy Act Review Discussion Paper in October 2021 as part of its review of the Privacy Act 1988 and is inviting public feedback.
New Zealand: Privacy commissioner outlines regulation of biometrics
The Office of the Privacy Commissioner (OPC) of New Zealand published a paper outlining how the Privacy Act applies to the use of biometric technologies. According to the OPC, the paper is intended to "inform decision-making about biometrics by all agencies" in the public and private sectors.