Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.
United States: State Law Updates
California Privacy Protection Agency Board Meeting
The California Privacy Protection Agency will hold a public meeting on Friday, December 8, 2023. The meeting will include discussion on proposed regulations, which the CPPA notes are provided only to facilitate board discussion and that “the Agency has not yet started the formal rulemaking process.” Instructions on how to attend the meeting and the meeting agenda can be found here.
South Carolina House Committee to Study Artificial Intelligence
On November 13, 2023, South Carolina announced the formation of a new House Committee to study AI in order to develop strategies to protect the rights and interests of South Carolinians. House Speaker Murrell Smith states this committee will be the “first-in-the-nation” standing committee of its kind. The House Speaker plans to make this a permanent part of the House structure in 2024.
Seattle Releases GenAI Policy for City Employees
On November 3, 2023, the city of Seattle announced a policy governing the city’s use of generative artificial intelligence. The announcement states that “the new policy aligns with President Biden’s Executive Order regarding AI announced earlier this week, and positions Seattle to continue to be a national leader in civic innovation and technology.”
School District Unknowingly Gives Parent Access to Thousands of Students' Records
In response to a parent's request to access their child’s school records, Fairfax County Public Schools allegedly provided personal information of tens of thousands of students. The school district gave the parent supervised access to inspect and copy the provided paper files and electronic storage, which contained sensitive information such as students' mental health data, disability status, medical care, and attorney work product. Virginia student privacy law requires Fairfax County Public Schools to alert parents as soon as practicable of violations of a child's privacy.
United States: Federal Updates
Judges on New Data Protection Review Court Sworn In
On November 14, 2023, eight judges for the Data Protection Review Court were sworn in. The court will help uphold commitments in the Data Privacy Framework and provide redress to EU citizens. The judges must have privacy experience, are appointed by the Attorney General, and will serve a four-year term.
UC Berkeley Publishes Report on Standards for Evaluating Risks in AI Systems
On November 8, 2023, UC Berkeley’s Center for Long-Term Cybersecurity published a 118-page report, AI Risk-Management Standards Profile for General-Purpose AI Systems (GPAIS) and Foundation Models, which is meant to complement best practices already detailed by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). The standards proposed in the report are meant primarily for use by developers of large-scale, state-of-the-art, general-purpose AI systems (large language models, generative AI, foundation models, and the like). Key risk mitigation recommendations include risk-tolerance thresholds for AI’s use, red-teaming and adversarial testing, and involving external parties and system users in the risk identification process.
NIST Responsibilities under Biden Executive Order on Safe, Secure, and Trustworthy AI
On November 8, 2023, the National Institute of Standards and Technology (NIST) released a video describing NIST’s responsibilities under President Biden’s Executive Order (EO) on Safe, Secure, and Trustworthy AI, issued on October 30th. NIST has been directed to develop guidelines and best practices to promote consensus industry standards. The video covers generative AI, evaluating AI, secure software development, AI test beds, and dual-use foundation models.
Hospital Associations and Health Systems Sue Federal Government
On November 2, 2023, the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System sued the federal government over the HHS Office for Civil Rights’ (OCR) bulletin entitled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” The lawsuit alleges that the bulletin “upended the balance that HIPAA and its regulations strike between privacy and information sharing.”
NYDFS Announces Amendments to Cybersecurity Regulation
On November 1, 2023, the New York State Department of Financial Services (NYDFS) announced amendments to Cybersecurity Regulation. The Amended Cybersecurity Regulations help ensure that cybersecurity is fully integrated into the business planning, decision-making, and ongoing risk management processes of regulated companies. The changes include:
Updates to definitions within the regulation
Stronger cybersecurity governance requirements, including oversight responsibilities for a company's senior governing body
Additional controls intended to prevent unauthorized access to information systems, and to prevent or mitigate attacks, including automated scans of information systems
More regular risk and vulnerability assessments (at a minimum, these should be done annually), more robust incident response documentation requirements, more granular requirements around business continuity and disaster recovery (BCDR) planning
Updated cybersecurity incident notification requirements, including a requirement to report extortion (ransomware) payments
Refreshed direction that requires companies to provide training and cybersecurity awareness programs to company workers at least annually
OMB Memo on AI Governance
On November 1, 2023, the Executive Office of the President, Office of Management and Budget (OMB) released a public draft of its memo to the heads of executive departments and agencies outlining requirements for agencies' implementation and use of artificial intelligence. The memo defines a number of requirements, including the designation of a “Chief AI Officer,” requirements for the development of compliance plans, and annual submission of AI use case inventories. Section 5 outlines use cases that are "safety-impacting" and "rights-impacting," which are subject to minimum practices described in the memo.
President Biden Issued Executive Order on Safe, Secure, and Trustworthy AI
On October 30, 2023, President Biden issued an Executive Order (“EO”) on AI. The press release states that the EO “establishes new standards for AI safety and security, protects Americans’ privacy, advances equity and civil rights, stands up for consumers and workers, promotes innovation and competition, advances American leadership around the world, and more.”
National Institute of Standards and Technology (NIST) releases second draft publication on Trusted IoT
On October 31, 2023, the NIST National Cybersecurity Center of Excellence (NCCoE) published the second preliminary draft of volumes B, C, and E of Special Publication (SP) 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. Comments on the draft are due by December 15, 2023. The drafts include how-to guides for organizations protecting IoT devices and their networks, risk and compliance management, and the technical approach, architecture, and security characteristics.
FTC Amends Safeguards Rule to Require Breach Reporting for Non-Banking Financial Institutions
On October 27, 2023, the FTC amended its Safeguards Rule to require covered financial institutions to report notification events (defined as the unauthorized acquisition of unencrypted customer information) that involve at least 500 customers to the FTC. Reports should be sent through a form that will be available on ftc.gov as soon as possible and no later than 30 days after discovery. The new rule, which will go into effect 180 days following publication, applies to all financial institutions covered by the Safeguards Rule, which includes non-banking entities such as mortgage lenders, motor vehicle dealers, and payday lenders.
Car Companies Prevail in Privacy Battle Over Text Message Interception
On October 27, 2023, the 9th Circuit Court of Appeals upheld a trial court’s dismissal of claims that car manufacturers violated Washington’s state wiretap laws by allegedly intercepting and recording text messages from cellphones connected to on-board infotainment systems. The court said that the allegations, even if proven true, wouldn't show that the alleged privacy violations caused injury, and the Washington state statute has a provision that “expressly requires” consumers to allege injuries.
Multistate Litigation Against Meta
On October 24, 2023, a federal lawsuit was filed on behalf of over three dozen states and D.C. accusing Meta of violating COPPA and other state consumer protection laws. Among other things, the complaint alleges that Meta designed its platform to prolong young users' use, monetized their attention via data harvesting and targeted advertising, and does not obtain verifiable parental consent as required under COPPA.
United States: Industry and Trade Group Updates
NAI Best Practices for Health Advertising
On November 8, 2023, the NAI released best practices for using demographic consumer data for health-related advertising, including sensitive health data. For more information, read the announcement and the best practices.
IAB Tech Lab Draft Data Deletion Request Framework
On November 2, 2023, the IAB Tech Lab released a draft Data Deletion Request Framework as part of its Global Privacy Platform. It is designed to help handle data deletion requests. The framework is open for public comment until December 2, 2023. More information is here.
Europe and the United Kingdom
Draft EDPB Guidance on Applicability of Article 5(3) of the ePrivacy Directive
On November 15, 2023, the EDPB released draft guidance, titled “Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive.” According to the release, “[t]he Guidelines aim to clarify which technical operations, in particular new and emerging tracking techniques, are covered by the Directive, and to provide greater legal certainty to data controllers and individuals.” Comments are open until December 28, 2023. Please see our more in-depth blog post here.
Denmark Critiques Real Estate Platform Provider for Insufficient Cybersecurity
On November 10, 2023, Denmark's DPA, Datatilsynet, published a critique of software company Mindworking for failing to properly secure its web application product. Product users (potential sellers and buyers, as well as real estate agents) could access personal data processed by the platform by logging in to their account and then inspecting the platform's source code in the browser.
CNIL Issues Fines for Employee Monitoring
On November 7, 2023, the French data protection authority, the CNIL, announced 10 different fines for employee monitoring, including for issues related to continuously tracking employee vehicle location and for continuous video surveillance at work stations.
UK Information Commissioner's Office and European Data Protection Supervisor Sign Memorandum of Understanding
On November 8, 2023, the UK Information Commissioner’s Office and the European Data Protection Supervisor signed a Memorandum of Understanding (MOU) that reinforces their common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal. The MOU sets out how the authorities will continue to share experiences and best practices, cooperate on specific projects of interest, share information or intelligence to support their regulatory work, and promote dialogue among data protection authorities and other digital regulators. The press release can be found here.
UK Online Safety Act Becomes Law and Ofcom Publishes Enforcement Strategy
On November 9, 2023, UK Ofcom, the regulator of the new Online Safety Act (which became law on October 26, 2023), published the first of four major consultations as part of its work to establish the new regulations over the next 18 months. The consultation focuses on how internet services that allow the sharing of user-generated content should approach their obligations under the Online Safety Act relating to illegal content. For more information on Ofcom's approach to implementing the Online Safety Act, see the approach documentation here.
Grindr Sues Norwegian DPA
On October 30, 2023, Grindr filed a lawsuit against the Norwegian DPA alleging that the DPA misinterpreted the GDPR in a way that would make it difficult for the app to operate in the country. The lawsuit is based on a prior fine the Norwegian DPA issued against Grindr in December 2021.
EDPB Urgent Binding Decision on Legal Basis for Behavioral Ads
On October 27, 2023, the EDPB issued an urgent binding decision instructing the Irish DPA to take, within two weeks, final measures regarding Meta Ireland Limited and to impose a ban on the processing of personal data for behavioral advertising on the legal bases of contract and legitimate interest across the entire European Economic Area. The decision stated the instruction would become effective one week after the notification to Meta, which occurred on October 31, 2023.
Liechtenstein DPA Publishes Guidance on AI Chatbots
On October 27, 2023, the data protection authority (DPA) of Liechtenstein released guidance on chatbots powered by artificial intelligence. The guidance discusses, among other things, the legal basis for processing, transparency obligations, and legal uncertainties for chatbots under the General Data Protection Regulation (GDPR).
CJEU Clarifies Right of Access in Dental Case
On October 26, 2023, Germany’s Federal Court of Justice referred a case to the CJEU to resolve a conflict between a German law regarding access to medical records and the GDPR. The conflict arose when a dentist charged a patient a fee for access to their medical records. The fee was permitted under German law, but the CJEU clarified that controllers may not charge a fee for a first request for a copy of personal data unless the request is “manifestly unfounded or excessive.”
North and South America
ANPD Seeks Public Commenting on Defining the Role of Data Protection Officer
On November 7, 2023, Brazil's data protection authority, the ANPD, opened public comment on a draft regulation defining the role of the data protection officer. This regulation will reflect requirements under Article 41 of the GDPR. The comment period will end December 7, 2023. A public hearing will be scheduled in the future. The press release can be found here.
Quebec CAI Guidelines on Valid Consent
On October 31, 2023, Quebec's regional data protection authority, the CAI, released a 45-page guidance document on the requirements for valid consent under its recently updated provincial privacy law. The guidance appears to be available only in French for the time being, and is here.
Canada Bans China’s WeChat on State Devices Over Privacy Risks
On October 30, 2023, Canada announced a ban on the use of China’s WeChat on government-issued mobile devices after implementing similar restrictions on popular short-video application TikTok earlier this year.
The ban was announced after an assessment by Canada’s chief information officer that the Tencent-owned messaging app presented “an unacceptable level of risk to privacy and security.”
Asia-Pacific, Middle East, and Africa
EU and Japan Reach Agreement on Cross-Border Data Transfers
On October 28, 2023, the EU and Japan finalized cross-border data transfer terms that will be included in the EU-Japan Economic Partnership Agreement after it has been ratified. The deal removes data localization requirements and was deemed consistent with EU privacy law.
New Zealand's Privacy Commissioner releases 2023 Annual Report
On November 6, 2023, the New Zealand Office of the Privacy Commissioner (OPC) released its 2023 Annual Report. The report highlights the OPC’s recent work on an increasing number of privacy breach complaints, establishing the children and young people's privacy policy project, detailing expectations for agencies implementing AI, working on biometric regulations, and completing an inquiry into police conduct when photographing members of the public.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.