Hintze Law Global Privacy & Security Updates

By Zachary Douglas

Here is a snapshot of some privacy developments from the last month. If you missed our last post, you can find it here. 

US STATE LAW 

California Legal Protections for Abortion, Contraception and Gender-Affirming Care Providers   

On September 27, 2023, Senate Bill 345, relating to the provision of abortion, contraception, and gender-affirming healthcare services, was signed by Governor Newsom. Among other things, the Act prohibits a person or business from collecting, using, disclosing, or retaining the personal information of a person who is physically located at, or within a precise geolocation of, a family planning center, except as necessary to perform the services or provide the goods requested. The Act also prohibits the sale or sharing of this information, authorizes an aggrieved person or entity to institute and prosecute a civil action for a violation of these provisions, and specifies the damages and costs that may be recovered. 

California Delete Act Signed into Law  

Governor Newsom signed the California Delete Act into law, which will require, among other things, the California Privacy Protection Agency to establish an accessible deletion mechanism by January 1, 2026. The deletion mechanism must allow “a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.”  

New York Bans Facial Recognition in Schools   

Following a report by the Office of Information Technology Services that concluded the risks to student privacy and civil rights outweigh potential security benefits, New York state banned the use of facial recognition technology in schools. The report noted “the potentially higher rate of false positives for people of color, non-binary and transgender people, women, the elderly, and children.”  You can find the press release here. 

Ohio HB 33 and the “Social Media Parental Notification Act” 

On July 5, 2023, buried among other legislation, Ohio passed the Social Media Parental Notification Act (SMPNA) as part of an omnibus bill. Section 1349.09 describes the requirements for operators that meet specific criteria, such as permitting users to interact socially with other users, constructing a public or semi-public profile, or creating or posting content viewable by others. The SMPNA requires operators to obtain verifiable parental or legal guardian’s consent for any contract with a child under the age of 16 (and not emancipated). SMPNA also provides several possible options for this consent to be “verifiable.” Additionally, SMPNA requires operators to provide a parent or guardian with specific details about the content moderation or “censoring” features of the service, including any that can be disabled. 

The Ohio attorney general has exclusive authority to bring a civil action. Civil penalties are scaled: up to $1,000 for each of the first sixty days of non-compliance, up to $5,000 for each subsequent day the operator fails to comply between the 61st and 90th day, and up to $10,000 per day beginning on the 91st day. The attorney general must first provide notice, and the operator has 90 days to cure the violation. 

The following services are specifically excluded: (a) cloud storage or cloud computing services; (b) broadband internet access services; and (c) search engine services. The law takes effect on January 15, 2024. 

Blackbaud to Pay $49.5M in Multi-State Data Breach Settlement  

South Carolina-based fundraising software company Blackbaud has reached a settlement agreement with 49 states and the District of Columbia following a 2020 data breach and ransomware attack that exposed the sensitive information of donors and clients for 13,000 nonprofits. The state attorneys general alleged that Blackbaud failed to represent the scope and severity of the breach, failed to provide affected customers with information on which data were accessed during the breach, and misled consumers through its marketing of strong data security practices. In addition to the $49.5M Blackbaud will pay to the states, the settlement terms require Blackbaud to comply with applicable laws, not make misleading statements about privacy and security, and implement incident response, breach notification, and information security programs. Blackbaud previously settled with the SEC for $3M for charges of making misleading disclosures regarding the breach.  

Virginia Governor Issues Executive Order on Artificial Intelligence  

Virginia’s governor issued an Executive Directive, which directs the exploration of ethical and transparent use of artificial intelligence technology by the state’s government. It requires the Office of Regulatory Management to work with Virginia’s chief information officer, among others, to “identify the best uses and practices across state government in a timely manner.”   

US FEDERAL LAW 

Department of Justice Adds UK as a Qualifying State for Redress  

The DOJ updated its website designating “qualifying states” for purposes of implementing the redress mechanism under Executive Order 14086, which paved the way for the Data Privacy Framework and the subsequent UK-US data bridge. The site indicates that as of Sept. 18, 2023, the UK is a “qualifying state,” and the designation will become effective on the date of entry into force of the UK regulations (Oct. 12). More information on the qualifying states and the AG's redress mechanism can be found here.  

Consumer Financial Protection Bureau Proposes Personal Financial Data Rights Rule 

The Consumer Financial Protection Bureau (CFPB) proposed a new rule to give consumers increased access and portability rights to their financial data, which it hopes will promote competition and a shift towards open banking. The proposed rule implements a dormant provision from the 2010 Dodd-Frank Act (Sec. 1033), and, if finalized, would require covered financial institutions to provide consumers and authorized third parties with certain transaction and account data upon request. It also would establish privacy obligations for authorized third parties accessing a consumer’s data, including limits on the collection, use, and retention of covered data. 

Comments are open until December 29, 2023, and the final rule is expected to be published in late 2024. 

Equal Employment Opportunity Commission (EEOC) 2024-2028 Strategic Enforcement Plan  

The EEOC published its final Strategic Enforcement Plan (SEP) in the Federal Register on September 21, 2024. The SEP establishes the agency’s subject matter priorities and strategies for the EEOC’s private, public, and federal sector activities and “ . . . will help guide the EEOC’s work through all of the agency’s activities, including outreach, public education, technical assistance, enforcement, and litigation.” 

Included among the EEOC's priorities in the SEP is recognizing employers' increasing use of technology, including artificial intelligence or machine learning, to target job advertisements, recruit applicants, and make or assist in hiring and other employment decisions, practices, or policies. Learn more about the agency's priorities here. 

FTC Highlights Growing Consumer Concerns About AI  

The US Federal Trade Commission (FTC) issued a blog post on October 3, 2023, on consumer concerns about AI. The blog post highlights that “consumers are voicing concerns about harms related to AI—and their concerns span the technology’s lifecycle, from how it’s built to how it’s applied in the real world.” The FTC distilled three core concerns: (i) concerns about how AI is built; (ii) concerns about how AI works and interacts with users; and (iii) concerns about how AI is applied.  

California Attorney General Files Notice of Appeal to Overturn Preliminary Injunction Blocking Children’s Online Safety Law 

On October 18, 2023, California Attorney General Rob Bonta filed a notice of appeal with the US Ninth Circuit Court of Appeals to overturn a preliminary injunction that would prevent the California Age-Appropriate Design Code Act (CA AADC) from going into effect. The motion for preliminary injunction was filed by NetChoice, a national trade association for online businesses, and was granted based on the US District Court for the Northern District of California’s finding that NetChoice is likely to succeed on its claim that the CA AADC violates the First Amendment. 

HHS OCR Issues Guidance for Health Care Providers and Patients to Educate Patients about Telehealth Privacy and Security of PHI 

On October 18, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued two resources to help explain to patients the privacy and security risks to their protected health information (PHI) when using telehealth services, and ways to reduce those risks. The first guidance document is for health care providers. The second guidance document is for patients. 

Federal Communications Commission Seeks Comments on Net Neutrality Rules 

The FCC is seeking comments on its Notice of Proposed Rulemaking (NPRM) to revive Net Neutrality rules. In the NPRM, the FCC proposes reclassifying broadband Internet access services (Broadband Services) as a telecommunications service instead of an information service. It also proposes classifying Broadband Services as a commercial mobile service. This would subject Broadband Services to the FCC's privacy and security framework and would establish rules related to the "protection and use of information obtained from their customers or other carriers and calibrates the protection of such information based on its sensitivity." Comments are due on December 14, 2023. 

Federal Communications Commission Proposing an Inquiry into A.I. + Telephone Consumer Protection Act 

The FCC is proposing an inquiry into AI and the TCPA. The inquiry would seek comment on AI’s impact on robocalls and robotexts, clarifying how AI technologies apply under the TCPA and the obligations thereunder, as well as potential uses of AI to protect against unwanted communications. While there are several steps left before this proposed inquiry could turn into guidance from the FCC, it is something to keep in mind when considering AI-related activities that may fall under the TCPA.  

US House Subcommittee Discussions on AI Center Around Need for a Federal Privacy Law as a First Step 

On October 18, 2023, a subcommittee of the U.S. House Committee on Energy and Commerce held a dedicated hearing on AI. The conversation, which was intended to be AI-focused, reverted to discussions around privacy and the need for a federal privacy law before any meaningful AI legislation can be addressed. 

NORTH & SOUTH AMERICA 

Canadian Privacy Commissioner Seeks Input on Draft Biometrics Guidance Documents  

The Office of the Privacy Commissioner of Canada (OPC) released two draft guidance documents related to handling biometric information for public and private sector organizations, updating existing guidance published in 2011. One of the draft documents addresses risks under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law, and the other pertains to the Privacy Act, which governs how federal institutions handle personal information. Both drafts are available here and here. 

PIPEDA Right to Be Forgotten Applies to Google Search 

Canada’s Federal Court of Appeal ruled that Google is not exempt from the Personal Information Protection and Electronic Documents Act’s (PIPEDA) right to be forgotten in rendering its search results. The ruling comes in a case involving a man who sought to have Google delist search results that allegedly contained outdated and inaccurate information about him in news articles. 

Canada's Privacy Commissioner Seeks Comment on Draft Biometrics Guidance 

Canada’s Privacy Commissioner has released draft guidance on biometrics privacy considerations for both public sector and private sector institutions. The Commissioner is seeking public input through January 12, 2024.  Input can be provided via the form located here. 

Canadian Guidance on Children's Privacy  

The Canadian OPC announced two guidance documents on children’s privacy issues. The first is a webpage with information about how organizations can protect young people online, intended for young people and people who care for them. The second is a webpage with information for organizations. 

Both guidance documents build upon the resolution.  

EUROPE & UK 

UK-US Data Bridge in Effect   

The UK-US Data Bridge has been finalized.  As of October 12, 2023, UK businesses can transfer personal data to US organizations which have certified to the “UK Extension to the EU-US Data Privacy Framework.”  The UK-US data bridge factsheet can be found here.  

EU Commission Publishes AI Clauses for Procurement of AI 

The community on the Procurement of AI (a community of public buyers established by the EU Commission), published EU model contract clauses for use by public organizations as they procure AI technology. The clauses establish responsibility and set forth various requirements addressing trustworthy, transparent, and accountable development of AI technologies between the AI supplier and the public buyer. While the clauses include provisions specific to AI technology and matters covered by the proposed AI Act, they exclude other obligations that may arise under related laws (such as the General Data Protection Regulation). 

Like the EU’s model clauses for data transfers, these AI procurement clauses do not comprise a full contract but are meant to be appended to a broader services agreement. To that end, the model clauses intentionally do not address intellectual property, acceptance, payment, delivery times, applicable law, or liability. Also like the model transfer clauses, the AI procurement clauses need to be customized to each specific procurement relationship.  

Note that the clauses are “final” but in a pilot stage as public organizations have been asked to test the clauses and provide feedback to the community. To this end, it is expected that further iterations of the clauses will be developed over time. 

AI Act: European Data Protection Supervisor Issues Final Recommendations 

The European Data Protection Supervisor (EDPS) issued an opinion on the AI Act. The opinion includes various recommendations, including: 

  1. The full prohibition of AI systems posing unacceptable risk to individuals and their rights, including, in the EDPS’s opinion, the use of AI systems for automated recognition of human features and other behavioral signals in public spaces as well as the categorization of individuals based on their biometric features.  

  2. Confirmation of the EDPS’s role as AI supervisor of EU institutions, bodies and agencies and a request for additional clarification under the AI Act of its authority and tasks. 

  3. Confirmation in the AI Act of the EDPS’s competence to receive complaints of infringements of the AI Act. 

The EDPS plays an important role as the independent supervisory authority for the protection of personal data and privacy across EU institutions and public bodies.  

UK Information Commissioner's Office Issues Updated Worker Monitoring Guidance   

The UK ICO issued updated guidance for employers on data protection issues that need to be addressed when conducting workplace monitoring to ensure it is lawful under data protection requirements. 

CNIL Publishes FAQs for French Entities EU-US DPF 

France’s data protection authority published FAQs on the European Commission's adequacy decision regarding the EU-U.S. Data Privacy Framework. Among other things, the FAQ details the process by which French entities can transfer data to U.S. organizations that have not adopted the DPF. 

CNIL Sanctions SAF LOGISTICS for Excessive Data Collection 

Pursuant to an employee report that SAF LOGISTICS collected data relating to its employees’ private lives, the CNIL investigated and found several violations of the GDPR, including excessive data collection, non-compliance with the ban on processing sensitive data, and a lack of cooperation with the CNIL services. In particular, the company collected a large amount of information on employees’ family members, including their identity, contact details, position, employer, and marital status, and some of the information collected was sensitive data such as blood type, ethnicity, and political affiliation. 

Croatia Fines Hotel €15K for Multiple GDPR Violations 

AZOP, Croatia’s data protection authority, fined a hotel based on five separate GDPR violations. The hotel processed a guest’s bank card security number (i.e., CVC number) and copies of other personal documents without a lawful basis, failed to notify the guest of all personal data processing connected to booking online (including through its general terms and conditions), inadequately described personal data processing in connection with requests for consent, failed to protect personal data with adequate technical measures (such as encryption), and appointed the hotel’s manager as its data protection officer despite the conflict of interest.  

Croatia Fines Two Processors €50K Total for Cookie-Related GDPR Violations 

AZOP, Croatia’s data protection authority, fined two processors in the gambling and betting industry separately for identical GDPR violations. Each processor processed personal data through use of cookies without any legal basis and failed to adequately notify data subjects of this processing as related to the cookie use (negating their consent for cookies) and in general. AZOP emphasized that as part of failing to adequately inform the data subjects about the cookie use, the processors failed to enable visitors to give separate consent for each type of cookie. 

Danish Court of Appeals Fines Hotel DKK 1M for National Law Violations  

One of Denmark’s federal courts of appeal fined hotel chain Arp-Hansen Hotel group DKK 1M, equivalent to about €134K, under Danish data protection law. The fine was based on a lower court's conclusion that the hotel chain failed to comply with its own retention schedule, maintaining over 500,000 customer profiles past the scheduled deletion date. This fine displaces the original fine of DKK 1.1M issued by Denmark's data protection authority in 2020. 

Denmark Data Protection Agency Criticizes Employee Disclosure of Coworker’s Potential Criminal Activities  

Denmark's data protection authority publicly criticized an employee of the grocery store chain Meny for disclosing another employee’s alleged criminal activities to their supervisor without a lawful basis. The data protection authority found the disclosure was not necessary to safeguard Meny's legitimate interests or serve any other lawful basis. The opinion noted that the alleged criminal activities were separately captured on security video recordings of the store, potentially implying that Meny's legitimate interests in store security were already sufficiently supported. 

Denmark Publishes Guidance on Colocation Providers as Processors 

Denmark's data protection authority published guidance on the potential status of colocation providers as processors. The guidance states that while a colocation provider is not a data processor because it does not necessarily process the personal data it stores, several circumstances could tilt the scale, such as the provider having access to data kept on its servers.  

HR Director in France Sentenced in the Case of Employee Registration  

An HR manager in France was given a suspended 6-month prison sentence for an egregious GDPR violation. The manager maintained a database of about 180 employees with the manager’s ill opinions about them, such as laziness and suspected alcohol addiction.  

Court of Justice of the European Union Rejects French MP's Challenge to DPF  

The CJEU rejected Philippe Latombe's challenge to the EU-US Data Privacy Framework, mostly on procedural grounds. Mr. Latombe is a member of the French Parliament and is a member of the CNIL. The CJEU found that Mr. Latombe had not “established that he would suffer serious harm if the operation of the contested decision were not suspended.”  And, based on this finding, the application for interim measures “must be dismissed without it being necessary to rule on the admissibility of the present application for interim measures, to examine whether there is a prima facie case or to weigh up the interests.” 

Hungarian Government Sets Cybersecurity Fines 

Under Government Decree 305/3023 (archived here and not yet published), the supervising authority enforcing the Act XXIII of 2023 on Cybersecurity (available here only in Hungarian) can fine violators. Fines range from 50,000 HUF (about $139 USD) to 50,000,000 HUF ($139,500) in egregious cases. 

Case Studies from the Irish Data Protection Commission  

The Irish DPC published its Annual Report covering its complaint handling unit’s work in 2022, which includes case studies. In addition to the 2022 Annual Report, the DPC also published a booklet containing 126 of its case studies from 2018-203. Both resources can be found on the DPC website.  

Poland’s DPA Investigating OpenAI 

Poland's data protection authority (DPA), the Urząd Ochrony Danych Osobowych, announced an investigation into OpenAI's chatbot ChatGPT. The investigation follows a complaint alleging that ChatGPT's operations violate the EU General Data Protection Regulation (GDPR), including processing "data in an unlawful and unreliable manner" with opaque rules under which the processing is done.  

ASIA-PACIFIC, MIDDLE EAST, & AFRICA 

Proposed AI + Privacy Measures in China 

Chinese regulators have opened several draft measures and rules for public comment.  

  • Security requirements for generative AI services. High-level security standards tailored to generative AI services. Note that while these requirements would be specific to services offered to the public within China, it is also expected that Chinese companies will push these standards down to their own generative AI service providers (whether or not those providers offer services directly to the Chinese public).     

  • Implementation rules for data security risk assessments. These rules are intended to specifically address “important and core data in the industrial and information technology fields.” However, regulators have stated that the rules will also serve as a reference point for other security risk assessments.  

  • Regulations to standardize and promote cross-border data flows. These regulations are expected to substantially impact the current understanding of cross-border data flow requirements. In particular, the draft regulations seem to exempt significant categories of data from the required transfer mechanisms under PIPL and related laws and regulations, including (amongst others): personal data that was not collected in China; certain personal data that is necessary for the establishment and performance of a contract with the data subject; and certain employee personal data. 

South Korea’s PIPC announced the formation of an Artificial Intelligence Privacy Team  

South Korea's Personal Information Protection Commission (PIPC) announced the formation of an Artificial Intelligence Privacy Team. The team will: (a) serve as a focal point for government-private communication and cooperation in the field of artificial intelligence privacy; (b) resolve uncertainty by interpreting personal information protection laws and presenting specific standards for individual cases in a rapidly changing AI environment; and (c) promote the establishment of the ‘AI Prior Appropriateness Review System’ and the ‘AI Privacy Public-Private Policy Council’. 

NEW ZEALAND & AUSTRALIA 

New Zealand Privacy Commissioner Issues Guidance on AI Tools  

On September 21, 2023, the New Zealand Privacy Commissioner released new guidance on the use of AI tools and meeting obligations under New Zealand's Privacy Act. This guidance builds off the initial set of expectations around AI use, which was published by the Commissioner's office in May of this year. The guidance notes that privacy should be a starting point for the responsible use of AI tools, including completing a privacy impact assessment, and considering privacy principles when using AI tools.  

Australia's Office of the Information Commissioner Releases Annual Report 

Australia’s Office of the Information Commissioner (OAIC) released their 2022-2023 Annual Report, detailing statistics around the number of privacy complaints, privacy inquiries, notable data breaches, and freedom of information requests handled by the office. The report also contains information about the OAIC’s management and accountability, and financial statements.  

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.