Here is a snapshot of some privacy developments from the last month. If you missed our last post, you can find it here.
US STATE LAW
California Supreme Court Opinion Regarding Liability for Screening Providers
The California Supreme Court held that applicant screening providers can be held directly liable under state civil rights law, because the definition of “employer” under the CA Fair Employment and Housing Act includes “any person acting as an agent of an employer.” In the case at issue, the plaintiffs received job offers conditioned on successful pre-employment medical screening, which the prospective employer engaged the defendant (U.S. Healthworks Medical Group or USHW) to perform. USHW required the applicants to complete a written health history that included questions unrelated to the plaintiffs' ability to perform job-related functions.
Illinois Court Rejects Argument that a Fundamental Difference Exists Between the Identification of “Biometric Features” and “Biometric Identifiers” Under IL BIPA
In May 2023, the United States District Court for the Northern District of Illinois (IL) denied CVS's motion to dismiss, which was based on the argument that there is a fundamental difference between the identification of “biometric features” and “biometric identifiers” under the IL Biometric Information Privacy Act (BIPA). The court stated that for CVS to identify abstract binary facial features, such as whether eyes are open or closed, it is necessary for CVS to scan an individual's face, thereby collecting biometric data capable of identifying an individual.
Multi-State Coalition Asks Congress to Investigate AI Exploitation of Children
The Attorneys General of South Carolina and 53 other states and territories wrote an open letter to the US Congress requesting a commission be formed to study how Artificial Intelligence (AI) can be used to exploit children. The letter calls out using deepfakes and other generative AI to create child sexual abuse material as a top concern, but also mentions AI exploitation of children in general. In addition to the investigation by the commission, the state coalition urges Congress to legislate on the issue.
Massachusetts Sports Wagering Data Privacy Rules in Effect September 1, 2023
The Massachusetts Gaming Commission approved rules regarding data privacy and security for sports bettors in the state, following the legalization of sports betting in the state in 2022. The Sports Wagering Data Privacy Rules, approved in August 2023, became effective on September 1, 2023. All licensed sports betting operators in Massachusetts are now required to follow data use, sharing, and retention restrictions; provide certain patron (data subject) rights; maintain appropriate data privacy and security programs; provide a privacy notice with required disclosures; and notify the Gaming Commission within five days of a suspected data breach involving confidential information (CI) or personally identifiable information (PII).
California Passes the Delete Act
The California Senate recently passed a bill known as the Delete Act. This bill gives consumers the right to have data brokers delete their personal information via a single data deletion request. The governor has until October 14 to sign the bill into law.
Delaware Signs Personal Data Privacy Act
The Governor of Delaware signed the Delaware Personal Data Privacy Act (DPDPA) into law. The DPDPA will give consumers the right to access, correct, delete, and opt out of the processing of their personal data by companies that conduct business in Delaware. Companies will also have to provide notice and transparency about their practices and implement security measures to protect personal data. The DPDPA will become effective on January 1, 2025.
US FEDERAL LAW
New National Institute of Standards and Technology (NIST) Publications
On August 17th, NIST released a draft internal report, NIST IR 8477 on Mapping Relationships between Documentary Standards, Regulations, Framework, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings. This draft is meant to assist in developing a single concept system that links cybersecurity and privacy concepts from many sources into a cohesive set of relationship mappings. The public comment period is open until October 6, 2023.
NIST also released Special Publication SP 1800-35 on August 22nd, a third preliminary draft from the National Cybersecurity Center of Excellence (NCCoE), on Implementing a Zero Trust Architecture. The practice guide includes several approaches to zero trust architecture for enterprise IT infrastructure, both in the cloud and on-premises.
NIST released a new draft version 2.0 of the Cybersecurity Framework (CSF) on August 8, 2023. The standard, originally published in 2014 and last updated in 2018, is meant to help organizations understand, reduce, and communicate about cybersecurity risk. The comment period for this draft is open until November 5, 2023. There will not be another round of comments after this one until the final 2.0 version is published in early 2024.
NIST released Interagency Report (NIST IR) 8270, “Introduction to Cybersecurity for Commercial Satellite Operations.” This report addresses cybersecurity risk management for the commercial satellite industry as it seeks to start managing cybersecurity risks in space.
National Highway Traffic Safety Administration (NHTSA) Approves Auto Data-Sharing
The NHTSA approved a Massachusetts measure on Tuesday, August 22nd that would require automakers to share vehicle data with independent repair shops. Voters in Massachusetts had approved a ballot initiative in 2020 that gives independent repair shops access to vehicle diagnostic data, which newer cars can send directly to dealers and manufacturers, to allow consumers to seek repair options outside of dealerships. Previously, the NHTSA said that automakers should not comply with the law because it could potentially allow hackers to manipulate critical functions of cars like steering, braking, and other safety features. Automakers must now comply with the law using “short-range wireless technology,” but the NHTSA said long-range wireless signals could pose risks.
The Digital Advertising Alliance Has New Token ID-Based Opt-Out
The DAA has launched new opt-out functionality based on hashed phone numbers, in addition to the hashed email address functionality available since April 2021. The newly enhanced tool is live and available for use in the United States and Canada.
FTC Finalizes Order Against 1Health
In June, the FTC announced a complaint and proposed settlement with 1Health, a DNA testing company, for failures to protect sensitive personal data and for making unfair retroactive changes to its privacy policy. The complaint states that the FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.
Network Advertising Initiative Releases Legal Analysis and Guidance for Sensitive Health Information in Advertising
The NAI released a legal analysis of recent enforcement actions and US privacy laws relevant to the use of health information in digital advertising. The analysis also includes practical, operational, and compliance recommendations for participants in the digital advertising industry.
SEC Sues Broker-Dealer for Allegedly Misleading Consumers About Data Security
On September 12, 2023, the US Securities and Exchange Commission (SEC) filed charges against broker-dealer Virtu, alleging that Virtu failed to establish and maintain appropriate “information barriers” protecting sensitive data. The SEC claims that a database holding identifying, nonpublic customer data was accessible to almost anyone in Virtu through “widely known and frequently shared” database credentials. The SEC further alleges that when customers specifically asked about Virtu's data practices, Virtu overstated existing protections and falsely represented that the database used need-based access controls.
NIST Updates to Implementing the HIPAA Security Rule
The National Institute of Standards and Technology (NIST) published a press release on September 5, 2023, regarding the draft NIST Special Publication (SP) 800-66 Revision 2, titled “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide.” The final version will be published later this year. The most impactful changes include:
More specific resources for small, regulated entities
Clarifications on the terms “risk analysis” and “risk assessment”
Adjusting the appendices
Making Appendix E, Security Rule Standards and Implementation Specifications Crosswalk, more useful
Reorganizing HIPAA Security Rule Resources and making them available online
FTC FCRA Settlement with Background Report Providers
The Federal Trade Commission (FTC) has settled with Checkmate, TruthFinder, and three related companies (The Control Group Media Company, Intelicare Direct, and PubRec) for $5.8 million, resolving charges alleging that the companies marketed and provided consumer background reports to prospective employers and landlords in violation of the Fair Credit Reporting Act (FCRA) and the FTC Act.
New Version of HIPAA Security Risk Assessment Released
The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) released version 3.4 of the Security Risk Assessment Tool (SRA). The downloadable SRA Tool is a desktop application that walks users through the security risk assessment process using multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are also provided.
OCR Settles Potential HIPAA Security Rule Violations with Health Plan
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with Local Initiative Health Authority for Los Angeles County (L.A. Care Health Plan), the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident. Under the agreement, L.A. Care agreed to pay $1,300,000 and to implement a corrective action plan.
OCR and FTC Publish Warning Letters Sent about Privacy and Security Risks from Online Tracking Technologies
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have published the joint letters that were sent in July 2023 to approximately 130 hospital systems and telehealth providers. The letters emphasize the risks and concerns about the use of online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, which can track a user’s online activities.
FTC and HHS Update Joint Guidance on Consumer Health Information
The Federal Trade Commission (FTC) and the Department of Health and Human Services have updated their joint guidance “Collecting, Using, or Sharing Consumer Health Information?,” which highlights some of the obligations that businesses that collect, use, or share health information may have under: 1) HIPAA; 2) the HIPAA Privacy, Security, and Breach Notification Rules; 3) the FTC Act; and 4) the FTC's Health Breach Notification Rule. The article provides links to other, more detailed guidance.
NORTH & SOUTH AMERICA
Reminder on Quebec Law
Many provisions of Quebec's Law 25 (Bill 64) went into effect on 9/22/2023. Quebec's privacy modernization law for the private sector, which passed in September 2021, has many substantive provisions, including requirements for privacy notices, new data subject rights, privacy impact assessments, and data processing agreements. Penalties for non-compliance also increase, including the potential for GDPR-style fines of up to $25M Canadian or 4% of global turnover, and a private right of action for certain violations of the law.
Employer Liability under British Columbia Privacy Act
The Court of Appeal for British Columbia found an employer (Insurance Corporation of British Columbia or “ICBC”) liable for its employee's breach of privacy of ICBC's customers under the British Columbia Privacy Act. According to the decision's summary, the employee allegedly “sold private information linking the customers' license plates to their home addresses. Several customers were then targeted with arson and shooting attacks.” The court held that the lower court did not err when imposing vicarious liability on ICBC, holding that “ICBC materially created the risk and provided the opportunity for this employee to commit the wrong and the employee's conduct was sufficiently related to her authorized duties to justify the imposition of vicarious liability.”
Updated Saskatchewan Health Privacy Regs
Amendments to the Saskatchewan Health Information Protection Act went into effect on 8/1/2023. An announcement can be found here, the FAQs can be found here, and the updated regulations can be found here. New definitions are included, there are new data protection obligations, and policies are required regarding the retention and destruction of personal health data.
EUROPE & UK
GDPR Data Subject Rights
The European Data Protection Board (EDPB) has published a helpful graphic to understand which data subject rights are applicable under the respective General Data Protection Regulation (GDPR) legal bases. Please click here for the full EDPB Data Protection Guide.
European Commission Designates “Gatekeepers” Under Digital Markets Act
The European Commission designated six “gatekeepers” under the Digital Markets Act (DMA) on September 6, 2023: Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. While the goals of the DMA extend well beyond privacy and data security, there are some specific data use requirements for gatekeepers that are noteworthy:
Providing companies that advertise on a gatekeeper’s platform with access to the gatekeeper’s performance measuring tools and information necessary to allow advertisers and publishers to conduct their own independent verification of their advertisements hosted by the gatekeeper;
A ban on using the data of a business user (meaning a natural or legal person acting in a commercial or professional capacity using core platform services) if the gatekeeper competes with the business user on the gatekeeper’s own platform;
A ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without obtaining appropriate consent.
French MP Challenges the EU-U.S. Data Privacy Framework
French member of parliament (MP), Philippe Latombe, filed an application to annul the Data Privacy Framework. Latombe requested the Framework be suspended immediately and has also challenged the text of the Framework. Additionally, he cited procedural concerns stating that the Framework was only notified to Member States in English and was not published in the EU's Official Journal.
Denmark's DPA Critical of Google Analytics Use
Denmark's DPA, Datatilsynet, rejected media reports suggesting that business use of Google Analytics was legalized in Denmark by virtue of the EU-U.S. Data Privacy Framework (DPF). Datatilsynet cautioned that while the DPF means that Google Analytics use could be legal, it will still be critical of Google Analytics' compliance with other General Data Protection Regulation (GDPR) requirements and with Datatilsynet's guidance on privacy in the cloud (available only in Danish). Datatilsynet also announced it will be updating its cloud and data transfer guidance to reflect the DPF.
Denmark Criticizes Housing Association for Denying Right to Access
Datatilsynet, Denmark's DPA, condemned a public-sector housing association's practice of categorically denying residents access to their case records until those cases were resolved. This practice was based on the housing association's incorrect interpretation of Denmark's Public Information and Administration Act, which Datatilsynet clarified does not allow publicly owned companies to unilaterally deny data subjects' access. Instead, the housing company can deny residents access only to limited portions of records where other residents' privacy interests are overriding.
Denmark Criticizes Food Ordering Platform for Slow Responses to Data Subject Requests
Datatilsynet, Denmark's DPA, found that food ordering platform OrderYOYO exceeded the time allowed for processing and responding to a consumer's request that OrderYOYO explain certain data processing and delete the consumer's data. OrderYOYO began processing the deletion request immediately, but failed to respond to the consumer's request for information until it learned that the consumer had complained to Datatilsynet, five months after the data subject request was made. Datatilsynet specifically criticized the company for appearing to honor the request only because the regulator's powers became involved.
NOYB Files Complaints Against Fitbit
NOYB (None of Your Business), a digital-rights group based in Vienna, filed complaints on August 31 against Fitbit, a fitness-tracking company owned by Google. In the complaint, NOYB alleges that Fitbit requires mandatory consent to transfer personal data outside the EU and does not provide a way to withdraw consent, other than by deleting one's Fitbit account. NOYB also asks that Fitbit share mandatory information about the data transfers and allow use of the app without the need to consent to transfers outside the EU.
Danish DPA Publishes Guidance on Email Address “Auto-Complete”
Denmark's DPA, Datatilsynet, announced a stricter position on use of “auto-complete” in email systems. This function attempts to predict the full email address a user has begun typing and offers to auto-complete the “To,” “Cc,” and “Bcc” lines based on this prediction. Datatilsynet now mandates that certain controllers handling sensitive information must implement technical measures to reduce the risk of emails being incorrectly addressed due to auto-complete. Datatilsynet will enforce this position beginning March 1, 2024.
Netherlands - Algorithmic Risks Report
The Department for the Coordination of Algorithmic Oversight at the Dutch Data Protection Authority (DPA) has released the inaugural “Algorithmic Risks Report Netherlands,” identifying intelligent chatbots and the “inadequate understanding by organizations of existing algorithms” as the most significant algorithmic risks in the Netherlands. Autoriteit Persoonsgegevens (AP) Chair Wolfsen is calling for clear regulations and standards and welcomes the creation of an algorithm register for government organizations that would align with the anticipated classification of high-risk systems currently under negotiation in upcoming European legislation. The AP plans to publish an Algorithmic Risks Report Netherlands every six months to provide insight into recent developments, risks, and challenges.
Dutch Consumers' Association Sues Google for Alleged “Large-Scale Privacy Violations”
The Dutch consumers' association, Consumentenbond, along with the Privacy Protection Foundation, has issued legal proceedings against Google for alleged large-scale privacy violations. The groups have demanded that Google stop “its constant surveillance and sharing of personal data through online advertising auctions” and that Google pay 750 euros in damages for “every consumer who has used Google.”
Croatia DPA Fines Municipal Company €25K for GDPR Violations
AZOP, Croatia's data protection authority (DPA), fined Zagreb Holding under the General Data Protection Regulation (GDPR) for multiple violations. The penalty is primarily based on Zagreb Holding's lack of adequate authentication for customers requesting copies of their information and includes the municipal company's failure to adequately inform data subjects about its legal basis for processing government ID information. AZOP's statement on the fine breaks down the technical problems in the company's noncompliant protocols in detail.
ASIA-PACIFIC, MIDDLE EAST, & AFRICA
The Singapore PDPC Publishes Enforcement Action Related to Telemarketing Messages to Numbers Obtained Prior to the Enactment of Personal Data Protection Act (PDPA)
In the Wee Jing Kai Leon case decision, the Personal Data Protection Commission (PDPC) recognized that a subscriber of a Singapore telephone number is deemed to have given consent to telemarketing messages if the subscriber consented before 2 January 2014 (i.e., before the Do Not Call [DNC] Provisions) and that consent has not been withdrawn, even if the subscriber subsequently adds their number to the DNC registry. However, this does not relieve an individual or organization of its duty to obtain clear and unambiguous consent or to check the DNC Registry before sending telemarketing messages under the DNC provisions.
India Digital Personal Data Protection Act
India has passed an updated, comprehensive data privacy law. The law passed in the face of significant criticism that it enables significant access to personal data by the government without user consent or control. India's minister of state for electronics and IT has suggested that companies will have six months to get into compliance with the Digital Personal Data Protection (DPDP) Act. Exact timelines are still to be determined, however, and the actual transition timeline will be discussed further in a consultation with industry this month.
India Privacy - Dark Patterns Guidelines
Draft guidelines on the prevention of dark patterns have been published by the Department of Consumer Affairs, Government of India, for public consultation. The comment period ends October 5th. These guidelines will list various deceptive practices that have been adopted by online platforms.
China Privacy - Enforcement Action Arising Out of Mandatory Cybersecurity Review
The Cyberspace Administration of China (CAC) has fined the China National Knowledge Infrastructure (CNKI), an academic research database, nearly $7M USD for the collection of personal information without consent and other improper data handling practices. Notably, this fine arises out of a mandatory cybersecurity review that CNKI was obligated to complete by virtue of the scale and scope of the data it processed. This is an important data point for clients, as many have expressed concerns about completing the detailed cybersecurity reviews mandated under the China Personal Information Protection Law (PIPL) and other laws.
NEW ZEALAND & AUSTRALIA
New Zealand Privacy Commissioner Opens Consultation on Children and Young People's Privacy
The New Zealand Office of the Privacy Commissioner (OPC) has launched a children and young people's privacy project, considering whether current laws and regulations protecting children and young people's privacy rights are working. This project is a part of the 2020 reforms to the New Zealand Privacy Act, which introduced specific requirements on the collection of children's and young people's personal information. The OPC is currently looking for feedback from professionals who work with children and non-governmental organizations (NGOs) who advocate for children and young people. The comment period is open until November 30, 2023. The OPC will be seeking comments from children, young people, and the wider community starting in early 2024.
OAIC Releases Notifiable Data Breaches Report
The Office of the Australian Information Commissioner (OAIC) released its latest Notifiable Data Breaches Report on September 5, 2023. The report covers a period from January to June 2023, with 409 data breaches reported to the OAIC. Key findings include:
The top three attack methods were ransomware, compromised or stolen credentials, and phishing.
The health and finance sectors remained the top reporters of breaches.
Malicious or criminal attacks remained the leading cause of breaches.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.