Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.
United States: State Law Updates
Connecticut Attorney General Reports on Privacy Act Enforcement
The Connecticut Attorney General issued a report required under the Connecticut Data Privacy Act (CTDPA) detailing its 2023 enforcement activities. The report includes the following information as well as the AG’s suggestions for improving the Act:
the number of notices of violation the Attorney General has issued;
the nature of each violation;
the number of violations cured; and
any other matter the Attorney General deems relevant.
The report includes categories of businesses who received notices of alleged deficiencies as well as an aggregated summary of the deficiencies identified.
The types of violations the AG found included:
Inadequate disclosures and rights mechanisms;
Inappropriate use or protections of sensitive data (including regarding biometrics in retail environments for identification, age verification and payment; connected vehicles; and genetic testing and ancestry services);
Use of teen data for targeted advertising; and
The right to deletion of data held by data brokers.
The AG further advocated for revisions to CTDPA that include:
Reducing exemptions;
Enacting a one-stop deletion mechanism similar to California’s Deletion Act;
Adding a right to know the specific third parties that receive personal data from covered businesses;
Expanding the definition of “biometrics’ to include data that would be capable of identifying an individual;
Clarify permissible uses of teen data based on consent of the teen; and
Revise the definition of “publicly available information.”
Democratic Leaders Poised to Revisit Illinois Biometric Information Privacy Act (BIPA) after Court Rulings
Illinois Senate Bill 2979 is a proposal filed by State Senator Bill Cunningham that could change Illinois' Biometric Information Privacy Act. The new bill aims to "strike a balance between business groups' concerns over the law and its original intent," after complaints from some industry groups that the law does not accurately reflect the way they collect data.
One of the key changes being proposed is that each initial collection of a fingerprint or other biometric data would amount to one violation, rather than a violation per scan.
This comes after a decision against White Castle in February 2023, that could see them owing up to $17 billion in penalties. After that decision, the state's high court 'respectfully suggest[ed]" the General Assembly review BIPA "and make clear it's intent regarding the assessment of damages under the Act."
United States: Federal Updates
NIST Updates Cybersecurity Framework, Weighs in on Ethical AI Research, Publishes HIPAA Security Rule Resource, and
Cybersecurity Framework: On February 26th, the National Institute of Standards and Technology (NIST) released version 2.0 of the Cybersecurity Framework (CSF). This is the first major update to the CSF since 2014. The updated framework is designed for organizations across all industries, not just critical infrastructure. Along with the framework, NIST has also released Quick Start Guides for tailored guidance for enterprise risk management, cybersecurity supply chain risk management, organizational tiers and profiles, guidance specifically for small businesses, and Informative Reference Mappings showing how NIST resource documents overlap and share themes.
Ethical AI: NIST announced on February 15, 2024 that a team of NIST researchers published a paper on ethical AI research in the February issue of the Institute of Electrical and Electronics Engineers (IEEE)'s Computer magazine. The paper is titled, "Avoiding Past Mistakes in Unethical Human Subjects Research: Moving From Artificial Intelligence Principles to Practice". The researchers suggest that existing principles of human subjects research could apply to AI research. This would continue decades of best practices based on the 1978 Belmont Report, a key milestone in ethical research studies. The core principles of the Belmont Report - respect for persons, beneficence and justice, could be applied to AI research in a straightforward manner, the researchers suggest, "there's no need to reinvent the wheel. We can apply an established paradigm to make sure we are being transparent with research participants, as their data may be used to train AI."
HIPAA Security Rule Resource: On February 14th, NIST published Special Publication 800-66 Revision 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide. This supersedes previous guidance issued in 2008. The revision contains substantive updates including Security Rule standards and implementation specifics, aligning risk assessment and risk management sections with NIST SP 800-30 and NIST IR-8286 documents, and considerations when applying the HIPAA security rule.
Election Infrastructure: NIST published NIST VTS 200-1, Cybersecurity Framework Election Infrastructure Profile, on February 1, 2024. The document is meant to be utilized by IT professionals and election administrators managing election infrastructure systems to reduce risks. This framework was developed to broadly consider the entire election infrastructure. Election systems were designated as critical infrastructure in 2017 by the Department of Homeland Security (DHS). The document also notes that this framework is meant to be utilized along with best practices from the Cybersecurity & Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC).
For More Information about NIST’s Work, Consider Attending April Workshops: The NIST’s CHIPS Research and Development Office is hosting two workshops in April of 2024. One workshop will be on Digital Twin Data Interoperability Standards on April 4-5. The other workshop will be on Semiconductor Supply Chain Trust and Assurance Data Standards on April 2-3. The workshops will help to identify community priorities for specific standards efforts. Both events will be hybrid virtual and in-person. Registration for both workshops closes March 28, 2024.
FTC Issues Complaint and Proposed Order Against Avast That Would Require Model Deletion and Fine Avast $16.5 Million
The FTC alleges antivirus software company, Avast, (1) failed to inform consumers that it collected and sold their browsing data, and (2) claimed that it would block trackers from collecting data on consumers’ browsing activities. The FTC’s complaint also includes claims regarding Jumpshot, a competitor antivirus software provider Avast bought and rebranded as an analytics company. The FTC complaint alleges that Jumpshot sold data Avast collected in a non-aggregate form after, contradicting Avast’s claim that it only transfers consumers personal information in an aggregate and anonymous form. In addition to a fine of $16.5 million, this case marks the 8th time the FTC has sought model deletion.
No Sovereign Immunity for FCRA Claims
The Supreme Court unanimously ruled in Department of Agriculture Rural Development Rural Housing Service v. Kirtz that federal government agencies can be sued for FCRA violations. The Court held that the statutory provision allowing people to sue any "person" for damages precludes sovereign immunity defenses since "person" was defined in relevant part to include any government agency.
HHS and SAMHSA Finalize Modifications to Part 2 Rules
On February 8, the U.S. Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA), finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2, commonly referred to as the Part 2 Rules. Among other things, the final rule permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations and redisclosure of Part 2 records by HIPAA covered entities and business associates in accordance with the HIPAA Privacy Rule and expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
DAA Announces Self-Regulatory Principles Inquiry into Indeed and Glassdoor
The BBB Digital Advertising Accountability Program recently announced an investigation and resolution regarding Glassdoor and Indeed's compliance with the Digital Advertising Alliance's Self-Regulatory Principles for online interest-based advertising. The resolution included commitments regarding enhanced notice for website data collection and pertaining to Principles compliance for cross-app data collection.
U.S. AI Safety Institute Executive Leadership Announced
U.S. Commerce Secretary Gina Raimondo announced key members of the U.S. AI Safety Institute (AISI) on February 7, 2024. The AISI will be established at the National Institute for Standards and Technology (NIST). Elizabeth Kelly, currently an economic policy advisor for President Biden, will lead the AISI. Elham Tabassi, currently leader of NIST's Trustworthy and Responsible AI program, will be the AISI's Chief Technology Officer.
DOJ Office of Civil Liberties Publishes FAQ on the Data Protection Review Court
The U.S. Dept. of Justice, Office of Privacy and Civil Liberties published an FAQ responding to questions about the Data Protection Review Court (DPRC), which acts as a redress mechanism for the EU-U.S. Data Privacy Framework. The FAQ provides details on the DPRC, how complaints can be filed, covered violations and qualifying states, as well as information about judge selection and independence.
OMB seeking input on how PIAs can be updated to better address privacy risks caused by AI
On January 30, 2023, the Office of Management and Budget (OMB) issued a public request for information regarding how privacy impact assessments (PIAs) may be updated to better identify and mitigate the privacy risks, including those caused or further exacerbated by artificial intelligence. Public input will be used to inform potential updates by the OMB to its guidance on privacy impact assessments. The call for public input closes April 01.
FTC and DOJ Update Language in Preservation Letters
The FTC and DoJ are updating language in preservation letters, voluntary access letters, and compulsory legal process, and grand jury subpoenas to require companies retain data from ephemeral messaging applications when they must preserve and produce responsive documents during investigations and litigation.
CFPB Issues Advisory Opinions on FCRA File Disclosure Requirements and on Background Report Accuracy
FCRA File Disclosure Requirements: The CFPB issued an advisory opinion regarding the obligations consumer reporting agencies have to disclose complete files of consumer report information to consumers upon request. It addresses what information must be disclosed, when it must be disclosed, and obligations to identify the specific sources from which the information came.
Background Report Accuray: The CFPB issued an advisory opinion with guidance on consumer reporting agency obligations when preparing consumer reports to validate the the information is accurate, even when obtained from public records. It notes that procedures are required to prevent sharing duplicative information, or information that is legally restricted from public access, and if certain criminal information is reported then disposition information about the proceedings needs to be shared as well.
HHS Publishes Voluntary Cybersecurity Performance Goals and Launches Cybersecurity Gateway
On January 24, 2024, the U. S. Department of Health and Human Services (HHS) published Healthcare and Public Health Sector-Special: Cybersecurity Performance Goals. The goals are a voluntary subset of cybersecurity practices and are informed by common industry cybersecurity frameworks (e.g., NIST’s Cybersecurity Framework), guidelines, best practices, and strategies. It is anticipated that these goals will inform future HHS rulemaking. In addition to the goals, HHS also launched the Healthcare and Public Health Sector Cybersecurity Gateway, which provides cybersecurity resources and tools to support the sector.
Europe and the United Kingdom
Uber Fined €10 Million for Infringement of Privacy Regulations
The Dutch Data Protection Authority (AP) has fined Uber Technologies, Inc. and Uber B.V. €10 million for a lack of transparency in how Uber was handling the personal data for European drivers after more than 170 French drivers complained to a French human rights organization. The DPA found that it was "unnecessarily complicated for drivers to submit requests to view or receive copies of their personal data," and the request form was buried deep in the app and across various menus. The DPA also found that Uber did not disclose full details of its retention periods for driver data, nor did they disclose which non-European countries with whom they were sharing data. The French DPA forwarded the complaint to the Netherlands, as Uber's European headquarters is in the Netherlands.
CNIL Fines Amazon France 32 Million Euros for Excessive Worker Surveillance
The French data protection regulator (CNIL) has fined Amazon France Logistique 32 million Euros for breaches of GDPR resulting from its warehouse surveillance practices. In its decision, the CNIL noted the GDPR breaches in the following areas:
Warehouse stock and order management
Work schedule and employee appraisal
Video surveillance processing
Specifically, the GDPR breaches cited included:
Data minimization (Art. 5.1c): The CNIL found that activities such as providing employee assistance or reassignment in real time, scheduling work in the warehouses, and employee assessment and training does not require "access to every detail of the employee's quality and productivity indicators collected using scanners over the last month." And the supervisors should be able to rely on the reported data and a selection of aggregated data to manage their employment relationship, including reassignment and coaching. The CNIL also took issue with the fact that Amazon France retained scanner data for 31 days, finding the retention period "excessive."
Lawful processing (Art. 6): The CNIL found three indicators processed by the company to be "illegal" and excessively intrusive, including the "stow machine gun" which signaled when a worker scanned an item too quickly, "idle time" which indicated scanner downtime of 10 minutes or more, and "latency under 10 minutes" which signaled a scanner interruption between one and ten minutes. The CNIL held that processing two of the three indicators at a time required employees to justify any interruption of a scanner, and such activity is excessively intrusive. And that Amazon France had other indicators, both identifiable and aggregated, that could be used accomplish the same goals.
Notice and Transparency (Art. 12 & 13): The CNIL found that temporary workers were not properly informed before they used scanners and that neither employees nor visitors were properly informed of video surveillance systems.
Security (Art. 32): The CNIL found the access password to CCTV footage was not strong enough and that the account credentials were shared among several users, which made tracing user access to video images difficult.
Asia-Pacific, Middle East, and Africa
Australia Information Commissioner Releases Notifiable Data Breaches Report
The Australian Office of the Information Commissioner (OAIC) released their Notifiable Data Breaches Report on February 22, 2024. The report covers July through December 2023. Highlights from the report include health and finance sectors remaining the top reporters of breaches and malicious or criminal attacks remaining the leading cause of breaches. Supply-chain attacks are also of particular note in the report, as the OAIC reports a high number of multi-party breaches, with most resulting from the breach of a software or cloud provider.
ASEAN and EU Finalize Joint Guide for Cross-Border Transfers
The European Union (EU) and the Association of Southeast Asian Nations (ASEAN) published the final Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses January 31, 2024, adding an Implementation Guide to the previously published Reference Guide. The 73-page document highlights similarities and differences between the model clauses of each region and highlights best practices for successful implementation of transfers from each region to the other and within the ASEAN region.
Text of the EU AI Act Leaked
While the final text of the Act is not expected until early 2024, we can expect to see:
A ban on a limited set of practices that constitute an "unacceptable risk" to the safety, security and fundamental rights of humans.
A complex framework for regulating "high risk" AI Systems and applications including, amongst other obligations, required fundamental rights impact assessments and conformity assessments, requirements to implement risk and quality management systems, public registration requirements, specific testing, monitoring and human oversight obligations and proscriptive data governance and transparency requirements.
Enhanced transparency, labeling and in limited instances consent obligations for certain AI systems that pose a "limited risk," including certain AI Systems that interact directly with people or produce or manipulate content.
Voluntary compliance practices, such as AI codes of conduct, recommended for providers of AI Systems posing a "minimal risk," (which by default includes all other AI Systems that do not fall into the other categories).
A separate tiered compliance framework for providers of general-purpose AI models (including certain generative AI models) with enhanced obligations for general purpose AI models that pose systemic risks.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.