By Leslie Veloz
Here’s a snapshot of a few privacy developments from the past few weeks. If you missed our last post, you can find it here.
US STATE LAW
Amazon and Microsoft Granted Summary Judgement in Biometric Data Privacy Lawsuits
A Washington federal judge dismissed two putative class actions brought by Chicago residents accusing Microsoft and Amazon of violating Illinois’ Biometric Information Privacy Act (BIPA). Amazon and Microsoft successfully argued that they could not be held liable because they never used or benefited from the biometric data.
Texas Sues Google
Texas has filed a lawsuit against Google for allegedly collecting the faces, voices, and other biometric data of millions of Texans without obtaining advance, informed consent. This lawsuit is one of several filed by states against Google alleging unfair practices concerning privacy.
California Publishes a Second Version of Proposed CPRA Regulations
Last week, the California Privacy Protection Agency published V2 of the proposed CPRA regulations and scheduled a public meeting to discuss them on October 28-29 via Zoom video and telephone. Key modifications affect consent, cookie banners, non-profits, dark patterns, privacy statements, limiting rights, and service providers.
US FEDERAL
Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities
On October 7, 2022, President Biden signed an Executive Order that outlines steps the U.S. government will take to implement a new EU-U.S. data privacy framework. The framework seeks to restore a legal basis for transatlantic data flows, address concerns raised in the CJEU decision by strengthening privacy and civil liberties protections for foreign individuals, and create an independent and binding process for non-U.S. citizens to seek redress if they believe their data was improperly collected through U.S. signals intelligence. The EU Commission will review the framework and determine whether it provides adequate safeguards and protections for EU data and individuals, equivalent to the level of protection under GDPR.
FCC To Start New Robotext Proceeding
The Federal Communications Commission has noted that the number of illegal, unwanted texts has grown significantly over the last few years and, as a result, has released a notice of proposed rulemaking (NPRM) seeking comment on regulations it could adopt to fight scam and spam text messages with network-level blocking and sender ID authentication.
New FDA Guidance to Protect Children Who Participate in Clinical Trials
The U.S. Food and Drug Administration issued draft guidance to provide the agency's perspective on the ethical considerations for including and protecting children in clinical trials. In addition, the guide will assist industry, sponsors, and institutional review boards (IRBs) when considering the enrollment of children in clinical investigations of drugs, biological products, and medical devices.
NIST 2021 Cybersecurity and Privacy Annual Report
The NIST annual report highlights the FY 2021 research activities for the ITL Cybersecurity and Privacy Program, including the ongoing participation and development of international standards, the enhancement of privacy and security risk management models, the continued advancement of cryptographic technologies, and improved infrastructure protection.
EUROPE & UK
CNIL Publishes a Compliance Checklist for Health Warehouse Repository
The French National Data Protection Authority, Commission nationale de l'informatique (CNIL), created a checklist to help data controllers easily verify their compliance with the warehouse repository. The checklist can be used by any organization wishing to set up a data warehouse in the field of health.
20 Million Euros Penalty Against Clearview AI
The CNIL imposed the maximum financial penalty of 20 million euros, according to article 83 of the GDPR, and ordered Clearview AI to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected.
The Nordic Data Protection Authorities Meet to Discuss Children’s Privacy & Health Data
The Nordic Data Protection Authorities met for their annual meeting on October 13th-14th, 2022. Data Protection Authorities from Finland, Sweden, Norway, Denmark, Iceland, the Åland Islands, and the Faroe Islands met to discuss the protection of children's privacy, best practices in solving cases, information legislation in the Nordic countries, and a draft of new legislation on a common European area for health information (the European Health Data Space).
Switzerland’s New Federal Act on Data Protection
Switzerland is implementing new legislation to better protect its citizens' data. The new Federal Act on Data Protection (nFADP) improves the processing of personal data and grants Swiss citizens new rights. Swiss companies must comply with this legislation starting September 1, 2023.
Poland’s Pregnancy Record Ordinance
Poland’s new ordinance requiring doctors to record pregnancies in the national medical database went into effect October 1. Poland has stringent abortion laws, and women’s groups are concerned this new regulation will further restrict reproductive choices. However, the health ministry denies government officials will use the information. “Only medics will have access to the information,” a Ministry spokesman told the Lancet.
ASIA-PACIFIC, MIDDLE EAST & AFRICA
China Releases 13 New National Cybersecurity Standards
The People’s Republic of China approved and released 14 national cybersecurity standards addressing topics like biometrics, voice, facial and gait recognition, internet communication and others.
NEW ZEALAND AND AUSTRALIA
OAIC Released a 2021-22 Annual Report
The Office of the Australian Information Commissioner (OAIC) has released its 2021-22 annual report on the OAIC’s operations, including a report on freedom of information matters and privacy matters. The freedom of information matters include a summary of the data collected from Australian Government ministers and agencies in relation to activities under the Freedom of Information Act 1982.
OAIC Opens Investigation into Optus over Data Breach
The Office of the Australian Information Commissioner (OAIC) commenced an investigation into the personal information handling practices of Singtel Optus Pty Ltd, Optus Mobile Pty Ltd, and Optus Internet Pty Ltd regarding the data breach made public by Optus on Thursday, 22 September 2022.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.