Hintze Global Privacy & Security Updates

in

By Zachary Douglas

Here’s a snapshot of some privacy developments from this summer. If you missed our last post, you can find it here

US STATE LAW 

Coalition of 16 States Defend Transgender Student Privacy 

A coalition of 16 states, including Massachusetts; California; Colorado; Connecticut; Washington, D.C.; Hawaii; Illinois; Maine; Maryland; Minnesota; New Jersey; New York; Oregon; Rhode Island; Vermont; and Washington, have filed an Amicus Brief in the First Circuit Court of Appeals in support of a Massachusetts school’s ability to protect the privacy of transgender students. In the Ludlow, Massachusetts school district, information about a student’s transgender or nonconforming identity can only be shared with their parents with the student’s consent--a practice the coalition supports. 

CA AG Seeks Information from California Employers on Compliance with California Consumer Privacy Act 

The California Attorney General (AG) has sent inquiry letters to employers regarding their compliance with CCPA. The AG has also posted case examples of how businesses have responded to notices of alleged noncompliance. 

CPPA Preview of Key Issues for Future Board Discussion 

The California Privacy Protection Agency (CPPA) Rules Subcommittee has provided key considerations and potential language for future CCPA regulations governing cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). Of note, and as flagged by others, draft language on ADMT differs significantly from US state and global privacy laws. The subcommittee is also considering a right to opt-out of ADMT that encompasses any computational process that uses personal information “as whole or part of a system to make or execute a decision or facilitate human decision making,” as opposed to being bound to ‘solely automated’ or ‘final’ decisions. 

Connecticut Governor Signs AI Law for State Agencies 

Under SB 1103, Connecticut state agencies are required to conduct an annual inventory of systems that use Artificial Intelligence (AI) and to conduct ongoing impact assessments on systems that use AI to ensure the use of AI does not unlawfully discriminate or create a disparate impact on individuals. The law also calls on the Office of Policy and Management to implement policies and procedures about how state agencies can procure, implement, and assess AI. 

Connecticut and Nevada Legislatures Pass Consumer Health Privacy Laws 

Both the Connecticut and Nevada legislatures passed consumer health privacy laws following in the footsteps of, though not as stringently as, Washington’s My Health, My Data Act. Connecticut’s SB3 would amend the Connecticut Data Privacy Act, which goes into effect July 1, 2023. Both bills are awaiting signature by the states’ respective governors. The laws introduce more stringent protections for consumer health data, such as prohibiting the selling or processing of consumer health data without obtaining consent. 

Illinois License Plate Reader Privacy Law 

The Illinois Legislature has passed HB 3326 which regulates law enforcement agencies’ and private entities’ use of automated license plate readers, and sharing of data from them: (1) for certain law enforcement purposes (including laws related to reproductive health services, lawful health care services, or immigration status); or (2) with out-of-state law enforcement agencies absent obtaining a written declaration from the agency that it will use the data in compliance with this law. The bill is awaiting signature from the governor.  

Illinois District Court Rules Insurance Company Has Duty to Defend in BIPA Suit 

Society Insurance claimed it has no duty to defend Cermak Produce against a former employee’s BIPA suit because its exclusion provision includes “personal and advertising injury” alleged to violate federal, state, or local statutes that prohibit the collecting, recording, or transmitting of information. The Northern District Court of Illinois ruled the language is too broad, such that it would eliminate claims for “personal and advertising injury” that Society Insurance policies claim it covers elsewhere. Thus, Society is not exempt from providing insurance coverage to Cermak Produce in this suit. This decision comes after a Seventh Circuit opinion last month that became the first to pinpoint language as too vague to exclude coverage. 

Illinois Civil Liability for Doxing Act

On August 4, 2023, the Illinois governor approved H.B. 2954 creating the Civil Liability for Doxing Act, which creates a civil cause of action for intentionally publishing another person's personally identifiable information without their consent and with the intent to harm them, when the publishing causes harm or a substantial life disruption. The Act is effective January 1, 2024.

Indiana Medical Board Fines Doctor for Privacy Law Violation 

An Indiana doctor was reprimanded and fined $3,000 by Indiana’s Medical Licensing Board for violating privacy laws in discussing the abortion of a 10-year-old patient. The complaint was filed by Indiana Attorney General Todd Rakita, who is opposed to abortion rights, after publicly criticizing the doctor’s conduct in the wake of Dobbs. A previous review by her employer, Indiana University Health, found that she complied with patient privacy laws. 

Louisiana Passes Three New Laws 

Three laws in Louisiana have been signed or are on the Governor’s desk. The first places restrictions on social media for users under 16, the second amends Louisiana’s recent porn age-verification law, and the third bans TikTok on government devices/networks. 

  • Louisiana’s legislature sent SB 162 to the Governor’s desk on June 8. The law impacts social media companies’ treatment of users under age 16. 

  • The Louisiana governor signed HB 77 on June 8. The law empowers Louisiana’s AG to fine companies that do not comply with porn age verification law, subject to a 30-day right to cure. 

  • Louisiana’s HB 361 HB 361 was sent to the governor’s desk on June 9. The law prohibits TikTok and any successor applications or services that are developed or provided by TikTok’s parent company, ByteDance, from being used on any state-owned or -leased devices and networks. 

Massachusetts Insurance Firm Faces Proposed Class Action Based on Data Breach 

A class action was proposed against Harvard Pilgrim Health Care (HPHC), an insurance firm that maintains a Harvard Medical School affiliation, based on a Spring 2023 data breach involving names, addresses, SSNs, and health information. The lawsuit follows HPHC notifying consumers of the data breach in May and is based on four counts including negligence. 

Lender and Mortgage Servicer Settles with NYDFS for $4.25M 

OneMain Financial Group settled with the NY Department of Financial Services (NYDFS) based on alleged violations of the state Cybersecurity Regulation. Specifically, NYDFS alleges OneMain allowed local administrative users to keep the default password provided at onboarding and failed to conduct due diligence for high- and medium-risk vendors, contravening internal policy. 

Mississippi Sues Two Robocall Companies Under State Law 

On July 5, 2023, Mississippi’s Attorney General filed suit against two robocall companies based on allegedly unauthorized calls to state residents on the Do Not Call Registry. The suit argues that the two companies engaged in approximately 1,000 violations of the Mississippi Telephone Solicitation Act. 

Pornography Website Blocks Access in Mississippi 

Pornhub banned Mississippi users from accessing its website beginning July 1 in response to the state’s obscene material age-verification law, SB 2346, taking effect the same day. Pornhub’s choice to comply with the law in this way is based on concerns that the age verification process “will put both user privacy and children at risk.” 

NYDFS Publishes Updated Proposed Second Amendment to Cybersecurity Regulation 

The New York State Department of Financial Services (NYDFS) published an updated proposed Second Amendment to DFS’s Cybersecurity Regulation on June 28, 2023, because of comments received during the comment period for the initial version of the proposed Amendment. Comments on the updated proposal closed on August 14, 2023. 

New Jersey Supreme Court Holds Wiretap Protections Apply to Real-Time Electronic Communications Access 

The Supreme Court of New Jersey decided Facebook, Inc v. State last month, putting guardrails on police conduct in the state when it comes to law enforcement access to digital communications. Police had been using Communications Data Warrants (CDWs), the equivalent of a search warrant and based only on probable cause, to attempt to compel Facebook to provide the content of two users’ accounts every 15 minutes for 30 days into the future. The court held that this contemporaneous seeking of electronic communications was the functional equivalent of wiretap surveillance and is therefore entitled to greater constitutional protection. 

Governor Signed the Oregon Data Broker Registration Law 

Oregon’s governor signed the data broker registration law HB 2052. The law requires data brokers to register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data in the state. The substantive requirements take effect on January 1, 2024. 

Oregon Enacts Broad Privacy Law 

Oregon Governor signed SB 619 and joins the growing list of US states passing privacy laws this year. Most provisions are effective on July 1, 2024; non-profits are not broadly exempt, but have until July 1, 2025 to comply. The law notably only provides data-level exemptions and not entity-level exemptions for HIPAA- and GLBA-covered entities. 

Tennessee’s Extended Do-Not-Call / Do-Not-Text Law 

The Tennessee Do-Not-Call / Do-Not-Text Telephone Sales Solicitation law went into effect July 1, 2023, extending existing protections against unsolicited telephone solicitations to unsolicited text solicitations. Exceptions to the law, which carries fines up to $2,000 per instance, include prior permission, existing business relationships, and non-profit fundraising (done directly by the nonprofit). 

Texas Governor Signs Act Relating to the Protection of Minors in the Use of Certain Digital Services 

The Texas bill, HB 18, requires social media companies to receive explicit consent from a minor’s parent or guardian before the minor is allowed to create their own account starting in September of next year. It also forces these companies to prevent children from seeing “harmful” content, for example, content related to eating disorders, substance abuse, or “grooming,” by creating new filtering systems. 

Texas Passes Comprehensive Privacy Law 

The Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), a comprehensive privacy law. While similar in many respects to other state privacy laws, the TDPSA includes novel provisions relating to scope, sales of sensitive personal data, treatment of pseudonymous data, and required disclosures. 

Texas Shortens Regulatory Notification Timeline for Data Breaches 

The Texas governor signed SB 768 into law on May 27. This amendment to the state breach notification law shortens the timeline for notifying the state AG, where required, from 60 to 30 days, and requires this notification be made electronically. 

Texas Enacts Data Broker Registration Law 

Texas has joined California and Vermont in enacting a data broker registration law: 88(R) SB 2105

Google Settles Location Tracking Dispute with Washington for $39.9M 

The settlement with the state of Washington is based on Google’s alleged misleading location-tracking practices. As part of the settlement, Google must implement several court-ordered measures designed to improve its transparency practices. This settlement is separate from other multistate investigations into Google; Washington’s Attorney General filed a solo lawsuit. 

Online Apparel Company Ordered to Pay $695K In Restitution for Insufficient Consent 

Adore Me was ordered to pay the amount, to be distributed across about 5,700 Washington residents, based on violations of Washington’s Consumer Protection Act. Specifically, the court found Adore Me’s inconspicuous, pre-selected checkboxes did not constitute sufficient consent to opt in users to a monthly paid-subscription program. 

US FEDERAL LAW 

FTC Charges Ring with Compromising Its Customers’ Privacy 

The Federal Trade Commission (FTC) released a proposed order against Amazon for its employee’ misuse of Ring data and failure to take basic precautions to prevent hacking. The proposed order appears to include algorithm destruction. 

Microsoft to Settle FTC Charges Related to Alleged Violation of COPPA 

Microsoft will pay $20 million to settle FTC charges that it allegedly violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children who signed up to its Xbox gaming system without notifying their parents or obtaining their parents’ consent, and by illegally retaining children’s personal information. 

White House Listening Session on Automated Worker Surveillance and Management 

On May 25, the White House convened a listening session with workers, researchers, labor and civil rights leaders, and policymakers on “the use of automated technologies by employers to surveil, monitor, evaluate, and manage their workers.“ This session followed a request for information that was distributed by the Biden-Harris administration earlier in the month. 

FTC Takes Enforcement Action Against Genetic Testing Company 

In the Federal Trade Commission’s (FTC) first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent. The proposed settlement and other recent actions send a loud-and-clear message that the FTC is fully committed to the protection of consumers’ health information. 

National Institute of Standards and Technology (NIST) New Publications 

  • The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary public draft of NIST SP 1800-36B-E: Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The comment period closed June 20, 2023. 

  • NIST has published draft NIST IR 8467, the Cybersecurity Framework Profile for Genomic Data, providing voluntary guidance to help organizations manage, reduce, and communicate cybersecurity and privacy risks for systems, networks, and assets that process genomic data. The comment period closed July 17, 2023. 

  • NIST also published NIST IR 8454, a Status Report on the Final Round of NIST Lightweight Cryptography Standardization Process. 

  • The National Cybersecurity Center of Excellence (NCCoE) released an initial public draft on July 14, 2023 of NIST Interagency Report (IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. The comment period is open until August 28, 2023. 

CFPB Responds to White House Office of Science and Technology Policy Inquiry 

The response from the Consumer Financial Protection Bureau (CFPB) outlines possible harms for workers whose earnings, hours, and more are determined by algorithms. The response addresses concerns related to sale of worker data to data brokers, data available for purchase by employers, “worker surveillance” products designed to “augment employers’ decision about everything from hiring to promotions, reassignment, and retention,” the lack of transparency around these tools, and FCRA compliance obligations. 

CFPB Launches Rulemaking on Data Brokers

Because artificial intelligence (AI) depends on ingesting large amounts of personal data, financial incentives have been created for increased digital surveillance. The Consumer Financial Protection Bureau (CFPB) has announced its intention to “launch a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data.”

“To ensure that modern-day data companies assembling profiles about us are meeting the requirements under the Fair Credit Reporting Act, the CFPB will be developing rules to prevent misuse and abuse by these data brokers. Two of the proposals under consideration are worth highlighting here:

First, our rules under consideration will define a data broker that sells certain types of consumer data as a “consumer reporting agency” to better reflect today’s market realities. The CFPB is considering a proposal that would generally treat a data broker’s sale of data regarding, for example, a consumer’s payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations. This would trigger requirements for ensuring accuracy and handling disputes of inaccurate information, as well as prohibit misuse.

A second proposal under consideration will address confusion around whether so called “credit header data” is a consumer report.”

Software Company CISO Notified of Pending SEC Charges 

SolarWinds, via a shared filing, stated that some of its current and former executives received a Wells notice from the SEC, indicating the SEC is planning to bring enforcement action against them, in connection with a 2020 data breach SolarWinds experienced. Notably, the June 23, 2023  filing names SolarWinds Chief Information Security Officer as receiving one of these notices. 

Amazon Agrees to Injunctive Relief and $25 Million Civil Penalty 

Amazon has agreed with the US Department of Justice (DOJ) and the Federal Trade Commission (FTC) to a permanent injunction and $25M penalty for the alleged violations of federal children’s privacy laws. The complaint filed in the U.S. District Court for the Western District of Washington alleged that Amazon violated the FTC Act, the Children’s Online Privacy Protection Act (COPPA), and the COPPA Rule with respect to Alexa and Alexa’s child-directed offerings. 

Digital Advertising Alliance (DAA) Issues Best Practices for Connected Device Privacy 

The DAA issued Best Practices for the Application of the DAA Self-Regulatory Principles of Transparency and Control to Connected Devices. These provide guidance for how to apply the DAA Principles, for companies that agree to comply with them, to connected devices like TVs, wearables, smart speakers, and other internet-connected devices. 

SEC Adopts New Cyber Reporting Rules

SEC has adopted updated rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies on July 26, 2023. The new rules include a required disclosure within four business days after a cybersecurity incident is determined to be material, and must be disclosed via new Item 1.05 of Form 8-K. There are also new rules, such as Regulation S-K Item 106 which requires businesses to describe processes for “assessing, identifying, and managing material risk from cybersecurity threats as well as material effects or reasonably likely material effects from cybersecurity threats AND previous cybersecurity incidents.”

Additionally, S-K Item 106 requires information describing board of directors’ oversight of risks associated with cybersecurity threats. These disclosures will be required on Form 10-K. These rules will become effective 30 days from the date of publication of the adopting release in the Federal Register.

NORTH & SOUTH AMERICA 

New Canada Employer Privacy Guidance 

The Office of the Privacy Commissioner of Canada (OPC) has released updated guidance related to Privacy in the Workplace, which includes general requirements for addressing employee privacy requirements and employee monitoring. This guidance applies where the employer is subject to federal privacy legislation (there are also provincial laws and regulations specific to this issue). 

EUROPE & UK 

US and UK Commit to “Data Bridge” Extension for Data Privacy Framework 

After more than two years of discussions, the United States (US) and the United Kingdom (UK) announced an agreement in principle to establish a “Data Bridge” between the two countries. The Data Bridge would be an extension of the EU-U.S. Data Privacy Framework and would allow organizations that meet certain criteria to participate. During the Inaugural Meeting of the U.S.-UK Comprehensive Dialogue on Technology and Data, officials from both governments noted their intent to finalize the Data Bridge in 2023. 

Spotify Fined €5 Million for Improper Response to Access Request 

Following a complaint from noyb (“none of your business”) and litigation over inactivity, the Swedish Data Protection Authority (IMY) has issued a fine of 58 Mln Swedish Crown (about €5 Million) against Spotify. 

Croatia DPA Fines Sports Betting Company €380,000 Under GDPR 

Croatia’s DPA, AZOP, fined a sports-betting company based on alleged GDPR violations including processing without any legal basis, failing to adequately inform data subjects about the processing, and failing to implement appropriate security measures. 

Denmark DPA Determines Facebook Business Tools Make Real Estate Website a Joint Controller with Meta 

Denmark’s DPA, Datatilsynet, found that Boligportal’s use of Facebook Business Tools made it a joint controller with Meta for impacted personal data. Datatilsynet also determined that, as co-controllers, the company and Meta did not sufficiently clearly define their roles and responsibilities, particularly regarding transfer of data outside the EU/EEA. As a result, Boligportal could not demonstrate compliance with GDPR and Datatilsynet ordered it to take corrective action. 

Denmark Considering Additional Data Protections for Individuals Aged 16 and Younger 

Denmark intends to pass legislation by the end of 2023 focused on protecting data of persons aged 16 and younger, potentially including data-minimization and age-verification measures. These initiatives have not been introduced yet but have the support of Denmark’s business minister. The proposed legislation would provide guidance on privacy in research, direct marketing and monitoring TV activities

EDPB Publishes Dispute-Resolution Guidelines for Supervisory Authorities 

The European Data Protection Board (EDPB) published General Data Protection Regulation (GDPR) dispute-resolution Guidelines 03/2021 governing disagreements amongst the lead supervisory authority (LSA) and cooperating supervisory authorities (CSAs) during an investigation of cross-border processing. The Guidelines address application of the relevant GDPR provisions and Rules of Procedure, emphasizing the EDPB’s competence to make a legally binding decision as to whether CSA objections are “relevant and reasoned” and whether an LSA is justified in nevertheless not following the objections. 

Guidelines for GDPR Administrative Fines 

The European Data Protection Board (EDPB) published Guidelines 04/2022 on the calculation of administrative fines under the General Data Protection Regulation (GDPR), harmonizing the methodologies that supervisory authorities use for the calculations. The Guidelines set forth five steps for arriving at a penalty: accounting for the “number of instances of sanctionable conduct,” the starting point for the fine calculation, “aggravating or mitigating factors,” maximum fine amount, and “requirements of effectiveness, dissuasiveness and proportionality.” 

EU AI Act Moves into Final Stages with New Prohibitions and Requirements 

The European Parliament has adopted the Artificial Intelligence Act in a plenary vote by an overwhelming majority, moving the Act into the final stages of the legislative process in the European Union (EU). 

  • Full Ban on Artificial Intelligence (AI) for Biometric Surveillance, Emotion Recognition, Predictive Policing: MEPs expanded the list of prohibited AI practices to include bans on intrusive and discriminatory uses of AI, such as: “real-time” remote biometric identification systems in publicly accessible spaces; “post” remote biometric identification systems, with the only exception for use by law enforcement for the prosecution of serious crimes and only after judicial authorization; biometric categorization systems using sensitive characteristics (e.g., gender, race, ethnicity, citizenship status, religion, political orientation); predictive policing systems (based on profiling, location, or past criminal behavior); emotion-recognition systems in law enforcement, border management, the workplace, and educational institutions; and untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases (violating human rights and the right to privacy). 

  • Social Media Recommender Systems and Election-Related AI Deemed High Risk: MEPs expanded the list of high-risk AI to include AI systems used to influence voters and the outcome of elections. Recommender systems used by social media platforms with over 45 million users were also added to the high-risk list. 

  • New General-Purpose AI Requirements: Foundation model providers (such as OpenAI, Stability, etc.) would have to assess and mitigate possible risks (to health, safety, fundamental rights, the environment, democracy, and rule of law) and register their models in the EU database before their release on the EU market. Generative AI systems built on foundation models like ChatGPT now face transparency requirements such as disclosing that the content was AI-generated and ensuring safeguards against generating illegal content. 

Finland DPA issues Google Analytics Data Transfer Decision 

After the invalidation of the EU-U.S. Privacy Shield Framework in July 2020, the Finnish Meteorological Institute continued to rely on Privacy Shield for data transfers. Finland’s Office of the Data Protection Ombudsman ordered the Meteorological Institute to halt EU-US data transfers using Google Analytics and Google’s reCAPTCHA. 

CNIL Fines Criteo €40M for GDPR Violations 

The Commission Nationale de l’Informatique et des Libertés (CNIL) has imposed an administrative fine on CRITEO SA “in the amount of €40,000,000 with regard to the breaches constituted in Articles 7, 12, 13, 15, 17 and 26 of the GDPR.” Criteo allegedly breached its duty to obtain adequate consent for processing, which is the only legal basis for the collection of personal information (PI) via cookies and/or online trackers under the ePrivacy directive, and its requirements for transparency under Articles 12 and 13. The CNIL also found that CRITEO breached Article 15 by providing only partial responses to access requests and because the responses did not provide data subjects with an explanation of the information they were provided (the information was not “intelligible” to the user). 

CNIL Raises Concern Over Worldcoin’s Biometric Data Collection 

Worldcoin, a cryptocurrency project launched by OpenAI’s Sam Altman, requires users to provide iris scans in exchange for digital IDs, and in certain countries, free cryptocurrency. France’s Data Protection Authority (DPA), the CNIL, has initiated an investigation into Worldcoin’s collection, use, and storage of biometric data; however, because the Bavarian DPA in Germany has jurisdiction, it is leading the investigation with CNIL’s support. 

Norway Consumer Council Releases Generative AI Risks Report 

The Norwegian Consumer Council published a report regarding Artificial Intelligence (AI). It covers the risks and harms posed to consumers using AI along with recommendations for consistent strategies and regulations to combat these risks. The recommendations include a call to action for enforcement agencies and new legislative measures among other things. 

Norway’s DPA Temporarily Bans Behavior-Based Marketing on Facebook and Instagram 

Meta was relying on Article 6(1)(b) (contractual obligation) and Article 6(1)(f) (legitimate interests) of the General Data Protection Regulation (GDPR) for its processing of personal data for behavioral advertising. Norway’s data protection authority (DPA), Datatilsynet, found that neither basis covered behavioral advertising. The ban lasts until November 3, 2023. 

Spain DPA Publishes Guidance on Data Accuracy and AI Systems 

Spain’s DPA, AEPD, published guidance emphasizing the importance of using accurate training and input data in implementing Artificial Intelligence (AI) systems. The guidance provides several recommendations to improve an AI system’s alignment with the principles in the General Data Protection Regulation (GDPR). 

Spain DPA Updates Guidance on Cookies 

Spain’s DPA, AEPD, updated its guidance on the use of cookies to adapt to the European Data Protection Board’s (EDPB) February 2023 guidance on deceptive patterns. The updated guidance focuses on how businesses offer users the choice to accept or reject different types of cookies. The AEPD will consider this update as binding on January 11, 2024. 

Spain DPA Finalizes Prohibitions on Unsolicited Commercial Calls  

Spain’s DPA, AEPD, announced the final prohibition on unsolicited commercial calls on June 28, 2023, one day before the prohibition takes effect. The prohibition has exceptions where an individual has given prior consent or when another legitimate basis applies under GDPR. Prior to this law taking effect, individuals could receive unsolicited commercial calls on an opt-out basis. 

Spain DPA Updates Resource for Evaluating Processing Risks 

Spain’s DPA, AEPD, launched a new version of its “Gestiona” tool, which enables small entities to keep a record of up to 500 processing activities, track potential risks of each activity, and identify where data protection impact assessments are required. Features in the new version include tool-recommended risk mitigations, internal organization privacy management, and data security management. 

IAPP Creates Comparison Guide for EU and UK SCCs, PRC Standard Contracts, and ASEAN MCCs 

The IAPP has created a key-features comparison of the European Union (EU) Standard Contractual Clauses (SCCs) and the U.K. International Data Transfer Addendum to the EU SCCs; People’s Republic of China (PRC) Standard Contract; and the Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses (MCCs). Key features of the comparison include applicability, fixed form, modules, data transfer and personal information protection impact assessments, data breaches, onward transfers, suspension of transfers, filing/retention requirements, governing law and forum, and supervisory authority. 

ASIA-PACIFIC, MIDDLE EAST & AFRICA 

Chinese Regulators (CAC) Publish Interim Measures on Generative AI 

The interim measures released by the Cyberspace Administration of China (CAC) govern the creation and use of generative Artificial Intelligence (AI) and touch on the topics of discrimination, intellectual property (IP) rights, and public safety and transparency, amongst others. The measures also include several specific requirements for generative AI service providers including obtaining consent of individuals when using personal information, entering into specific terms with users, transparency requirements, rules around marking generated AI content in line with other China regulations, and unique rules for when minors use an AI tool. Measures entered into effect on August 15th, 2023. 

New Privacy Law in India Likely Coming Late Summer 

India's new comprehensive privacy bill has received final approval from the Cabinet and will now be moving its way through Parliament late summer. Stay tuned and advise any clients with operations or customers in India to be prepared for potential new law. 

South Korean PIPC’s Publishes Evaluation Criteria for Personal Information Processing Policies 

The South Korean Personal Information Protection Commission (PIPC) published its evaluation criteria for personal information processing policies on June 21, 2023. In efforts to enhance accountability and transparency, the document is meant to establish standards and procedures for evaluating policies for the processing of personal information. 

President Tinubu Signs Data Protection Bill into Law 

Nigerian President Tinubu has signed the Nigeria Data Protection Act, 2023 into law. The Nigeria Data Protection Act provides a legal framework for the protection of personal information, and the practice of data protection in Nigeria. The Act mandates the establishment of a Commission with the authority to register major data controllers and processors, raise awareness, and penalize violations. A National Commissioner, appointed by the President, will manage daily operations, with a Governing Council responsible for policy direction. 

Data controllers must provide information to data subjects prior to collection, including their identity, lawful processing basis, data recipients, retention period, and the subjects’ right to lodge complaints. The Commission has the power to enforce compliance and issue orders, which can be subject to judicial review. Non-compliance is criminalized, with the possibility of fines, imprisonment, or damages sought by data subjects. 

The law outlines data processing principles, requiring it to be fair, lawful, transparent, and minimized. The burden of proof lies on the data controller to show consent was obtained. Data subjects can withdraw consent, with the controller obliged to stop processing unless they can demonstrate overriding public interest. Subjects have a right to access information regarding their personal data processing. Data controllers must report breaches to the Commission and, where high risk is likely, to the data subject. This Act signifies major progress in safeguarding privacy and promoting responsible data use. 

AUSTRALIA & NEW ZEALAND 

Australia’s Federal Court Fines Meta $17.9M (USD) for Collecting User Data Without Notice 

The Australian Competition and Consumer Commission (ACCC) brought a civil lawsuit against Meta under breach of breach of the Australian Consumer Law. The Federal Court found two subsidiaries of social media giant Meta, Facebook Israel and Onavo Inc, misled the public by failing to adequately disclose personal data would be used for purposes other than providing services from Onavo Protect (a free VPN), including for Meta’s commercial purposes. 

New Zealand OPC Releases Guidance 

The New Zealand Office of the Privacy Commissioner (OPC) released guidance to set expectations on the use of generative Artificial Intelligence (AI)I by New Zealand agencies and businesses, including the potential privacy risks and pre-implementation considerations. The OPC also released a report for New Zealanders on the five areas where their privacy is most at risk online. 

New Zealand Privacy Commissioner Recommends Two-Factor Authentication 

Deputy Privacy Commissioner of New Zealand, Liz MacPherson, recommends all business in New Zealand, large or small, implement two-factor authentication to project the personal information businesses hold. Businesses in New Zealand should expect to be found in breach of the Privacy Act if they have a cyber-related privacy breach and do not have, at least, two-factor authentication in place. Two-factor authentication can be as simple as a password, confirmed by a text message to a phone. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.