On 6 October 2021, the European Parliament (“EP”) voted in favor of a resolution calling for a ban on the use of facial recognition technology (“FRT”) by law enforcement in public spaces. The resolution forms part of a non-legislative report on the use of artificial intelligence (“AI”) by the police and judicial authorities in criminal matters (“AI Report”) published by the EP’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) in July 2021. The AI Report will now be sent to the European Commission, which has three months to either (i) submit, or indicate that it will submit, a legislative proposal on the use of AI by the police and judicial authorities as set out in the AI Report; or (ii) if it chooses not to submit a proposal, explain why.
On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies. In a recent Inside Privacy blog post, our colleagues discussed SB 41 and the growing patchwork of state genetic privacy laws across the United States.
On 5 September 2021, the UAE announced plans to introduce a new federal data protection law (“UAE Data Law”) in the coming weeks, its first-ever comprehensive data privacy and protection law to be issued. The new law forms part of the UAE’s Projects of the 50, a set of economic and developmental initiatives designed to mark the country’s 50th anniversary, and launches the next phase of the UAE’s growth.
The UAE Data Law was developed in consultation with major technology companies. H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, has stated that “every single data law on the planet” was considered when drafting the new legislation. The new law aims to be a “global law” that will provide international companies with a smooth mechanism for cross-border transfers, as well as have a low cost of compliance for SMEs. Some aspects of the UAE Data Law will include:
- the right to be forgotten, the right of access, the right of correction, and the right to be informed, all of which are already included in EU GDPR, Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) data protection laws;
- consent obligations regarding marketing of data by companies seeking to monetize data;
- minimal restrictions on cross-border data flows, and few references to sensitive or restricted categories of data; and
- provisions for a new national data privacy regulator.
The UAE Data Law is likely to be issued before the end of November 2021, prior to the country’s 50th anniversary. Once enacted, the UAE Data Law might also provide an adequate level of protection for the purposes of data transfers from other regulated jurisdictions, including the DIFC and ADGM.
The UAE Data Law will not likely apply to data privacy and protection related to government data or health data, which will be covered by separate new or revised legal regimes.
We will continue to monitor these developments at Inside Privacy.
Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida, establishing four new crimes related to the unlawful use of another person’s DNA. While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections. A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies. While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections does not clearly cover all forms of genetic testing, including DTC genetic tests.
On 22 September 2021, the UK Government published its 10-year strategy on artificial intelligence (“AI”; the “UK AI Strategy”).
The UK AI Strategy has three main pillars: (1) investing and planning for the long-term requirements of the UK’s AI ecosystem; (2) supporting the transition to an AI-enabled economy across all sectors and regions of the UK; and (3) ensuring that the UK gets the national and international governance of AI technologies “right”.
The approach to AI regulation as set out in the UK AI Strategy is largely pro-innovation, in line with the UK Government’s Plan for Digital Regulation published in July 2021.
On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea. Once the Commission adopts the decision, it will allow personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.
The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR. In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.
Last week, the Ninth Circuit held in United States v. Wilson, No. 18-50440, 2021 WL 4270847, that a law enforcement officer violated a criminal defendant’s Fourth Amendment rights when he opened images attached to the defendant’s emails without a warrant, even though the images had previously been flagged as child sexual abuse materials (“CSAM”) by Google’s automated CSAM-detection software. The court based its ruling on the private search exception to the Fourth Amendment, which permits law enforcement to conduct a warrantless search only to the extent the search was previously conducted by a private party. Because no individual at Google actually opened and viewed the images flagged as CSAM, the court held that law enforcement “exceeded the scope of the antecedent private search,” thereby “exceed[ing] the limits of the private search exception.” Op. at 20-21.
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”). The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.
The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations. However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies. Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.
In conjunction with the Updated Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, which OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors. As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.
On September 29, 2021, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Protecting Consumer Privacy.” The hearing centered on strengthening consumer privacy rights, including by increasing the FTC’s resources and creating a comprehensive federal privacy law.
To explore these issues, the Committee invited David Vladeck, Professor and Faculty Director of the Center on Privacy and Technology at Georgetown Law and former Director of the FTC Bureau of Consumer Protection; Morgan Reed, President of The App Association; Maureen Ohlhausen, Partner and Section Chair (Antitrust & Competition Law) at Baker Botts and former Acting Chairman of the FTC; and Ashkan Soltani, Independent Researcher and Technologist and former Chief Technologist of the FTC.
In the putative privacy class action Hodges v. Comcast Cable Communications, LLC, involving Comcast’s privacy and data-collection practices, Comcast moved to compel arbitration based on its subscriber agreement. The district court denied the motion based on California’s McGill rule, which may invalidate arbitration agreements that purport to waive the right to seek public injunctive relief in any forum. On appeal, the Ninth Circuit narrowly defined “public injunctive relief,” limiting plaintiffs’ ability to use the McGill rule to circumvent arbitration agreements.