On July 22, 2021, the Irish Joint Committee on Justice (“Committee”) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC”). The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here). The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR”).
Yesterday, Rep. Kathy Castor (D-FL) introduced an updated version of the “Protecting the Information of our Vulnerable Children and Youth Act” (Kids PRIVCY Act), which would make broad changes to the Children’s Online Privacy Protection Act (COPPA). Rep. Castor introduced a similar bill in early 2020, but it stalled alongside other proposals to overhaul the federal children’s privacy law last year.
On July 7, 2021, the European Data Protection Board (“EDPB”) published draft guidelines on codes of conduct for personal data transfers for consultation. These guidelines complement the EDPB’s earlier guidelines on codes of conduct and monitoring bodies. Interested parties have until October 1, 2021 to respond to the consultation.
The guidelines focus on the requirements for a code of conduct to be approved as a legal mechanism for transferring personal data outside the European Economic Area (“EEA”) to third countries that do not provide an adequate level of data protection. They emphasize that such a code of conduct can be used to cover multiple transfers between companies belonging to the same sector and/or carrying out similar processing activities.
In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation. As we recently covered on May 12, President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems. On the Hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.
Last year, Apple’s iOS 14 incorporated a new feature notifying users when an app copied from the iPhone’s clipboard. The feature resulted in media scrutiny for a number of well-known apps, some of which faced putative class action lawsuits as a result. A court in the Eastern District of California recently dismissed one such suit, Mastel v. Miniclip SA, No. 2:21-cv-00124 (E.D. Cal.). In that decision, the court rejected a broad interpretation of telephone “instrument” under the California Invasion of Privacy Act (“CIPA”), concluding that non-telephonic smartphone functionality does not constitute a telephone instrument.
Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.
Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.
At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:
On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.
Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data). The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.
With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.
Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19. This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)). This category is subject to more stringent data protection measures due to the sensitive and personal nature of the data, and can only be processed in very limited circumstances (Art. 9(2)).
In a new post on the Covington Digital Health blog, our colleagues discuss proposed legislation that would expand the definition of “provider of health care” under California’s Confidentiality of Medical Information Act (“CMIA”).
South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”). The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA). In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.