We’ve noticed that people seemed more determined than usual this year to really unplug during their vacations. That was no doubt a healthy reaction to months of pandemic-related stress. For those who took some true summer downtime, and anyone else who’d find a roundup useful – here are some quick notes on how the world of data strategy and security marched on over the last month or so:
- CCPA B2B, HR Exemptions Extended: The California legislature has just passed a bill that would extend, for another year, the business to business and human resources exemptions to the California Consumer Privacy Act (CCPA). Businesses have been depending on these exemptions to omit B2B and HR data from their CCPA compliance programs – and fretting about their imminent sunset on January 1, 2021. If Governor Gavin Newsom signs the bill, the exemptions will sunset instead on January 1, 2022 – subject to possible further extension.
- CCPA Regulations Finalized with Last-Minute Changes: The final version of the California Attorney General’s regulations under CCPA took effect. A few provisions present in the last draft of the regulations were withdrawn at the last minute. Although the Attorney General made no public comment about why, the changes seem to be a move in a business-friendly direction. Among other changes, the final version eliminates the previously proposed requirements that (1) a business would need explicit consent from a consumer to use their personal information for a materially different purpose than was stated in the notice of collection; (2) businesses that substantially interact with consumers offline would have to provide notice to consumers via an offline method; and (3) a business’s methods for submitting requests to opt out would have to entail minimal steps for consumers and not be designed to subvert or impair the opt-out right.
- Collection of Metadata Held To Violate FISA: In a long-awaited decision, the Ninth Circuit U.S. Court of Appeals ruled that the U.S. government’s mass collection of telephony metadata was a violation of the Foreign Intelligence Surveillance Act, or FISA. This collection is the program that Edward Snowden disclosed to the world in 2013. The Court came close to saying, but did not ultimately rule, that the collection program was also a constitutional violation. These legal views from the court offered little comfort to the individual defendant-appellants, as the court upheld their convictions for sending, or conspiring to send, funds to Somalia to support a terrorist organization. The Court ruled that the FISA violation, and the potential constitutional violation, did not cause prejudice to the defendants.
- Facial Recognition Used In TSA’s New Self-Service Check-In: In the latest example of how COVID-19 is pushing the boundaries of technology and privacy, the U.S. Transportation Security Administration has just launched a new program that allows airline passengers themselves (not a TSA employee) to scan their photo IDs, while a machine photographs them and uses facial recognition to match the ID to the photo. Anticipating data privacy and security concerns, the TSA maintains that it does not store the photos and in fact “there is no capacity to do so.”
- Data Breach Class Action Filed Against Blackbaud in SC: The latest high-profile defendant in a post-data-breach class action is Blackbaud, the company that provides services to many nonprofits. When Blackbaud experienced a ransomware attack and data breach, many of the organizations it serves – prominent museums, healthcare organizations, universities, and other charitable entities – found themselves issuing breach notifications and otherwise responding to the incident. The class action complaint is brought on behalf of a purported class of individuals whose information was compromised, including nonprofit donors. The complaint alleges, in particular, that Blackbaud did not adequately prepare for ransomware attacks. The complaint also asserts that class members’ data remains at risk, despite Blackbaud having paid the ransom and publicly stated its view that it now believes the compromised data to be secure.
- Claire’s Faces Data Breach Class Action: The retailer Claire’s – familiar to anyone whose tween daughter ever got her ears pierced at the mall – likewise faces a new class action complaint in Illinois state court. Plaintiffs allege a failure to meet the increasingly well-settled “reasonable security” legal standard. Claire’s previously disclosed a breach in which malware lifted customers’ personal data out of its systems during the online checkout process.
- NIST Promotes Standards for “Explainable” AI: The National Institute of Standards and Technology (NIST) issued its draft white paper, Four Principles of Explainable Artificial Intelligence. In a nutshell, NIST proposes that (1) systems using AI should provide evidence or reasons for their outputs; (2) explanations should be meaningful to their recipients; (3) explanations should be accurate; and (4) systems should not give outputs in circumstances that go beyond the system’s design or authorization, or where confidence in the output is otherwise lacking. Given NIST’s stature as creator of the highly influential Cybersecurity Framework, this paper has the potential to stand out in the sea of AI discussion documents and drive the development of law and regulation. NIST remains open for public comment on the paper until October 15.
- FTC “Tidies Up” COPPA FAQs: The U.S. Federal Trade Commission Marie Kondo’d its FAQs under the Children’s Online Privacy Protection Act, or COPPA. The newly “decluttered” FAQs clear out dated references to the no-longer-new COPPA regulations. The new FAQs incorporate FTC guidance on newer technologies like the Internet of Things, modern-day enforcement actions such as the $170 million penalty imposed last year against YouTube, and the latest approved methods for obtaining verifiable parental consent.
- Schrems II aftershocks continue: The European Data Protection Board announced that a new task force would investigate the more than 100 complaints filed against data controllers since the Schrems II ruling that invalidated Privacy Shield and cast doubt on Standard Contractual Clauses. Keep an eye out tomorrow for a post with our monthly roundup of key EU developments.
- Brazil’s new data protection law takes effect: Brazil’s new privacy law, the LGPD, went suddenly from pending to imminently in effect, after a series of parliamentary maneuvers cleared away a presidential effort to delay the law. As we have previously reported, the LGPD is closely modeled on the GDPR.
- Egypt’s new data protection law published: Egypt published its new data protection law in the Official Gazette, setting the law on track to take effect in October. Like the LGPD, the law is clearly modeled on the GDPR. Key features include the controller-processor framework; obligations of controllers to rely on statutory legal grounds, such as consent or legitimate interest, to support acts of data processing; data subjects’ rights of access and rectification; limitations on cross-border transfer; and 72-hour breach notification. Going beyond the GDPR, Egypt is establishing a new national data protection center that will issue licenses for the processing of personal data.
- India launches proposal to regulate non-personal data: A committee formed by the government of India launched a proposal to extensively regulate non-personal data. Under the proposal, foreign companies would have to share non-personal data with the government and even with Indian competitors. “Critical” and “sensitive” non-personal data would be subject to new data localization requirements. Other proposed requirements would include obtaining consent to process anonymized data. At last report, a coalition of U.S. business interests was organizing to oppose the proposal.
Readers may also be interested in our August posts on Artificial Intelligence and Consumer Protection Risks; Updating the Safeguards Rule; Cybersecurity Requirements for Insurance Companies; The UK School Algorithm Debacle: 5 Lessons for Corporate AI Programs; Are Antitrust and Data Protection Rules Converging?; and Schrems II: Where Are We Now?
Welcome back to work!