Privacy & Information Security Law Blog

On November 15, 2022, the Italian Supreme Court held that an Italian court or competent data protection authority has jurisdiction to issue a global delisting order. A delisting order requires a search engine to remove certain search results about individuals if the data subject’s privacy interests prevail over the general right to expression and information, and the economic interest of the search engine. The case was brought by an Italian individual, who requested a worldwide delisting order, concerning all versions of the search engine, due to potential damage to the applicant's professional interests outside of the European Union.

On November 30, 2022, the UK government confirmed that the Network and Information Systems (“NIS”) Regulations 2018 (“NIS Regulations”) will be strengthened to protect essential and digital services against cyber attacks. The changes bring providers of outsourced IT and managed service providers (“MSPs”) into scope of the NIS Regulations. The announcement comes in response to a public consultation held in January this year.

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released a draft of the agency’s Cross-Sector Cybersecurity Performance Goals (“CPGs”) for critical infrastructure in the United States. The CPGs provide a common set of fundamental cybersecurity practices to guide critical infrastructure entities in measuring and improving their cybersecurity maturity.  

On November 21, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth filed comments on the Federal Trade Commission’s Advanced Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and data security. The ANPR sought public comment on, among other things, whether the FTC should implement new rules addressing the ways in which companies collect, aggregate, protect, use, analyze and retain consumer data.

On November 25, 2022, the UK Information Commissioner’s Office (“ICO”) and the UK’s communications regulator, Ofcom, issued a joint statement setting out how they intend to work together to “ensure coherence between the data protection and the new online safety regimes.” The regulators noted that the statement is primarily intended for online service providers that are likely to be regulated under the online safety regime, but it also will be of interest to other stakeholders as an indication of their joint direction.

On November 9, 2022, the New York Department of Financial Services (NYDFS) released its second, proposed amendments to the Part 500 Cybersecurity Rule. The proposed amendments revise several aspects of the draft Cybersecurity Rule amendments released on July 29, 2022. These changes reflect several comments made in response to the draft Cybersecurity Rule to further clarify, strengthen and clarify various requirements, as highlighted below.

On November 23, 2022, the UK government’s Department for Digital, Culture, Media & Sport (“DCMS”) announced that it had completed its assessment of South Korea’s personal data legislation, and concluded that sufficiently strong privacy laws are in place to protect UK personal data transferred to South Korea while upholding the rights and protections of UK citizens.

As reported in the the Retail Industry Law Resource blog:

Plaintiff’s firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back user’s interactions on its websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which chat the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consent may be warranted.

Kochhar & Co. reports that, on November 18, 2022, the Government of India (“Government”) released the long-awaited fourth draft of India’s proposed privacy law, now renamed the Digital Personal Data Protection Bill.

Terms and Application

The draft law uses terminology similar to past versions: the data controller is called the “data fiduciary,” the data subject is called the “data principal,” and personal information is referred to as “personal data.” There is no separate category of sensitive personal data.   

On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered  financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

On November 14, 2022, Judge Edward J. Davila of the Northern District of California approved a $90 million privacy settlement against Meta Platforms, Inc. (formerly Facebook, Inc.) for unlawfully tracking user information when users were logged out of the site. Under the order granting plaintiffs’ motion for final approval of the class action settlement and attorney fees, Facebook must pay $90 million dollars in settlements, of which $26.1 million will be for attorney fees, and delete certain “wrongfully collected” data. Despite numerous objections that the settlement ...

On November 14, 2022, Google LLC (“Google”) agreed to a $391.5 million settlement with the attorneys general of 40 U.S. states over the company’s location tracking controls available in its user account settings.   

The investigation by the state attorneys general found that, between 2014 and 2020, Google misled users by failing to disclose that toggling the “Location History” setting to off did not disable all tracking activities. The settlement noted that Google retained the ability to track users’ location via the “Web & App Activity” setting, and used the information for targeted advertising purposes.

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.

On November 1, 2022, the Federal Trade Commission hosted their annual PrivacyCon 2022, which was available to the public via webcast. The FTC held seven different panels highlighting the latest research and trends in consumer privacy and data security.

On November 3, 2022, Pennsylvania Governor Tom Wolf signed Senate Bill 696 into law (the “Act”), amending Pennsylvania’s breach notification law. 

On October 31, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced that it will re-open the public comment period on their October 2021 Orders for six large technology companies operating payments platforms to provide information about their business practices. The October 2021 Orders requested that Amazon, Apple, Facebook, Google, PayPal and Square provide information about their data collection and use, their policies for removing individuals and businesses from their platforms, and their policies and practices for providing consumer protections such as addressing disputes and errors.

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

On October 25, 2022, the U.S. Department of Justice (“DOJ” or the “Department”) announced that Google had entered into an agreement to resolve a dispute over the loss of data responsive to a search warrant issued in 2016.

On November 3, 2022, the Federal Trade Commission announced a proposed order to settle an action against an internet phone service provider, Vonage, that would require Vonage to pay $100 million in refunds to customers harmed by its practices, which the FTC alleged included “dark patterns” that made it difficult for customers to cancel their service. The order also would require Vonage to not use dark patterns and provide a simple and transparent way for customers to cancel their service. 

SHIFT Counsellors at Law reports from Indonesia that The People’s Representative Council of the Republic of Indonesia has ratified Indonesia’s draft law on personal data protection. The draft law came into effect on October 17, 2022. The law, which is partly modeled on the EU General Data Protection Regulation, is Indonesia’s first “umbrella regulation” on personal data protection. The law will provide certain protections to Indonesian citizens’ data, and provide more legal certainty to parties processing such data.

Read SHIFT Counsellors’ article on the ...

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On  November 2, 2022, the ICO issued to the UK Department for Education (“DfE”) a formal reprimand following an investigation into the sharing of personal data stored on the Learning Records Service (“LRS”), a database which provides a record of pupils’ qualifications that the DfE has overall responsibility for. The investigation found that the DfE’s poor due diligence meant the LRS database was being used by Trust Systems Software UK Ltd (trading as Trustopia), a third party screening firm, to check whether people opening online gambling accounts were 18. Trustopia was found to have had access from September 2018 to January 2020, during which it performed over 20,000 searches on children whose personal data was in the LRS database.

On October 28-29, 2022, the California Privacy Protection Agency (“CPPA”) held a Board Meeting to discuss the modified proposed regulations promulgated for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), as well as the remainder of the rulemaking process. The CPPA previously released the modified proposed regulations on October 17, 2022.  

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 1, 2022, the Colorado Attorney General’s Office submitted an initial draft of the Colorado Privacy Act Rules (“CPA Rules”), which will implement and enforce the Colorado Privacy Act (“CPA”). The CPA Rules, which are currently about 38 pages, address many recent issues in state data privacy regulation, including data profiling, data protection, automated data processing, biometric data, universal opt-out mechanisms and individual data rights.

On October 18, 2022, the European Commission published a report, titled Information Frictions and Public Policies: Approaching the Regulation and Supervision of Decentralized Finance (“DeFi”) (the “Report”). The Report discusses the need to adapt existing policy frameworks to account for the change brought about by DeFi to the underlying information structure upon which financial services are provided. Unlike traditional finance, DeFi applications provide financial services based on blockchain technology, i.e., without requiring any intermediary agent and instead relying on automated protocols that are encoded in public digital contracts universally accessible and maintained by an open pool of pseudonymous miners.