From JDSupra, David Anthony, Christopher Carlson, Noah DiPasquale, Molly DiRago, Robyn Lin, and Rachel Miklaszewski provide an update on privacy developments in June 2022. David, Christopher, Noah, Molly, Robyn, and Rachel write:
Editor’s Note: This past month featured increased activity in privacy and data protection.
U.S. Legislation and Regulation. Connecticut’s governor signed a comprehensive privacy bill, and President Biden has before him a bill that would improve information sharing among Tribal, state, and local governments about cybersecurity. The U.S. House of Representatives also passed a bill to support research on privacy-enhancing technologies and promote responsible data use (while the Government Accountability Office (GAO) criticized the Department of Defense’s (DOD) component agencies for lack of compliance with cybersecurity policies).
Industry. Business leaders joined to issue guidance to lawmakers and regulators on artificial intelligence and machine learning, and two federal judges called for further funding to combat cybersecurity threats and enhance courthouse safety. The Federal Trade Commission (FTC) announced further scrutiny of children’s educational technology.
U.S. Litigation and Enforcement. State attorneys general have announced a new Center on Cyber and Technology to enhance the technical capabilities of state AGs. Illinois continues to see privacy litigation, including one against the popular social media application Snapchat, and the Illinois Supreme Court heard oral arguments on the nature of BIPA damages. District courts continue to see class action privacy litigation, including class certifications for classes of consumers who experienced a data breach, and dismissal of another class alleging violation of the Driver’s Privacy Protection Act (DPPA).
International Regulation and Enforcement. Uber was fined €4.24M, the European Data Protection Board released guidelines on calculating GDPR fines, and the Canadian Office of the Privacy Commissioner has issued an interpretative guideline on the definition of “sensitive information.”
US Laws and Regulation
- Connecticut Governor Signs Comprehensive Privacy Bill. On May 10, Connecticut Gov. Ned Lamont signed an act concerning personal data privacy and online monitoring, making Connecticut the fifth state in the country to enact a comprehensive privacy regime. This legislation closely resembles the laws adopted in Virginia and Colorado, and will take effect on July 1, 2023. The Connecticut law does not include a private right of action and provides a temporary 60-day right to cure that sunsets on December 31, 2024. For more information click here.
- GAO Urges DOD To Do More To Protect Unclassified Information. Recent reports from the GAO show that none of the DOD’s component agencies are fully compliant with the cybersecurity policies for protecting controlled unclassified information (CUI). On average, the agencies are only 70% compliant with the policies, despite DOD regulations requiring 100% compliance. The DOD’s cybersecurity rules fall into three broad compliance requirements: (1) categorize systems containing CUI accurately and determine whether compromising those systems would have a low, moderate, or high impact on DOD operations; (2) implement specific levels of cybersecurity controls depending on the expected impact of a breach; and (3) determine whether systems that contain CUI have a valid authorization to operate on the DOD’s network and perform periodic risk assessments.
- Federal Judges Request $8.6B to Combat Cybersecurity Threats and Courthouse Safety. Two federal judges, Amy J. St. Eve and Roslynn R. Mauskopf, testified that a Judiciary budget of $8.6 billion is needed to keep pace with inflation and to pay for important new investments in courthouse security, IT modernization, and cybersecurity. According to the judges, the investment is needed for functionality purposes, but also to combat cyber threats and protect the safety of courthouses and judges. Judge Mauskopf additionally called for the passage of the Daniel Anderl Judicial Security and Privacy Act of 2021, which would prohibit the distribution of personal information that could put judges and their families at risk.
- Federal Trade Commission to Tackle Edtech Surveillance of Children. On May 19, the FTC adopted a new policy statement, announcing a crackdown on education technology companies that surveil children when they go online to learn. The statement warns that edtech providers must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA imposes data minimization requirements, use prohibitions, notice requirements, retention limitations, and security obligations. Companies that fail to follow COPPA could face potential civil penalties and new requirements and limitations on their business practices.
- New Cybersecurity Legislation Passes House. On May 17, the State and Local Government Cybersecurity Act of 2021 (S.2520) passed the House, and now awaits President Biden’s signature. The act would update the House Homeland Security Act and direct the Department of Homeland Security to improve information sharing and coordination with state, local, and Tribal governments. It would encourage federal cybersecurity experts to share information regarding cybersecurity threats, vulnerabilities, and breaches, as well as resources to prevent and recover from cyberattacks. The bill would also build on previous efforts by the Multi-State Information Sharing and Analysis Center (MS-ISAC) to prevent, protect, and respond to future cybersecurity incidents.
- Business Roundtable Issues Guidance to Regulators and Lawmakers on Artificial Intelligence and Machine Learning. At the start of the year, the Business Roundtable—a group of 230 CEOs from some of the largest companies in the world—developed guidance for policymakers who regulate Artificial Intelligence (AI) and Machine Learning (ML). This guidance aims to strike a balance between providing some governmental oversight while ensuring that new technology and innovation are not unduly curbed. Additionally, the Business Roundtable issued a set of core principles to encourage companies in this space to self-regulate. To read more on these recommendations, click here.
- Promoting Digital Privacy Technologies Act Passes House. On May 11, the Promoting Digital Privacy Technologies Act (H.R. 847) passed the House by a vote of 401-19. The act seeks “to support research on privacy-enhancing technologies and promote responsible data use.” Notably, this legislation would require the National Institute of Standards and Technology (NIST) director to work with private, public, and academic stakeholders to develop privacy-enhancing technologies and “voluntary, consensus-based technical standards, guidelines, methodologies, procedures, and processes” aimed at increasing the “integration of privacy-enhancing technologies in data collection, sharing, and analytics performed by the public and private sectors.” H.R. 847 now heads to the U.S. Senate Committee on Commerce, Science, and Transportation. For more information, click here.