More Privacy, Please – November 2022 | Troutman Pepper

[co-author: Jenny Ji]*

Editor’s note: The California Privacy Protection Agency has released amendments to its draft regulations, and the Consumer Financial Protection Bureau is considering rules for sharing financial information. In a US court case, the first jury trial of the Biometric Information Privacy Act was held in Illinois, and the Third Circuit provided further guidance on data breach litigation. In international news, the French Data Protection Authority has fined Clearview AI for personal data collection violations.


US Laws and Regulations

  • The CPPA publishes updates to the draft regulations. On November 3, the California Privacy Protection Agency (CPPA) released a draft of the updated regulations and opened a 15-day comment period that will run until November 21. The draft includes five factors for businesses to consider when determining whether the collection of personal data is appropriate in light of the reasonable expectation of the average consumer. When the final regulations will be published remains unclear.

  • CFPB Publishes Proposed Draft Rules Regarding Personal Financial Information Rights. On October 27, the Consumer Financial Protection Bureau (CFPB) released a draft of the proposals and alternatives under consideration. Under the plan, consumers can easily share personal financial information with third-party fintechs. Once shared, these aggregators and other companies must protect this confidential personal information. The plan also addresses data security requirements.

  • White House Releases AI Bill of Rights. On October 4, the White House Office of Science and Technology Policy released the “AI Draft Bill of Rights” to “help guide the design, use, and deployment of automated systems to protect the rights of the American public in the modern era.” The non-binding white paper calls for greater AI transparency, accountability and privacy to address concerns that automated systems could replicate or deepen existing inequalities in society. Specifically, the plan proposes five main principles that should be built into AI technology: safe and effective systems, algorithmic discrimination protection, data privacy, notice and explanations, and alternative options. Although the White House’s plan is not binding, it shows a strong interest in regulating AI technology.

US Judiciary and Enforcement

  • The Third Circuit Court of Appeals offers additional guidance on how to proceed with a class action. In Clemens v. ExecuPharm, Inc., the Third Circuit recently analyzed and applied the Supreme Court’s TransUnion LLC v. Ramirez decision on standing in the context of a data breach class action. Clemens held that a plaintiff should pursue contract and tort claims based on his increased risk of future harm arising from the known misuse of his personal information by a specific threat actor. The Third Circuit’s decision is notable not only because it improves upon the Court’s previous precedent, Reilly v. Ceridian Corp., but also because it complements Article III’s requirement that the actual harm be both imminent and specific to grant standing.

  • BNSF Fails First Biometric Privacy Test. On October 12, the federal jury in Rogers v. BNSF Railway Co. found that defendant BNSF negligently or knowingly violated the Illinois Biometric Information Privacy Act (BIPA), resulting in a $228 million judgment. The jury deliberated for about an hour and found that BNSF unlawfully scanned the fingerprints of the plaintiff and more than 44,000 truck drivers for the purpose of identity verification without written authorization or notice when the individuals entered BNSF rail yards. BNSF successfully raised the defense of strict liability, arguing that because the third-party vendor processed driver fingerprints at Illinois railroad gates and was the only party collecting the driver fingerprints, the third-party vendor violated BIPA instead of BNSF. Rogers is an important case for biometric privacy law because it (1) is the first BIPA case to go to trial; (2) indicates that companies can be held liable for violations of BIPA under a theory of strict liability; (3) emphasizes the urgency for companies and employers to comply with BIPA and to confirm that vendors and other third parties they hire are in compliance with BIPA; and (4) serves as a reminder that negligent or intentional infringers will face higher damages.

  • Ancestry.com cannot arbitrate claims by minors. On Sept. 30, an Illinois federal judge ruled that popular genetic testing site Ancestry.com cannot arbitrate lawsuits filed by minors alleging Ancestry.com shared their information with third parties. The primary basis for the ruling was that the minors did not have direct accounts with Ancestry.com and therefore never agreed to its terms and conditions. Because minors never agreed to Ancestry.com’s terms and conditions, they were not bound by its arbitration clause.

  • A federal court in Washington found that Illinois’ BIPA is not extraterritorially applicable. On Oct. 17, the U.S. District Court for the Western District of Washington granted summary judgment, ending two related class actions alleging that tech companies violated BIPA by using data sets containing geometric facial scans of the plaintiffs without their permission. The court held that the statute did not apply extraterritorially to conduct outside Illinois and that plaintiffs had failed to meet their burden of establishing that the relevant conduct occurred “primarily and substantially” in Illinois.

International Regulation and Implementation

  • Dutch employee who refused webcam monitoring awarded €75,000 for wrongful termination. On September 28, a Dutch court awarded an employee €75,000 for wrongful dismissal after he was fired for refusing to activate his webcam during the workday. The Dutch court disagreed with the US company’s grounds for termination of “reluctance to work” and “insubordination” and instead found the company’s requirement that he use his webcam throughout the work day unlawful. In particular, the Dutch court ruled that the company’s webcam surveillance practice was inconsistent with respect for workers’ privacy and violated Article 8 of the European Convention on Human Rights.

  • France fines Clearview AI 20 million euros for breaching GDPR. The French data protection authority “CNIL” found that facial recognition company Clearview AI illegally collected millions of photos of French residents in violation of the European Union’s General Data Protection Regulation (GDPR). The CNIL described Clearview AI’s violations as (1) unlawful processing of personal data because there is no legal basis for the collection and use of biometric data (Article 6); (2) failure to respect the rights of individuals, such as ineffective response to data requests (Articles 12, 15, 17); and (3) lack of cooperation with the CNIL (Article 31). After Clearview AI failed to respond to the CNIL’s official notification in 2021, the CNIL imposed a fine of 20 million euros – the maximum financial penalty allowed under Article 83. In addition, the CNIL ordered the company to cease collecting personal data of French residents without legal grounds and to delete the personal information of individuals that has been illegally collected, within two months. Furthermore, the CNIL warned Clearview AI that the company has two months to make changes to its photo collection behavior or face an additional fine of €100,000 per day until compliance.

  • Global Privacy Assembly adopts the CPPA. On October 27, the Global Privacy Assembly voted to adopt the CPPA as a full voting member. Founded in 1979 to promote privacy by facilitating cooperation and information sharing among privacy authorities around the world, the Global Privacy Assembly is made up of more than 130 data protection and privacy authorities around the world. The first US voting member recognized by the Global Privacy Assembly was the FTC.

*Jenny Ji is not licensed to practice law in any jurisdiction; application for admission to the California Bar is pending.
