Privacy & Information Security Law Blog

On June 23, 2022, Italy’s data protection authority (the “Garante”) determined that a website’s use of the audience measurement tool Google Analytics is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States, which does not offer an adequate level of data protection. In making this determination, the Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found use of the tool to be unlawful.

On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth in compliance with the HIPAA Privacy and Security Rules (the “Guidance”). Specifically, the Guidance clarifies how audio-only telehealth can be conducted after OCR’s Notification of Enforcement Discretion for Telehealth (the “Telehealth Notification”), put in place during the COVID-19 pandemic, is no longer in effect.

On June 21, 2022, the Colorado Attorney General’s Office announced it is seeking informal input from the public on its rulemaking related to the Colorado Privacy Act (“CPA”). Before starting its formal rulemaking process, the Office has indicated it wants to better “understand the community’s thoughts and concerns about data privacy.”

On June 16, 2022, the Federal Trade Commission issued a report to Congress titled Combatting Online Harms Through Innovation (the “Report”) that urges policymakers and other stakeholders to exercise “great caution” about relying on artificial intelligence (“AI”) to combat harmful online content.

On June 23, 2022, the U.S. House of Representatives Subcommittee on Consumer Protection and Commerce passed by voice vote H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”). This bipartisan legislation, sponsored by House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), committee Ranking Republican Cathy McMorris Rodgers (R-WA), subcommittee Chairman Jan Schakowsky (D-IL) and subcommittee Ranking Republican Gus Bilirakis (R-FL), is based on the bipartisan, bicameral “Three Corners” draft bill released on June 2, 2022 with the support of Pallone, Rodgers and Senate Commerce Committee Ranking Republican Roger Wicker (R-MS). 

On May 29, 2022, the Maryland legislature enacted House Bill 962, which amends Maryland’s Personal Information Protection Act (the “Act”). The amendments update and clarify various aspects of the Act, including, but not limited to, the timeframe for reporting a data breach affected individuals, and content requirements for providing notice to the Maryland Attorney General.

On June 16, 2022, Industry Minister François-Philippe Champagne and Justice Minister David Lametti introduced the Digital Charter Implementation Act, 2022 (Bill C-27), a bill that would overhaul Canada’s existing legal framework for personal information protection in the private sector. In the Canadian government’s news release, Industry Minister Champagne stated that Bill C-27, if enacted, will “give businesses clear rules to support their efforts to innovate with data and will introduce a new regulatory framework for the responsible development of artificial intelligence systems, while recognizing the need to protect young people and their information.” Bill C-27 is similar to former Bill C-11, which died in the 2021 legislative session. 

On June 10, 2022, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper entitled “Local Law Assessments and Online Services – Refining the Approach to Beneficial and Privacy-Protective Cross-Border Data Flows A: Case Study from British Columbia.” The paper discusses recent developments in British Columbia that demonstrated a recognition by law- and policy-makers of the importance of cross-border data flows to an efficient and effective public sector.

On June 3, 2022, the Federal Trade Commission announced it is seeking public comment on its 2013 guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (the “Guidance”). The FTC indicated that it is updating the Guidance to better protect consumers against online deceptive practices, particularly because some companies have interpreted the current version of Guidance to “justify practices that mislead consumers online.” For example, the FTC explains that companies have wrongfully claimed they can avoid FTC Act liability by placing required disclosures behind hyperlinks. The updated Guidance will address issues such as advertising on social media, in video games, in virtual reality environments, and on mobile devices and applications, as well as the use of dark patterns, manipulative user interface designs, multi-party selling arrangements, hyperlinks and online disclosures.

On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).

On April 29, 2022, the National Information Security Standardization Technical Committee of China issued a draft version of the Cybersecurity Standard Practice Guidelines – Technical Specification on Certification of Personal Information Cross-border Transfer Activities (the “Guidelines”). The public comment period for the Guidelines closed May 13, 2022. The Guidelines establish the basic requirements for personal information protection certifications, which are one of four cross-border transfer mechanisms permitted under Article 38 of China’s Personal Information Protection Law (“PIPL”).

On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines are intended  to harmonize the methodology supervisory authorities (“SAs”) use when calculating the amount of a GDPR fine and provide illustrative examples to help organizations understand the calculation method.

On May 16, 2022, the U.S. Department of State, U.S. Department of Treasury and the Federal Bureau of Investigation issued combined guidance (“IT Workers Advisory”) on efforts by North Korean nationals to secure freelance engagements as remote information technology (“IT”) workers by posing as non-North Korea nationals. The IT Workers Advisory provides employers with detailed information on how North Korean IT workers operate; highlights red flag indicators for companies hiring freelance developers and for freelance and payment platforms to identify these workers; and provides general mitigation measures for companies to better protect against inadvertently engaging these workers or facilitating the operations of the North Korean government (“DPRK”) in violation of U.S. sanctions.

On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.

On May 26, 2022, California Attorney General Rob Bonta issued a press release reminding health app providers that California’s Confidentiality of Medical Information Act (“CMIA”) applies to mobile apps that are designed to store medical information, which includes health apps such as fertility trackers. The press release reminds health app providers that the CMIA requires businesses to preserve the confidentiality of medical information and prohibits the disclosure of medical information without proper authorization. It also urges mobile app providers to adopt robust security and privacy measures to protect reproductive health information. According to the press release, this should include, at a minimum, “assess[ing] the risks associated with collecting and maintaining abortion-related information that could be leveraged against persons seeking to exercise their healthcare rights.”

On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity.

On June 1, 2022, Thailand’s Personal Data Protection Act (“PDPA”) entered into force after three years of delays. The PDPA, originally enacted in May 2019, provides for a one-year grace period, with the main operative provisions of the law originally set to come into force in 2020. Due to the COVID-19 pandemic, however, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022.