We are pleased to provide you with our law firm partners newsletter for March, 2023. The most important developments in privacy come from the legislatures of certain states such as New York and West Virginia that have proposed new privacy bills, as well as Australia, which proposed multiple amendments to the Australia Privacy Act 1988 (see below). In addition, it appears that there is some opposition to the EU-US data transfers framework, which you can read more about below as well. We hope that you find this newsletter helpful for staying up to date with the myriad changes in the privacy field.
What’s new in privacy?
Below is some of the most notable privacy news from this month:
Privacy in the State of the Union Address. Much has been written about the mentions of privacy in President Biden’s State of the Union address. Highlighting the need for both regulation and enforcement in hot-topic data privacy issues, he focused on children’s privacy and online mental health, as well as Big Tech, data minimization, algorithmic transparency and health data. The volume and breadth of privacy topics in the speech far exceed those of his predecessors, perhaps signaling a shift in priorities. Read the official speech here, the fact sheet here and commentary by Wired here.
Executive Order and FTC Shakeup. Perhaps following up on the State of the Union address, agencies received instructions from the White House, and the FTC underwent some restructuring. President Biden issued an executive order directing federal agencies to address algorithmic discrimination. He renominated FTC Commissioner Rebecca Kelly Slaughter for another term, while FTC Commissioner Christine Wilson, the agency’s sole Republican commissioner, resigned. Finally, FTC Chair Lina Khan announced the creation of an Office of Technology, to be led by Chief Technology Officer Stephanie Nguyen. Read more about the executive order here, Commissioner Slaughter’s renomination here, Commissioner Wilson’s resignation here, and the Office of Technology here.
MEP Opposition to the EU-US Data Privacy Framework. The European Parliament Committee on Civil Liberties, Justice and Home Affairs issued a draft resolution discouraging the Commission from finding adequacy for the US under the EU-US Data Privacy Framework. Holding that the agreement fails to create “actual equivalence” in the level of privacy protections, the Committee took issue with the relevant executive order’s scope and reversibility, as well as the lack of a federal data privacy law in the US, the breadth of US state surveillance and the limitations of available remedies. Read the full release here. Notably, the US Supreme Court recently declined to review Wikimedia’s case against the NSA “upstream surveillance” program, which is covered more extensively here.
European Commission Bans TikTok on Corporate Devices, Canada Investigates TikTok. Citing data protection concerns, the European Commission has banned TikTok from corporate devices, with its IT service asking employees to uninstall the app from corporate devices and from personal devices that use corporate apps. The same week, Canada’s privacy authorities announced an investigation into TikTok’s privacy practices, especially as they relate to children’s data. More on the Commission ban here and Canada’s investigation here.
Australian Privacy Act Reform. Australia’s Attorney-General released its highly anticipated Privacy Act Review Report, seen as a key step in its privacy law reform. The report includes 116 recommendations acquired from stakeholders over a two-year period of review of the 1988 Privacy Act. Public comments are accepted until March 31. The report can be found here and some commentary here.
Norwegian DPA finds that Google Analytics is not compliant. Norway’s Data Protection Authority issued a preliminary conclusion ruling that Google Analytics breaches GDPR’s data transfer rules. The formal decision will come at the end of April but the DPA states that companies should seek alternatives to Google Analytics. Learn more here.
US Marshals Service hit with ransomware attack. The US Marshals Service recently confirmed that it was subject to a ransomware attack that compromised sensitive information. The attack occurred on a server, which was taken off its network after the ransomware was discovered. The attack did not target the Witness Security Program databases but certain other sensitive information such as PII relating to employees and subjects of investigations was accessed. Learn more here.
Researchers uncover ChatGPT Android malware and phishing campaigns. Cybersecurity firm Cyble found phishing websites containing malware that are spread via a spoofed social media page for ChatGPT and OpenAI. Other phishing sites posed as payment portals for users to pay for ChatGPT services in order to steal credit card information. Read more here.
CPPA to hold board meeting. The California Privacy Protection Agency will hold a board meeting on March 3. The agenda will focus on the first draft of CPRA regulations, the annual budget, agency priorities and the second CPRA rulemaking procedure. Learn more here.
What privacy bills are we tracking?
As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.
- Hawaii – HI SB1110/HB1497;
- Hawaii – HI SB 974;
- Illinois – IL HB3385;
- Indiana – IN SB5;
- Indiana – IN HB 1554;
- Iowa – IA House File 2506;
- Iowa – IA House Study Bill 12;
- Kentucky – KY S 15;
- Maryland – MD HB807;
- Massachusetts – MA HD2281/SB745;
- Massachusetts – MA HD3263/SD1971;
- Mississippi – MS SB 2080;
- Minnesota – MN SF950;
- Montana – MT DB1086;
- New Hampshire – NH SB255;
- New York – NY S2277;
- New York – NY SB365;
- New York – NY SB3162;
- New York – NY AB4374;
- New Jersey – NJ S 332;
- New Jersey – NJ A505;
- New Jersey – NJ A 1971;
- Oklahoma – OK HB1030;
- Tennessee – TN SB73;
- Washington – WA HB1616;
- West Virginia – WV HB3453;
- Vermont – VT HB121
Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:
- 2023 Antitrust Spring Meeting – March 29 – March 31;
- Cross-Border Institute: The Intersection of Global Discovery, Privacy and Data Security – July 20 – July 21;
- Body Worn Video and Privacy in Nova Scotia – March 2;
- What In-House Counsel Should Know About BIPA – March 9.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.