Privacy Law Update: November 8, 2021
The European Commission has confirmed it will develop a supplemental set of standard contractual clauses to cover data transfers to data importers already subject to the EU General Data Protection Regulation. The confirmation appears in the minutes of the Sept. 14, 2021, European Data Protection Board meeting, where it discussed the upcoming EDPB guidelines on the interplay between Article 3 GDPR (on scope) and Chapter V (on data transfers). This announcement is a change in course for the EC. When the EC launched the 2021 SCCs this summer, Recital 7 stated they are unnecessary when the data processing by the data importer is already directly governed by GDPR. According to the EDPB meeting minutes, the EC will develop a set of additional SCCs specifically for these transfers, it can be inferred that the EDPB viewed the issue differently and that the EDPB considers such transfers still subject to the transfer rules (otherwise, no supplemental SCCs would be required for this situation).
From the disparities that online monitoring software can exacerbate among remote learners, to the harms teens are exposed to via dark patterns and algorithms, an increasingly complex batch of privacy problems revolve around the use of children’s data. Many of these problems surfaced in public last month when The Wall Street Journal published an investigative series entitled “The Facebook Files” that sought to document the “ill effects” of these platforms. According to one internal study leaked in the reports, about one in three (32%) teen girls who felt bad about their bodies said that using Instagram made them feel even worse. Sizeable minorities of teens, especially girls, also said social media compounded their struggles with problems such as anorexia, self-harm and suicidal thoughts.
Mark Zuckerberg’s pursuit of the metaverse, the reason behind Facebook’s rebranding as Meta, raises significant questions about data privacy in the next frontier of tech. A bit of genetics, a world of potential. Despite Facebook’s repeated data lapses over the years, Zuckerberg said during his company’s Connect event on Thursday that he’s taking a thoughtful approach to privacy as he attempts to build the immersive, virtual world for users known as the metaverse.
Facebook said it will shut down its face-recognition system and delete the faceprints of more than 1 billion people. “This change will represent one of the largest shifts in facial recognition usage in the technology’s history,” said a blog post Tuesday from Jerome Pesenti, vice president of artificial intelligence for Facebook’s new parent company, Meta. “Its removal will result in the deletion of more than a billion people’s individual facial recognition templates.”
Data privacy has become a top priority for businesses over the past few years. As penalties for improper data use and storage continue to escalate, the typical motivator for businesses has been to avoid the regulatory consequences of non-compliance. While this may be seen as a reasonable commercial approach, many businesses fail to realize that ensuring data privacy for consumers is not just a box to check off to mitigate the risk of financial consequences. The fact is, building trust with consumers by ensuring their privacy may just be your next greatest competitive advantage.
Starting in January of 2023, businesses subject to California Privacy Rights Act (CPRA) may be required to publish the retention periods for all categories of personal and sensitive information they collect, manage, store, share, or sell. CPRA Section 1798.100.
Sen. Catherine Cortez Masto (D-Nev.) is introducing legislation aimed at strengthening data privacy protections for American consumers. The Digital Accountability and Transparency to Advance Privacy Act would apply standards to all data collection, processing, storage and disclosure — including that it only be done for legitimate business or operational purposes. The legislation would also bar companies from using consumer data in discriminatory ways and from engaging in deceptive data practices.
China has recently joined the list of countries that have adopted the world’s strictest data-privacy laws. Given China’s desirability as both a market for and a source of data, companies worldwide have started making early efforts to mitigate the impact of these new requirements on their businesses. This client alert provides five concrete steps that an organization can take now that China’s new privacy law has become effective.
Whilst European and North American businesses are well accustomed to dealing with complex data protection legislation, businesses in the MENA region have by and large not had to consider the same in their local markets. From a Saudi standpoint, the recently published Personal Data Protection Law (published on 24 September 2021 and effective as of 23 March 2022 (“Effective Date”)) (“PDPL”) changes this, imposing national regulation of data protection on companies across the Kingdom.