Global News Roundup: July 21–27, 2020

In this week’s global legislative roundup, the European Data Protection Board released FAQ guidance related to the Court of Justice of the European Union’s “Schrems II” decision and guidance for companies seeking to maintain the use of binding corporate rules as a data transfer mechanism following Brexit. IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, analyzed data protection authorities’ guidance released after the “Schrems II” ruling. The U.K. Information Commissioner’s Office released its 2019 annual review, as well as reports from its Regulatory Sandbox. In the U.S. Facebook agreed to a higher settlement in a case alleging violations of Illinois’ Biometric Information and Privacy Act, and California’s secretary of state released the draft copy of the Official Voter Information Guide, which includes information on the California Privacy Rights Act.

THE LATEST

The Australian Competition & Consumer Commission announced proceedings with the Federal Court of Australia alleging Google misled users into providing consent for the use of their personal information.
More

The European Data Protection Supervisor published its opinion on the European Commission’s outline for the prevention of money laundering and terrorism funding and stated data protection must be considered as the commission moves forward with its prevention and regulatory plan.
More

The U.S. Consumer Financial Protection Bureau announced its intentions to propose new rules for consumer-authorized access to financial data.
More

California Secretary of State Alex Padilla unveiled the draft copy of the Official Voter Information Guide for this November’s election, which includes, Proposition 24, which would clear the way for the California Privacy Rights Act.
More

ICYMI

Data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II� data transfer world. This IAPP Resource Center page collects DPA government guidance as it comes out.
More

In this piece for Privacy Tracker, IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, collected together and analyzed DPA guidance that has been released thus far after the “Schrems II” ruling.
More

The Turkish data protection, the KVKK, extended the Data Controllers’ Registry registration deadline to Sept. 30. In this piece for Privacy Tracker, ÖzdaÄŸistanli Ekici Attorney Partnership Managing Partner Burak ÖzdaÄŸistanli detailed registration requirements and procedures data controllers need to know before the deadline.
More

ENFORCEMENT

In an open letter to video teleconferencing companies on the Office of the Australian Information Commissioner’s website, data protection and privacy authorities from around the world stress companies’ responsibility to safeguard individuals’ personal information.
More

Colombia’s data protection authority, the Superintendencia de Industria y Comercio, issued a reminder that “express and informed authorization� must be obtained to process data through technologies like robocalls.
More

The European Data Protection Board released an FAQ with guidance related to the Court of Justice of the European Union’s ruling on the EU-U.S. Privacy Shield and standard contractual clauses.
More

The European Data Protection Board released an information note on the actions required of those organizations seeking to maintain the use of binding corporate rules as a data transfer mechanism following the U.K.‘s Brexit transition period.
More

The U.K. Information Commissioner’s Office announced the release of its 2019 annual report.
More

The first two reports from participants in the U.K. Information Commissioner’s Office Regulatory Sandbox have been published. 
More

The U.S. Department of Health and Human Services’ Office for Civil Rights announced a $25,000 settlement with Metropolitan Community Health Services over violations of the Health Insurance Portability and Accountability Act Security Rule.
More

The New York State Department of Financial Services charged First American Title Insurance over alleged data protection missteps that resulted in a 2019 data breach, The New York Times reports.
More

BRAZIL

Facebook is asking users’ permission to use certain types of personal data in Brazil as part of compliance with data protection regulations set to be enforced Aug. 14, ZDNet reports.
More

ASIA-PACIFIC

The Independent National Security Legislation Monitor released a 316-page report on Australia’s Telecommunications and Other Legislation Amendment Act 2018, dubbed the “anti-encryption” law, according to a blog post from Corrs Chambers Westgarth.
More

CANADA

British Columbia Information and Privacy Commissioner Michael McEvoy said Canadian companies should be aware of the “Schrems II� ruling and its implications, noting privacy laws should be examined, Tri-City News reports.
More

EUROPE

Germany‘s federal Constitutional Court in Karlsruhe ruled the Telecommunications Act unconstitutional as it violates citizens’ rights to phone and internet privacy.
More

Four Uber drivers in the U.K. filed a lawsuit seeking to access Uber’s algorithms through the EU General Data Protection Regulation, Vice reports.
More

US

U.S. District Court Judge James Donato seems inclined to approve a $650 million Facebook settlement over alleged violations of Illinois‘ Biometric Privacy Information Act, a $100 million increase over an initially proposed figure, MediaPost reports.
More

A U.S. district court judge dismissed a lawsuit against Alabama’s Sarrell Regional Dental Center for Public Health over a 2019 ransomware attack that affected more than 391,000 patients, ruling there is no evidence data was misused, GovInfoSecurity reports.
More

Loews Chicago Hotel reached a $1.05 million settlement with a former employee in Illinois over claims the company unlawfully collected, stored and used workers’ biometric data.
More

The New York State Legislature approved a bill placing a moratorium on the use of facial recognition in schools across the state until 2022, VentureBeat reports.
More