Privacy & Information Security Law Blog

On May 24, 2023, the UK Information Commissioner’s Office (“ICO”) announced it published new guidance for businesses and employers on responding to subject access requests (“SARs”). The right of access, commonly referred to as a subject access request, gives someone the right to request a copy of their personal information from organizations. The ICO received over 15,000 complaints related to SARs during April 2022 and March 2023.

On May 23, 2023, the UK Information Commissioner, John Edwards, delivered the opening remarks at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”). The Commissioner opened his speech by stating his “principal reason” for being present was to provide “reassurance” that he takes his “responsibility of protecting Europeans data in the United Kingdom very seriously” and “will continue to do so through the process of law reform, and beyond.” The Commissioner went on to discuss several points, including the following:

On May 17, 2023, the Federal Trade Commission issued a consumer alert regarding the Premom Ovulation Tracker app (“Premom”) sharing sensitive information with third parties without users’ permission. According to the alert, Premom is a free app that is marketed as an accurate fertility calendar, which can be used to assist users who are trying to become pregnant.

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

On May 3, 2023, New York Governor Kathy Hochul signed into law fiscal bill A.3007C/S.4007, which contains provisions prohibiting the establishment of a geofence around health care facilities.

On May 18, 2023, the Federal Trade Commission issued a policy statement on “Biometric Information and Section 5 of the Federal Trade Commission Act.”  The statement warns that the use of consumer biometric information and related technologies raises “significant concerns” regarding privacy, data security, and bias and discrimination, and makes clear the FTC’s commitment to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.

On May 17, 2023, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on facial recognition technologies in the area of law enforcement (the “Guidelines”). The Guidelines address lawmakers at the EU and EU Member State level, and law enforcement authorities and their officers implementing and using facial recognition technology. 

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

On May 16, 2023, the French Data Protection Authority (the “CNIL”) announced its action plan on artificial intelligence (the “AI Action Plan”). The AI Action Plan builds on prior work of the CNIL in the field of AI and consists of a series of activities the CNIL will undertake to support the deployment of AI systems that respect the privacy of individuals.

On May 4, 2023, the Biden-Harris Administration announced new actions to promote responsible American innovation in artificial intelligence (“AI”). The Administration also met with the CEOs of Alphabet, Anthropic, Microsoft and OpenAI as part of the Administration’s broader, ongoing effort to engage with advocates, companies, researchers, civil right organizations, not-for-profit organizations, communities, international partners, and others on critical AI issues. These efforts build upon the steps the Administration has taken so far, including the Blueprint for an AI Bill of Rights issued by the White House Office of Science and Technology Policy (“OSTP”) and the  AI Risk Management Framework released by the National Institute of Standards and Technology (“NIST”). The Administration is also actively working to address national security concerns raised by AI, especially in critical areas like cybersecurity, biosecurity and safety.