Privacy & Information Security Law Blog

As previously posted in our Hunton Employment & Labor Perspectives blog, on January 10, 2023, the Equal Employment Opportunity Commission (“EEOC”) published a draft of its Strategic Enforcement Plan (“SEP”) in the Federal Register, which outlines the EEOC’s enforcement goals for the next four years. While the EEOC aims to target a number of new areas – such as underserved workers and pregnancy fairness in the workplace – it is notable that it listed as priority number one the elimination of barriers in recruitment and hiring caused or exacerbated by employers’ use of artificial intelligence (“AI”). 

On February 9, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the X-FAB Dresden case (C-453/21). In this decision, the CJEU clarified the criteria for assessing whether a conflict of interest exists between the Data Protection Officer (“DPO”) position, and other tasks or duties assigned to the DPO.

On February 10, 2023, the California Privacy Protection Agency (“CPPA”) issued an Invitation for Preliminary Comments on Proposed Rulemaking on cybersecurity audits, risk assessments and automated decisionmaking, topics that have not yet been addressed by the existing final draft CPRA Regulations.

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

On January 26, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth responded to a call for input from the UK’s Digital Regulation Cooperation Forum (DRCF) on its workplan for 2023 – 2024.

On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board unanimously approved for submission to California’s Office of Administrative Law (“OAL”) proposed final California Privacy Rights Act (“CPRA”) regulations released on January 31, 2023 which update the draft CPRA regulations released on November 3, 2022.

On February 2, 2023, the Illinois Supreme Court reversed in part and remanded a judgment of the lower appellate court in a class action lawsuit alleging violation of the Illinois Biometric Information Privacy Act (“BIPA”).

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

On January 26, 2023, the National Institute of Standards and Technology (“NIST”) released the Artificial Intelligence Risk Management Framework (“AI RMF 1.0”), which provides a set of guidelines for organizations that design, develop, deploy or use AI to manage its many risks and promote trustworthy and responsible use and development of AI systems.

On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).