Privacy & Information Security Law Blog

Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.

On December 20, 2021, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its regulatory approach. The consultation involves three separate documents – the ICO’s Regulatory Action Policy (“RAP”), Statutory Guidance on the ICO’s Regulatory Action, and Statutory Guidance on the ICO’s PECR Powers. The RAP sets forth the ICO’s risk-based approach to regulatory action and explains the factors the ICO considers before taking regulatory action, how the ICO works with other regulators, and enforces the legislation for which it is responsible. Together, the three documents illustrate how the ICO aims to enforce information rights for data subjects in the UK.

On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.

On December 15, 2021, the European Parliament adopted its position on the proposal for a Digital Markets Act (“DMA”), ahead of negotiations with the Council of the European Union.

The DMA introduces new rules for certain core platforms services acting as “gatekeepers,” (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services) in the digital sector and aims to prevent them from imposing unfair conditions on businesses and consumers and to ensure the openness of important digital services.

On December 17, 2021, the European Commission announced that it had adopted its adequacy decision on the Republic of Korea. The adequacy decision allows for the free flow of personal data between the EU and Korea, without any further need for authorization or additional transfer tool. The adequacy decision also covers transfers of personal data between public authorities.

On December 15, 2021, the Federal Trade Commission announced a $2 million settlement with OpenX Technologies (“OpenX”) in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) and the FTC Act. According to the FTC’s complaint, OpenX knowingly collected personal information from children under age 13 without parental consent, and collected geolocation data from users of all ages who opted out of being tracked.

Last month, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on Reforms to the Data Protection Regime (the “Response”). The Response also reflects views gathered from CIPL members during two industry roundtables organized in collaboration with DCMS to obtain feedback on the reform proposals. Key takeaways from the Response include the following:

On December 6, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP published a white paper on “Bridging the DMA and the GDPR – Comments by the Centre for Information Policy Leadership on the Data Protection Implications of the Draft Digital Markets Act” (the “White Paper”).

On November 10, 2021, the New York City Council passed a bill prohibiting employers and employment agencies from using automated employment decision tools to screen candidates or employees, unless a bias audit has been conducted prior to deploying the tool (the “Bill”).

On  November 27, 2021, the UAE Cabinet Office enacted its first federal Personal Data Protection Law (Federal Decree Law No. 45 of 2021, the “UAE Data Protection Law”). The UAE Data Protection Law will come into force on January 2, 2022.