Privacy & Information Security Law Blog

On September 29 and 30, 2021, the U.S. Senate Committee on Commerce, Science and Transportation convened hearings on how to better protect consumer and children’s privacy.

On September 27, 2021, the transition period allowing companies to continue using the old EU Standard Contractual Clauses (“SCCs”) for new transfers from the EU to a third country ended. Companies entering into new transfer agreements incorporating the SCCs must now use those published by the European Commission on June 4, 2021 (the “new SCCs”). Transfers from the UK that rely on SCCs must continue to use the old SCCs.

On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s (“DHS’s”) issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (the “Preliminary Goals”). As we previously reported, on July 28, 2021, the Biden Administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (the “Memo”), which instructed DHS to lead the development of cybersecurity performance goals for critical infrastructure firms. The Memo described the initiative as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

On September 27, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea (the “Opinion”).

On September 27, 2021, the European Data Protection Board (the “EDPB”) announced that it established a taskforce to coordinate the response to complaints filed with several EU data protection authorities (“DPAs”) by the non-governmental organization None of Your Business (“NOYB”) in relation to cookie banners.

On October 1, 2021, Connecticut’s two new data security laws become effective. As we previously reported, the new laws modify Connecticut’s existing breach notification requirements and establish a safe harbor from certain Connecticut Superior Court assessed damages for businesses that create and maintain a written cybersecurity program.

On September 14 and 15, 2021, the National Institute of Standards and Technology (“NIST”) held a public workshop, as part of its effort to create a consumer labeling program to communicate the security capabilities of consumer Internet of Things (“IoT”) devices and software development practices, as mandated by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. NIST, in coordination with the Federal Trade Commission  and other agencies, must identify the criteria and components of such a labeling program by February 6, 2022.

On September 22, 2021, the California Privacy Protection Agency (“CPPA” or “Agency”) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020 (“CPRA”). The CPPA was established by the CPRA, which vested the Agency with full administrative power, authority and jurisdiction to implement and enforce the CCPA. The Agency’s responsibilities include updating existing regulations and adopting new regulations.

On September 17, 2021, in Tims v. Black Horse Carriers Inc., Ill. App. Ct., 1st Dist., No. 1-20-563, the Illinois Appellate Court, in a case of first impression at the appellate level, addressed the statute of limitations under the state’s Biometric Information Privacy Act (“BIPA”), holding that a five-year period applies to BIPA claims that allege the failure to (1) provide notice of the collection of biometric data, (2) take care in storing or transmitting biometric data, or (3) develop a publicly-available retention and destruction schedule for biometric data. The Court also held that a one-year period applies to claims alleging the improper disclosure of, or improper sale, lease, trade or profit from, biometric data.

On September 22, 2021, the Canadian province of Quebec enacted a new privacy law, which will impose obligations beyond what is currently required under Canada’s federal privacy law. Most of the new law’s requirements will take effect in September 2023, but some will take effect earlier (in 2022) or later (2024).