Privacy & Information Security Law Blog

This week, the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications (the “Minister”) announced that the UAE would introduce a new federal data protection law (“Data Protection Law”), the first federal law of its kind in the UAE. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.

On September 1, 2021, the Federal Trade Commission banned Support King, LLC, the operator of SpyFone.com (“SpyFone”), and its CEO, Scott Zuckerman, from offering, promoting, selling or advertising any surveillance app, service or business. The FTC alleged SpyFone allowed purchasers to illegally surveil other individuals by surreptitiously monitoring a device user’s activity without the device user’s knowledge. The FTC also alleged that SpyFone failed to safeguard such illegally harvested personal information by failing to put in place basic security measures.

On August 27, 2021, the Federal Data Protection and Information Commissioner (“Swiss DPA”) announced that the new EU Standard Contractual Clauses (the “SCCs”) may be relied on to legitimize transfers of personal data from Switzerland to countries without an adequate level of data protection, provided that the necessary amendments and adaptations are made for use under Swiss data protection law.

On August 9, 2021, Baltimore joined Portland, Oregon and New York City in enacting a local ordinance regulating the private sector’s use of facial recognition technology. Baltimore’s ordinance will become effective on September 8, 2021. Read our earlier post for more details about Baltimore’s ban on the use of facial recognition technology by private entities and individuals within its city limits.

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced a fine of €225 million ($266 million) against WhatsApp Ireland Ltd (“WhatsApp”) for failure to meet the transparency requirements of Articles 12-14 of the EU General Data Protection Regulation (“GDPR”). This fine represents a more than four-fold increase in the €30-50 million fine that was proposed in a draft decision issued by the DPC in December 2020. Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under Chapter VII of the GDPR. Eight other EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (“EDPB”), in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.

On September 1, 2021, the South Korean Personal Information Protection Commission (“PIPC”) issued fines against Netflix and Facebook for violations of the Korean Personal Information Protection Act (“PIPA”).

On August 30, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that it had settled three administrative cases involving a total of eight registered broker-dealers and investment advisers for failures in their cybersecurity policies and procedures. These failures led to email account takeovers that exposed personal information of thousands of customers at each firm. The cases are In the Matter of Cetera Advisor Networks LLC, Release No. 34-92800; In the Matter of Cambridge Investment Research, Inc., Release No. 34-92806; and In the Matter of KMS Financial Services, Inc., Release No. 34-92807, August 30, 2021.

On August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

On August 25, 2021, New Mexico Attorney General (“AG”) Hector Balderas sued Rovio Entertainment (“Rovio” or the “Company”), the developer of the popular Angry Birds mobile app games, alleging that the Company violated the federal Children’s Online Privacy Protection Act (“COPPA”) by knowingly collecting data from players under age 13 and sharing it with advertisers. Under COPPA, developers of child-directed apps are required to provide notice to parents of their data collection practices and obtain verifiable parental consent to collect personal information from children under 13.

On August 19, 2021, the UK Information Commissioner’s Office (“ICO”) approved the criteria for three certification schemes, as required under Article 42(5) of the UK General Data Protection Regulation (“UK GDPR”). Certification schemes are one method for organizations to demonstrate compliance with the UK GDPR.