Privacy & Information Security Law Blog

On June 25, 2021, the U.S. Supreme Court in TransUnion LLC v. Ramirez held in a 5-4 decision that certain members of a class action lawsuit, whose inaccurate credit reports were not provided to third parties, did not suffer a “concrete” injury sufficient to confer Article III standing. This case builds upon the Court’s 2016 decision in Spokeo, Inc. v. Robins, where the Court first addressed the concrete injury that must be suffered in order to have standing to bring suit under the Fair Credit Reporting Act (“FCRA”). Importantly, while Spokeo’s holding that a bare ...

On June 28, 2021, the European Commission (the “Commission”) adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (“GDPR”) and another under the Law Enforcement Directive. Their adoption means organizations in the EU can continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection. The adoption comes just before the conditional interim regime under the EU-UK Trade and Cooperation Agreement, under which data could flow freely from the EU to the UK, was set to expire on June 30, 2021.

On June 24, 2021, Google announced that it will delay its plan to replace the use of third-party cookies on its Chrome web browser with new technologies. This delay comes amid antitrust and privacy concerns, as well as scrutiny from the advertising industry that the changes will strengthen Google’s own advertising business.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 21, 2021, following a public consultation, the European Data Protection Board (“EDPB”) published the final version of its recommendations on supplementary measures in the context of international transfer safeguards, such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”).

On June 16, 2021, the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform published an independent report containing recommendations to the Prime Minister on how the UK can reshape its approach to regulation in the wake of Brexit (the “Report”). Among wide-ranging proposals across a range of areas, the Report recommends replacing the UK General Data Protection Regulation (“UK GDPR”) with a new UK Framework of Citizen Data Rights. The proposed approach would aim to give individuals greater control over their personal data while also allowing increased data flows and driving growth in the digital economy. The Report will be considered by the Government’s Better Regulation Committee.

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

On June 14, 2021, the Baltimore City Council passed a bill that would ban the use of facial recognition technology by private entities and individuals within the city limits. If signed into law, Baltimore, Maryland would become the latest U.S. city to enact stringent regulations governing the use of facial recognition technology in the private sector.

After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.

Compared to previous drafts of the law, the final version of the DSL differs with respect to:

• establishing a work coordination mechanism and clarifying the duties of each governmental authority;
• establishing an administration system for state core data;
• encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
• protecting the security of government data; and
• increasing the punishment dynamics for violations of the law. 

On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.