Privacy Archives - Page 3 of 32

China SCC Measures Officially Release a Path for Outbound Personal Information Transfer

On February 24, 2023, the Cyberspace Administration of China (CAC) released the much-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures) together with the issuance of finalized version of the standard contract for outbound transfer of personal information (China SCC), which will officially come into effect on June 1, 2023. For outbound transfers of personal information which have already been carried out before that date, the China SCC Measures require that the rectification shall be completed within six months from its effective date, i.e, before December 1, 2023.

As one of the three “legitimate grounds” for outbound personal information transfer of personal information under the Personal Information Protection Law of China (PIPL), the China SCC shares quite a number of similarities with the EU Standard Contractual Clauses (EU SCCs) under the GDPR, such as the protection of the data subject’s third-party beneficiary rights, the establishment of a “long-arm” jurisdiction for the exporting country through the execution of SCC-based contractual and other mandatory security requirements for the exported personal information. However, the China SCC Measures still vary significantly from the concept of SCCs under the GDPR. Rather than the four-module approach (controller – controller, controller – processor, processor – processor and processor – controller) under the EU SCCs, the China SCC adopts a one-size-fits-all approach towards exporting personal information by the personal information processor (PIP, a concept similar to the “data controller” under the GDPR) to the overseas recipient. There is no differentiation according to the role of the overseas recipient as a controller, processor or sub-processor. This article offers some key highlights of the newly released China SCC Measures.

Continue reading “China SCC Measures Officially Release a Path for Outbound Personal Information Transfer”

CJEU Rules on Dismissal of DPOs and Conflict of Interest

In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.

Background to Ruling

In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-Fab argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.

Continue reading “CJEU Rules on Dismissal of DPOs and Conflict of Interest”

Artificial Intelligence Briefing: NIST Releases AI Risk Management Framework and Playbook

Our latest briefing dives into the public launch of the NIST’s long-awaited AI Risk Management Framework, the EEOC’s new plan to tackle AI-based discrimination in recruitment and hiring, and the New York Department of Financial Services’ endeavor to better understand the potential benefits and risks of AI and machine learning in the life insurance industry.

Continue reading “Artificial Intelligence Briefing: NIST Releases AI Risk Management Framework and Playbook”

State AG Updates: Arizona, Texas, California, North Carolina, Washington, New York and an AG Coalition

In this edition of Faegre Drinker’s State Attorneys General Update, we discuss:

Arizona AG Enters $85 Million Settlement With Google for Alleged Improper Use of Consumer Location Data

Google agreed to an $85 million settlement for alleged violations of Arizona’s Consumer Fraud Act. Specifically, the Arizona AG alleged that Google violated the Act by building “coercive design tactics used to manipulate users’ behavior,” known as “dark patterns,” into its Android phone software. In this instance, the AG alleged that Google created misleading settings, so even if a consumer turned off location tracking in the “Location History” menu, location data would still be tracked and used to sell advertisements through other settings — specifically, the “Web & App Activity” menu.

Continue reading “State AG Updates: Arizona, Texas, California, North Carolina, Washington, New York and an AG Coalition”

First Biometric Information Privacy Act Trial Results in $228M Verdict

Last week, the first jury trial under the Illinois Biometric Privacy Act (BIPA) resulted in a $228 million verdict in favor of the plaintiff and the class.

The case, Rogers v. BNSF Railway Co., was filed in May 2019 and was pending in the U.S. District Court for the Northern District of Illinois. A class was certified in March 2022. Plaintiff alleged that BNSF unlawfully scanned his and other truck drivers’ fingerprints for identity verification when he and they visited BNSF rail yards. He claimed the company took this scan without written notice or consent as required under BIPA. BNSF argued, among other things, that the third-party vendor it hired to control gate access was the only party to collect drivers’ fingerprints, and that BNSF therefore had not independently violated BIPA.

Pretrial briefing in the case was extensive. Each side filed several motions in limine seeking to bar or include certain evidence in the trial. For example, the Plaintiff found several references to use of “biometrics” or “biometric identities” on BNSF’s website that they alleged were responsive to former document requests. Anticipating objections from BNSF, Plaintiff filed a preemptive motion asking the court to permit them to introduce these exhibits at trial. Plaintiff were able to use this information at the trial and suggest that BNSF was aware of the biometric collection and that BNSF itself was collecting the information.

Continue reading “First Biometric Information Privacy Act Trial Results in $228M Verdict”

Artificial Intelligence Briefing: FTC Holds Forum on Commercial Surveillance and Data Security

Our latest briefing explores the recent FTC commercial surveillance and data security forum (including discussion on widespread use of AI and algorithms in advertising), California’s inquiry into potentially discriminatory health care algorithms, and the recent California Department of Insurance workshop that could shape future rulemaking regarding the industry’s use of artificial intelligence, machine learning and algorithms.

Continue reading “Artificial Intelligence Briefing: FTC Holds Forum on Commercial Surveillance and Data Security”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Category: Privacy