On July 13, 2020, a Committee of Experts within India’s Ministry of Electronics and Information Technology (“the Committee”) published the first draft of a Non-Personal Data Governance Framework for India for public consultation.
On August 4, 2020, Senators Jeff Merkley (OR) and Bernie Sanders (VT) introduced the National Biometric Information Privacy Act of 2020 (the “bill”). The bill would require companies to obtain individuals’ consent before collecting biometric data. Specifically, the bill would prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints and fingerprints—without individuals’ written consent, and from profiting off of biometric data. The bill provides individuals and state attorneys general the ability to institute legal proceedings against entities for alleged violations of the act.
On July 30, 2020, the Council of the European Union (the “Council”) imposed for the first time restrictive measures against six individuals and three entities responsible for or involved in various cyber attacks, including the “WannaCry,” “NotPetya” and “Operation Cloud Hopper” attacks and the attack against the Organization for the Prohibition of Chemical Weapons. Sanctions imposed by the Council include a travel ban, an asset freeze and a prohibition against making funds available to the sanctioned EU individuals and entities.
The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.
On July 27, 2020, the Enforcement Bureau of the Federal Communications Commission (the “FCC”) designated the Industry Traceback Group (“ITG”) as the FCC’s official consortium for coordinating efforts to trace illegal robocalls. The ITG is a collaboration of wireline, wireless, VoIP and cable industry companies, led by USTelecom, with the mission of tracing and identifying the source of illegal robocalls. According to the ITG, it conducted more than 1,000 trace-back operations in 2019 and unmasked the source of more than 10 million robocalls.
On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement reiterating the requirement for additional safeguards when organizations rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) for the transfer of personal data to third countries in the wake of the Court of Justice of the European Union’s (the “CJEU”) invalidation of the Privacy Shield Framework. In its July 16, 2020 judgment, the CJEU concluded that SCCs issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, subject to the need to assess whether additional safeguards are required depending on the recipient jurisdiction. In this same decision, the CJEU struck down the EU-U.S. Privacy Shield Framework.
Texas Attorney General Ken Paxton is investigating Facebook Inc. (“Facebook”) for alleged violations of the Texas Business and Commercial Code, which contains provisions governing the collection, retention and disclosure of biometric data. As we previously reported, Facebook recently reached a $650 million settlement for alleged violations of Illinois’ Biometric Information Privacy Act for their use of facial recognition software without permission from affected users.
On July 23, 2020, the UK Information Commissioner’s Office (the “ICO”) published the first two reports of its Data Protection Regulatory Sandbox Beta phase (the “Beta phase”) involving projects by Jisc (a not-for-profit organization serving the higher and further education and skills sectors) and Heathrow Airport Ltd.
On July 22, 2020, the European Data Protection Board (the “EDPB”) adopted an information note (the “Note”) to assist organizations relying on Binding Corporate Rules (“BCRs”) for international personal data transfers, as well as supervisory authorities, in preparing for the end of the Brexit implementation period on December 31, 2020. The Note is provided specifically for those groups of undertakings and enterprises that have the UK Information Commissioner’s Office (“ICO”) as the competent supervisory authority for their BCRs.
On July 24, 2020, the European Data Protection Board (the “EDPB”) published a set of Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the EU-U.S. Privacy Shield framework. With its FAQs, the EDPB sought to provide responses to some of the many questions organizations are asking in the aftermath of the Schrems II ruling.