Listen to this post

On March 1, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it had issued an enforcement notice and a warning to the UK Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorized means. The Home Office is the ministerial department of the UK government responsible for immigration, security, and law and order.

Continue Reading UK ICO Issues Enforcement Notice and Warning to UK Home Office
Listen to this post

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

Continue Reading EDPB Launches Coordinated Enforcement Framework on Right of Access
Listen to this post

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

Continue Reading HHS Targets Small Behavioral Health Clinic for HIPAA Violations Following Ransomware Investigation
Listen to this post

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

Continue Reading FTC Announces $16.5 Million Settlement Against UK Service Provider and Ban from Selling Browsing Data for Advertising Purposes
Listen to this post

On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance.

Continue Reading ICO Orders Companies to Cease Using Facial Recognition Technology and Fingerprint Scanning to Monitor Attendance
Listen to this post

As reported on the Hunton Employment & Labor Perspectives blog, on February 15, 2024, California lawmakers introduced the bill AB 2930. AB 2930 seeks to regulate use of artificial intelligence (“AI”) in various industries to combat “algorithmic discrimination.” The proposed bill defines “algorithmic discrimination” as a “condition in which an automated decision tool contributes to unjustified differential treatment or impacts disfavoring people” based on various protected characteristics including actual or perceived race, color, ethnicity, sex, national origin, disability and veteran status. 

Continue Reading California Seeks to Regulation Employer Use of AI
Listen to this post

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

Continue Reading CIPL Publishes The Zero Risk Fallacy Paper
Listen to this post

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

Continue Reading FTC Proposes Measures to Combat AI Impersonation Threats
Listen to this post

On February 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a discussion paper on Comparison of U.S. State Privacy Laws: Data Protection Assessments. The paper analyzes the data protection assessment requirements set forth in an ever-growing number of comprehensive U.S. state privacy laws. The paper represents the first deliverable of CIPL’s ongoing project on U.S. state privacy laws, in which CIPL is collaborating with its member organizations to identify areas of alignment and divergence between state privacy laws. The paper also examines the compliance challenges organizations face as a result of the divergences, and provides recommendations to state law and policymakers who may be considering changes to existing laws or the introduction of new ones.

Continue Reading CIPL Publishes Discussion Paper on Data Protection Assessment Requirements Under U.S. State Privacy Laws
Listen to this post

On February 21, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a white paper on Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework. The white paper showcases how 20 leading organizations are developing accountable AI programs and best practices.

Continue Reading CIPL Releases White Paper on Accountable AI Best Practices