Privacy News Roundup – November 15, 2021

Employers are struggling with the balance between creating a safe work environment and managing privacy and data-handling issues that come with requiring vaccinations or regular COVID-19 testing for employees.

Three U.S. Senators sent a letter to four educational technology companies regarding AI discrimination. The letter notes the expanding use of monitoring software to track students’ online activities and describes unintentional, but harmful consequences including:

• Mischaracterization of activity
• Disproportionate flagging of minority students
• Poor analysis of language and dialects used by people of color

The letter raises concerns that these results perpetuate racial bias and impact the mental health of those affected. The Senators requested that the companies share plans to mitigate these harms.

The California governor signed AB 694, which adds new and amends several existing definitions to the California Privacy Protection Act (CCPA). Most notably, the CCPA amended the definition for “personal information” and added a definition for consent.

The CCPA also announced Ashkan Soltani, the former chief technologist for the U.S. FTC and senior advisor to the White House, will be the first Executive Director.

President Biden has signed the K-12 Cybersecurity Act of 2021 into law, which will require the Cybersecurity and Infrastructure Security Agency (CISA) to study cybersecurity risks specific to elementary and secondary schools. Additional requirements include developing cybersecurity guidelines to be adopted on a voluntary basis by schools facing such risks.

The FTC has proposed new privacy rules which impose significant new obligations on businesses. The rules would impact how businesses handle consumer data, including how the data of children is handled.

Facebook attempted to bypass the strict requirements the General Data Protection Regulation (GDPR) imposes on consent for data processing. The company included data processing specifications in its general terms and conditions, interpreting the agreement as a contract rather than consent.

A draft decision from Ireland’s Data Protection Commissioner endorsed this approach, but has been met with much criticism.

The Italian data protection authority fined Luigi Bocconi University €200,000 for using Respondus, a US proctoring application used to supervise remote exams. The fine comes after the university had various violations of the GDPR.

The violations included failing to sufficiently inform students of:

• Processing their personal data through the software
• Tracking of their behavior during tests
• Processing by profiling
• Recording audio-video of tests
• Taking pictures of students at the beginning of tests

The Federal Office of Justice (FOJ) issued a report on the US CLOUD Act.

The report found that the disclosure and processing of personal data carried out under CLOUD ACT production orders is fundamentally problematic regarding both fundamental rights and compatibility with the GDPR and Swiss data protection law.