November 15, 2021 |

Privacy News Roundup – November 15, 2021

US Federal

COVID-19 regulations also impose new privacy issues

Employers are struggling with the balance between creating a safe work environment and managing privacy and data-handling issues that come with requiring vaccinations or regular COVID-19 testing for employees.

AI discrimination in education

Three U.S. Senators sent a letter to four educational technology companies regarding AI discrimination. The letter notes the expanding use of monitoring software to track students’ online activities and describes unintentional, but harmful consequences including:

  • Mischaracterization of activity
  • Disproportionate flagging of minority students
  • Poor analysis of language and dialects used by people of color

The letter raises concerns that these results perpetuate racial bias and impact the mental health of those affected. The Senators requested that the companies share plans to mitigate these harms.

New legislation and leadership

The California governor signed AB 694, which adds new and amends several existing definitions to the California Privacy Protection Act (CCPA). Most notably, the CCPA amended the definition for “personal information” and added a definition for consent.

The CCPA also announced Ashkan Soltani, the former chief technologist for the U.S. FTC and senior advisor to the White House, will be the first Executive Director.

President Biden has signed the K-12 Cybersecurity Act of 2021 into law, which will require the Cybersecurity and Infrastructure Security Agency (CISA) to study cybersecurity risks specific to elementary and secondary schools. Additional requirements include developing cybersecurity guidelines to be adopted on a voluntary basis by schools facing such risks.

The FTC has proposed new privacy rules which impose significant new obligations on businesses. The rules would impact how businesses handle consumer data, including how the data of children is handled.


European Union

Facebook attempted to bypass the strict requirements the General Data Protection Regulation (GDPR) imposes on consent for data processing. The company included data processing specifications in its general terms and conditions, interpreting the agreement as a contract rather than consent.

A draft decision from Ireland’s Data Protection Commissioner endorsed this approach, but has been met with much criticism.


The Italian data protection authority fined Luigi Bocconi University €200,000 for using Respondus, a US proctoring application used to supervise remote exams. The fine comes after the university had various violations of the GDPR.

The violations included failing to sufficiently inform students of:

  • Processing their personal data through the software
  • Tracking of their behavior during tests
  • Processing by profiling
  • Recording audio-video of tests
  • Taking pictures of students at the beginning of tests


The Federal Office of Justice (FOJ) issued a report on the US CLOUD Act.

The report found that the disclosure and processing of personal data carried out under CLOUD ACT production orders is fundamentally problematic regarding both fundamental rights and compatibility with the GDPR and Swiss data protection law.


Use of, access to, and information exchanged on this web page or any of the e-mail links contained within it cannot and does not create an attorney-client relationship between Han Santos, PLLC, and the user or browser. Please do not post any personal or confidential information. You should contact your attorney to obtain advice with respect to any particular issue or problem. Contact us for additional information. One of our lawyers will be happy to discuss the possibility of representation with you. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.