Privacy News Roundup – February 2, 2022

On January 6, New York saw several consumer privacy bills introduced in the House and Senate.

Meanwhile, the proposed Senate Bill 5062, the Washington Privacy Act (WPA) didn't find common ground among business and privacy groups and failed to pass for the third year in a row in 2021. Many of the issues the WPA has faced are due to the debate over including a private right of action.

In Alabama, a class-action lawsuit was filed against Facebook for violating US antitrust laws and profiting from minors’ biometric data. Even though images are destroyed by Facebook themselves, the data has already been disseminated to other third parties. The plaintiffs are seeking $32 billion for a national class of 285 million minors and $240 million for a smaller class in Alabama.

While in Illinois - one of the strictest states in the US addressing biometric privacy - a class action lawsuit was filed against Amazon by a former employee that claimed Amazon collected facial and other data without proper consent under the Illinois Biometric Information Privacy Act (BIPA). The employee alleged that Amazon sites were scanning faces and checking temperatures of employees for COVID protocols without obtaining informed consent. He also claimed the company did not have a publicized data retention plan.

The European Data Protection Supervisor (EDPS) sanctioned the European Parliament for a series of data protection violations on its COVID-19 testing website.

The EDPS found the website's cookie banners had inaccurate information, unclear options to reject third-party tracking, and a deceptive design, which might manipulate consent. They also found that no measures were being taken to raise the level of protection of EU residents’ personal data that was being transferred to the US through Google Analytics and Stripe. This violation clearly goes against the requirements made by the Schrems II decision.

The EDPS issued a reprimand against Parliament and gave them one month to update their data protection notice and address the remaining issues of transparency.

The Cyberspace Administration of China (CAC) has issued a new rule that will go into effect on February 15, 2022, requiring that Chinese platform companies with data on more than 1 million users must undergo a security review before listing their shares on overseas stock markets.

Additionally, a new rule will take effect on March 1, 2022, that will increase oversight of news providers that use algorithm recommendation technology to disseminate information to users.

On April 1, 2022, amendments to the Act on Protection of Personal Information (APPI) will take effect and businesses in Japan should revise their privacy notices in accordance with the APPI. The revisions focus on businesses’ transparency with consumers about how their personal information is handled.

The National Commission on Informatics and Liberty (CNIL) has published a draft position on the use of “intelligent” and “augmented” video devices in public spaces. With the increased use of such devices in public spaces to improve safety and collect marketable data, the CNIL will analyze the devices’ use from an ethical, technical, and legal point of view.