More Privacy, Please – October 2021 | Troutman Pepper

Do you want an easy way to stay on top of important privacy changes? Avoid sleepless nights wondering if you’ve missed a speed bump or pothole between annual updates? Worry no more. Troutman Pepper is happy to offer More Privacy, Please – a monthly newsletter summarizing important industry and legal developments, as well as trends in the areas of cybersecurity, information governance and privacy.


  • The Uniform Personal Data Protection Act: A New Approach to Scoping. The Uniform Law Commission (ULC) recently approved a final draft of the Uniform Personal Data Protection Act (UPDPA), in the hope of widespread adoption by the states. The final draft departs significantly from existing state privacy laws, especially in its scope. Among other things, the UPDPA applies to organizations that retain personal data, regardless of volume or revenue threshold, unless the organization processes the data “using only compatible data practices”. Compatible data practices are determined by taking into account six factors, including the relationship of the data subject with the controller and the type and nature of the data collected. For a more detailed analysis of the UPDPA, click here.

  • Biden will appoint privacy advocate Alvaro Bedoya as FTC commissioner. As detailed in our recent Client Alert, on September 13, President Biden announced his intention to appoint privacy advocate Alvaro Bedoya as Commissioner of the Federal Trade Commission (FTC). Bedoya’s research focuses on the idea that privacy is a civil right, the violation of which implicates civil liberties. If confirmed, he will therefore likely focus on the harm done to marginalized groups, both in terms of consumer protection and competition. He is also likely to join FTC Chair Lina Khan in pushing the FTC to adopt a more aggressive enforcement and rule-making agenda.

  • Movement from all sides towards broader oversight of privacy and data security by the FTC. This month, the House Committee on Energy and Commerce voted to allocate $1 billion over 10 years to the FTC to establish and operate a new privacy office, which is a significant increase in the FTC budget. This again signals a trend towards broader national oversight of data privacy and security issues. More information can be found here.

  • FTC issues policy statement “On Violations by Health Apps and Other Connected Devices.” On September 15, the FTC released a policy statement, “On Violations by Health Apps and Other Connected Devices,” to reiterate the scope of the FTC’s violation notification rule and remind providers of its past guidelines. While the FTC has acknowledged that it “never enforced the [r]ule,” it warned that the policy statement should “warn entities of their continued obligation to shed light on violations,” signaling that it intends to take enforcement action in the future. For entities not covered by HIPAA, this rule kicks in and requires providers of personal health records (PHRs) to notify consumers and the FTC (and in some cases, the media) of violations or face significant civil penalties. The FTC specifically “advised mobile health apps to review their obligations under the [r]ule, including through the use of an interactive tool” previously provided by the FTC.

  • The Senate Commerce Committee launches a series of hearings on the protection of consumer privacy. On September 29, the Senate Commerce Committee held the first in a series of hearings on consumer privacy protection. The hearing, titled “Protecting Consumer Privacy,” covered key topics of discussion, including the need for comprehensive privacy legislation and the recently proposed $1 billion in funding for an FTC Privacy Bureau. Senators on both sides expressed general support for comprehensive privacy legislation; however, it was clear that the parties still disagreed on many of the key substantive provisions. Senators were also divided over the proposed FTC funding. The next hearing in this series, “Enhancing Data Security”, is scheduled for October 6.


  • State secrets privilege bars Wikimedia’s upstream surveillance case. On September 15, the Fourth Circuit determined that the state secrets privilege required the dismissal of the Wikimedia Foundation’s case against the National Security Agency (NSA) for allegedly spying on Wikimedia communications via “upstream surveillance.” Upstream surveillance involves collecting communications as they travel across the Internet with the help of telecommunications service providers. In Wikimedia Foundation v. National Security Agency, Wikimedia and eight other plaintiffs argued, among other things, that the NSA’s upstream surveillance violated the First and Fourth Amendments. During jurisdictional discovery, however, the NSA invoked the state secrets privilege, which allows it to withhold information if disclosure could harm national security. The Fourth Circuit determined that because there is “simply no conceivable defense” to Wikimedia’s claims that would not also reveal how the NSA conducted upstream surveillance, the court must dismiss Wikimedia’s claims in favor of national security.

  • CFPB is seeking feedback on study plans for electronic disclosure on mobile devices. On September 10, the comment period on the Consumer Financial Protection Bureau’s (CFPB) information collection initiative, “Electronic Disclosure on Mobile Devices,” ended. The CFPB issued the initial request on August 11, before seeking formal approval of the initiative from the Office of Management and Budget. The CFPB intends to conduct several studies using methodologies rooted in psychology and behavioral economics to understand electronic disclosure on mobile devices.

  • The CFPB publishes the long-awaited notice of proposed rulemaking on the collection of data on loans to small businesses. On September 1, the CFPB issued a 900+ page notice of proposed rulemaking (NPRM) to implement small business loan data collection requirements under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This rule applies to “covered financial institutions”, which are broadly defined and include a variety of entities that engage in small business lending. Financial institutions should take this rule into account when determining what types of customer information to collect and retain. To read a more detailed summary of the proposal, click here.

  • Tims v. Black Horse Carriers, Inc. decision clarifies the limitation periods for BIPA claims. On September 17, the Illinois Court of Appeals released its long-awaited decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), dealing with the applicable limitation period for claims brought under the Illinois Biometric Information Privacy Act (BIPA). The question before the court was which statute of limitations should apply to BIPA claims: the Illinois “catch-all” statute of limitations or the one-year statute of limitations used in actions involving a publication “violating the right to privacy”. The court ultimately concluded that claims under Sections 15(c) and (d) of BIPA are subject to the one-year limitation period, while claims under Sections 15(a), (b) and (e) of BIPA benefit from the longer five-year limitation period. For more information on the recent ruling, please see our Troutman Pepper Legal Alert available here.


  • New UK standards for digital services for children come into force, providing a framework for the new US law. On September 2, the UK’s Age-Appropriate Design Code (also known as the ‘Children’s Code’) came into effect. The Children’s Code designates a set of 15 flexible standards that apply to online services, such as apps, online games, websites and social media, that may be viewed by children. Notably, US lawmakers have urged online companies, such as Microsoft, Walt Disney, and Nintendo, to comply with the Children’s Code in the United States. In fact, Representative Kathy Castor recently introduced an update to the Privacy of Our Vulnerable Children and Youth Act (the Kids PRIVCY Act), which incorporates key elements of the Children’s Code to amend the Children’s Online Privacy Protection Act (COPPA). If enacted, the Kids PRIVCY Act would create a protected class of adolescents beyond the enforcement of COPPA (that is, children aged 13 to 17) and apply to all sites “likely to be viewed by children and adolescents”, not just “children-only” services. The Kids PRIVCY Act would also repeal the safe harbor regulations allowing industry self-regulation. To learn more about the 15 flexible standards of the Children’s Code, click here.

  • The new EU SCCs come into force on September 27. From September 27, all new data transfer agreements under the General Data Protection Regulation (GDPR) must use the new Standard Contractual Clauses (SCCs), updated in June to reflect the Court of Justice of the European Union’s decision in Schrems II. Organizations have until December 27, 2022 to migrate existing SCC agreements to integrate the new SCCs. To learn more about the new SCCs, click here.

  • ESMA fines trade repository €238,500 for data breaches occurring over a two-year period. The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, has fined UnaVista Ltd., a UK-based trade repository, €238,500 for eight violations of the European Market Infrastructure Regulation (EMIR). EMIR requires trade repositories like UnaVista to regularly provide information to regulators on various aspects of their business. According to a public notice from ESMA, over a two-year period, UnaVista (1) mishandled data, which resulted in incorrect or unreliable regulatory reporting, and (2) failed to provide regulators with direct and immediate access to the required information. This fine emphasizes the importance of maintaining adequate data integrity and providing rapid regulatory access.
