In this week’s global legislative roundup, Gov. Andrew Cuomo, D-N.Y., proposed privacy legislation, and a Washington Senate Committee held a public hearing on a third iteration of the Washington Privacy Act. In India, the final draft of the Personal Data Protection Bill, 2019 will likely be tabled during Parliament’s Budget session beginning Jan. 29. In the EU, the European Data Protection Board and European Data Protection Supervisor published their joint opinions on the European Commission’s Implementing Decision on standard contractual clauses.

LATEST NEWS

In the U.S., Gov. Andrew Cuomo, D-N.Y., proposed a privacy bill that would require companies to disclose their data collection practices and create a “Bill of Rights” to give residents increased data subject rights.
More

Also in the U.S., New York–based Excellus Health Plan will pay $5.1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules related to a 2015 data breach that affected more than 9.3 million people.
More

The European Data Protection Board and European Data Protection Supervisor published their joint opinions on the European Commission's Implementing Decision on standard contractual clauses.
More

The German Federal Government passed a draft law adapting the country’s information technology laws to the increasing digitalization of products and services.
More

ICYMI

During a panel at the 2021 Consumer Electronics Show, privacy leaders from Twitter, Google and Amazon said they are “cautiously” optimistic over the prospects of omnibus privacy legislation coming from U.S. Congress in the coming years. IAPP Associate Editor Ryan Chiavetta, CIPP/US, has the details for The Privacy Advisor.
More

As part of a series for The Privacy Advisor examining the top operational impacts of the California Privacy Rights Act, IAPP Legal Extern Anna Daniels looks at two new rights under the legislation: the right to correct inaccurate personal information and the right to limit the use of “sensitive personal information.”
More

The Washington Senate Environment, Energy & Technology Committee held a public hearing on a third iteration of the Washington Privacy Act. IAPP Staff Writer Jennifer Bryant reports the details for The Privacy Advisor.
More

Also for The Privacy Advisor, IAPP Staff Writer Joe Duball breaks down Court of Justice of the European Union Advocate General Michal Bobek’s non-binding opinion supporting the future application of the EU General Data Protection Regulation's one-stop-shop mechanism.
More

ENFORCEMENT

The Danish data protection authority, Datatilsynet, highlighted areas of focus in 2021, including monitoring television surveillance and transferring personal data to third countries.
More

France's data protection authority, Commission nationale de l'informatique et des libertés, announced sanctions against the Ministry of the Interior for its unlawful deployment of drones to oversee and enforce "containment measures."
More

Germany's State Commissioner for Data Protection in Lower Saxony issued a 10.4 million euro fine to retailer notebooksbilliger.de for monitoring its employees over a two-year span without a legal basis.
More

The Irish Times reports Ireland's Data Protection Commission acknowledged in a pre-budget submission for 2021 that its work, including GDPR enforcement of multinationals, has been hampered by limited resources.
More

Poland's data protection authority, Urząd Ochrony Danych Osobowych, announced a PLN 1 million fine against ID Finance Poland for insufficient data security measures that led to a data breach.
More

Singapore’s government issued legislative provisions to limit the future use of COVID-19 contact-tracing data by law enforcement.
More

A motor industry employee has been sentenced following a prosecution by the U.K. Information Commissioner’s Office for conspiracy to secure unauthorized access to computer data and selling unlawfully obtained personal data.
More

The U.S. Department of Health and Human Services Office for Civil Rights announced it reached a settlement with Banner Health over alleged violations of the HIPAA Privacy Rule’s right of access standard.
More

The U.S. Federal Trade Commission reached a settlement with Flo Health over the data-sharing practices related to its women's health-tracking application.
More

The FTC also announced a settlement with California-based photo app developer Everalbum regarding alleged facial recognition misuse.  
More

ASIA-PACIFIC

The final draft of India's Personal Data Protection Bill, 2019 will likely be tabled during the Budget session of Parliament beginning Jan. 29, the Economic Times reports.
More

Pakistani Minister for Science and Technology Chaudhry Fawad Hussain said his ministry is considering a federal privacy law, Dawn.com reports.
More

CANADA

Canada's Department of Justice announced the public consultation on the modernization of Canadian privacy law has been extended to Feb. 14.
More

EUROPE

Ireland's Data Protection Commission will proceed with a complaint challenging Facebook’s transborder data transfers, Reuters reports.
More

The Russian State Duma announced amendments to the Federal Law on Personal Data were adopted Dec. 23, 2020, and take effect March 1.
More

The U.K. High Court ruled against a mass surveillance practice, deeming it illegal for intelligence agencies to search large numbers of phones and computers under a single “general warrant.”
More

US

Walmart will pay a total of $10 million to approximately 21,677 Illinois employees to settle a 2019 lawsuit alleging the company used a palm screening device in violation of Illinois' Biometric Information Privacy Act, the Chicago Tribune reports.
More

Nearly 1.6 million Illinois Facebook users will each receive $350 as part of a $650 million settlement over alleged BIPA violations, the Chicago Tribune reports.
More

The Minnesota Legislature is considering a privacy bill, including “rights regarding personal data, data transparency obligations placed on businesses, private right of action created, and enforcement provided by the attorney general."
More

GUIDANCE

The European Data Protection Supervisor launched its Website Evidence Collector tool for privacy and data protection inspections on websites.
More

Spain's data protection authority, Agencia Española de Protección de Datos, released guidance on controls to implement for conducting audits of personal data processing that involve artificial intelligence components.
More