In this week’s Privacy Tracker global legislative roundup, a U.S. Senate committee discussed the need for a federal privacy law, while in Washington, a third version of the Washington Privacy Act has been introduced. In the U.K., YouTube faces a $3 billion lawsuit alleging it violates the EU General Data Protection Regulation by sending “addictive” programming to children under 13. And in Brazil, the Public Ministry of the Federal District and Territories filed the first lawsuit for alleged violations of the country’s General Data Protection Law.

LATEST NEWS

The U.S. Department of Health and Human Services’ Office for Civil Rights fined Premera Blue Cross $6.85 million over Health Insurance Portability and Accountability Act violations that led to a 2015 breach involving 10.4 million individuals.
More

The California Attorney General’s Office sent letters July 1 warning businesses of alleged California Consumer Privacy Act violations, targeting mainly businesses missing key privacy disclosures from their websites. AdExchanger reports on where enforcement currently stands.
More

Also in California, Gov. Gavin Newsom, D-Calif., signed a law that will force the Economic Development Department to stop mailing full Social Security numbers, putting people at risk of identity theft, CBS13 reports.
More

ICYMI

For Privacy Tracker, IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, analyzed the proposed U.S. Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act and where the bill stands on some of the more divisive elements surrounding the federal privacy law debate.
More

Meanwhile, the U.S. Senate Committee on Commerce, Science and Transportation discussed the need for a federal privacy law during a hearing in which current and former regulators testified, IAPP Associate Editor Ryan Chiavetta, CIPP/US, reported for The Privacy Advisor.
More

Also, Fazlioglu and Sara Collins of Public Knowledge discussed with host Angelique Carson, CIPP/US, the U.S. SAFE DATA Act’s provisions and the Senate Committee’s hearing in this episode of The Privacy Advisor Podcast.
More

In Washington, a third version of the Washington Privacy Act has been introduced which includes new sections related to COVID-19, precludes a private right of action, and proposes changes to enforcement and preemption, according to a Privacy Tracker analysis from IAPP Legal Research Fellow Cathy Cosgrove.
More

EUROPE

A $3 billion lawsuit against YouTube, filed on behalf of 5 million British children, alleges the company illegally sends “addictive” programming to children under the age of 13, a violation of the EU General Data Protection Regulation, Business Insider reports.
More

Switzerland’s Parliament voted to adopt revisions to the country’s Federal Act on Data Protection that will modernize the 28-year-old law to be more closely aligned with laws in the European Union.
More

US

A safe harbor rule is proposed in Indiana to help protect residents from cyberattacks.
More

LATIN AMERICA

Brazil’s Public Ministry of the Federal District and Territories filed the first lawsuit for alleged violations of the country’s General Data Protection Law against a computer company it alleges sold the personal information of 500,000 people.
More

A bill introduced in Brazil seeks to protect students’ privacy on remote-learning platforms by requiring the platforms to abide by provisions of the General Data Protection Law.
More

ENFORCEMENT

Colombia’s data protection authority, the Superintendencia de Industria y Comercio, fined Banco Popular 269,046,492 pesos for violating the right to deletion under the Personal Data Protection Law.
More

France’s data protection authority, the Commission nationale de l’informatique et des libertés, published guidance on the principles employers should follow when potentially collecting employee data to monitor COVID-19 symptoms or for contact-tracing purposes.
More

Lithuania’s data protection authority, the State Data Protection Inspectorate, released an FAQ on binding corporate rules, stating they can be used as a basis for companies to transfer personal data to third countries in accordance with the GDPR.
More

The U.K. Information Commissioner’s Office fined Digital Growth Experts Limited 60,000 GBP for sending more than 16,000 text messages touting products it claimed are “effective against coronavirus” without recipients’ consent, a violation of the Privacy and Electronic Communications Regulations 2003.
More

The U.S. Department of Health and Human Services’ Office for Civil Rights announced a $2.3 million fine against management company CHSPSC for violations stemming from a 2014 data breach that affected 6.1 million individuals.
More

The U.S. DHHS also announced Athens Orthopedic Clinic agreed to pay $1.5 million to settle violations of HIPAA Privacy and Security Rules.
More