Privacy & Information Security Law Blog

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

On December 12, 2022, at the “POLITICO Live” event presented in cooperation with Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership ("CIPL")—titled “EU-U.S. Data Flows: Game Changer or More Legal Uncertainty?”—featured speakers from both sides of the Atlantic optimistic that the new EU-U.S. Data Privacy Framework will withstand an anticipated legal challenge.

On December 7, 2022, the Federal Trade Commission released a tentative agenda for its Open Commission Meeting, which will take place on December 14, 2022. The event will feature opening remarks by FTC Chair Lina Khan, and include a presentation by the Chief Technology Officer’s team on the FTC’s data security efforts.

On November 30, 2022, the Second District Appellate Court of Illinois reversed and remanded a grant of summary judgement in favor of defendant, J&M Plating, Inc., for alleged violation of the Illinois Biometric Information Privacy Act (“BIPA”). In Mora v. J&M Plating, Inc., the plaintiff claimed that J&M Plating had violated BIPA by collecting workers’ fingerprints without a proper data retention and destruction policy for biometric information.

On November 22, 2022, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it filed comments with the Federal Trade Commission that call for new limits on how companies can collect and use personal information about consumers. The comments were filed in response to the FTC’s request for public comment on its Advanced Notice of Proposed Rulemaking on commercial surveillance and lax data security practices.

On December 6, 2022, the California Privacy Protection Agency (“CPPA”) announced that it will hold a virtual public meeting to discuss the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics. Anticipated topics for discussion include:

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

The UK Information Commissioner’s Office (“ICO”) recently published a package of detailed guidance and checklists for direct marketing activities. The ICO’s new webpage on direct marketing now includes various resources, including specific guidance for SMEs, business-to-business marketing, and organizations using the marketing services of data brokers, as well as direct marketing FAQs and checklists, and a training module for businesses.

On November 21, 2022, Meta Platforms, Inc. (“Meta”) announced updated practices designed to protect the privacy of young people on Facebook and Instagram, including default privacy settings for new accounts, measures to limit unwanted interactions with adult users, and a tool to limit the spread of teens’ intimate images online.

On November 22, 2022, the Court of Justice of the European Union (“CJEU”) determined in a preliminary ruling that the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Human Rights (the “Charter”).