Privacy & Information Security Law Blog

On May 11, 2021, the European Parliament issued a press release requesting that the European Commission amend its draft decisions on UK adequacy to more closely align with EU court rulings and the opinion of the European Data Protection Board (“EDPB”). The request came after the Parliament’s Civil Liberties Committee (the “Committee”) passed a resolution evaluating the Commission’s approach regarding the adequacy of the UK’s data protection regime. The Members of European Parliament (“MEPs”) stated that if the Commission’s implementing decisions are adopted without amendment, transfers of personal data to the UK should be suspended when there is the potential for indiscriminate access to personal data.

On May 12, 2021, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity. The Order outlines a number of initiatives intended to improve cybersecurity in the U.S. and protect federal government networks, including:

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

On May 11, 2021, Senators Edward Markey (D-MA) and Bill Cassidy (R-LA) introduced the Children and Teens’ Online Privacy Protection Act (the “Bill”). The Bill, which would amend the existing Children’s Online Privacy Protection Act (“COPPA”), would prohibit companies from collecting personal information from children ages 13 to 15 without their consent.

On May 2, 2021, the Norwegian data protection authority, Datatilsynet, notified Disqus Inc. (“Disqus”), a U.S. company owned by Zeta Global, of its intention to issue a fine of 25 million Norwegian Krone (approximately 2.5 million Euros). The preliminary fine was issued for failure to comply with the General Data Protection Regulation’s (“GDPR”) accountability, lawfulness and transparency requirements, primarily due to Disqus’ tracking of website visitors.

On May 6, 2021, Google announced that beginning in the second quarter of 2022, mobile app developers submitting new apps and app updates to the Google Play store will be required to disclose certain information regarding their apps’ data collection, use, sharing and security practices, as well as provide a privacy policy for their apps. This information will be displayed in a new “safety section” of Google Play.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.

On April 23, 2021, the National Information Security Standardization Technical Committee of China published a draft standard (in Chinese) on Security Requirements of Facial Recognition Data (the “Standard”). The Standard, which is non-mandatory, details requirements for collecting, processing, sharing and transferring data used for facial recognition.

On April 27, 2021, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados, the “CNPD”) ordered the National Institute of Statistics (the “INE”) to suspend, within 12 hours, any international transfers of personal data to the U.S. or other third countries that have not been recognized as providing an adequate level of data protection.