Data & Privacy Update: Biometric, Ransomware, PIPEDA and EU-UK Data Transfers

Williams Mullen

2021 promises to be an exciting year in the data and privacy space. With the adoption of technologies that collect, analyze, aggregate, distribute and share data, and the implementation of new laws and regulations in response, businesses need to be aware of the impact these developments will have on current and future operations.

The following is a summary of recent developments in this evolving area of law.

University subject to class action lawsuit in connection with students’ biometric data. Northwestern University (“Northwestern”) was named in a lawsuit that alleges that it failed to properly notify students about the collection, use and storage of biometric data through online test proctoring systems as required under the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Northwestern failed to comply with BIPA with respect to “facial recognition data, facial detection data, recorded patterns of keystrokes, eye monitoring data, gaze monitoring data, and camera and microphone recordings” collected through online testing.

U.S. Customs and Border Protection (CBP) reopens Notice of Proposed Rulemaking for Collection and Use of Biometric Data. The CBP announced that the comment period for the Notice of Proposed Rulemaking (NPRM) for the Department of Homeland Security’s (DHS) biometric entry and exit system (the “Proposed Rule”) had been reopened until March 12, 2021. The Proposed Rule would amend the DHS entry/exit regulations requiring foreign travelers to take photographs upon entry to and/or departure from the United States. It would also amend the DHS entry/exit regulations to eliminate references to pilot programs and associated limitations to permit the collection of photographs or other biometrics from non-U.S. travelers departing from airports, land ports, seaports or any other authorized point of departure. According to the report, the rulemaking had been reopened due to CBP’s commitment to “privacy principles and transparency”.

Cybersecurity guidelines recommend against making ransomware payments. The New York Department of Financial Services (DFS) has taken a leadership role in developing cybersecurity regulations for the financial services industry. Many of the principles in the regulations are well suited for other industries. Earlier this month, DFS published Insurance Circular Letter No. 2 (2021), which includes a Cyber Insurance Risk Framework outlining practices for managing cyber insurance risk. One item of note: DFS recommends against making ransomware payments, claiming that doing so creates a vicious cycle of ransomware, as cybercriminals use the payments to fund additional ransomware attacks.

Canadian agency finds popular facial recognition software violates data protection law. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires an individual’s consent to the collection, use and disclosure of personal information. Clearview AI, Inc. (“Clearview”) collects images of faces posted online and then runs the images through facial recognition software to facilitate use by law enforcement. PIPEDA contains a number of exceptions in which an individual’s consent to collection and use of personal information is not required. However, in a joint report (PIPEDA Report of Findings #2021-001), several federal and provincial data protection offices stated that Clearview’s collection and use of the images taken off the internet without consent were illegal.

European Commission adopts draft adequacy decisions for transfers of data from the EU to the UK. On February 19, the European Commission published two draft adequacy decisions pertaining to the transfer of personal data to the United Kingdom from the European Union. These drafts are subject to further review by the European Data Protection Board (EDPB) and a committee of representatives of the EU Member States before adoption by the European Commission.

Stay tuned for more legal developments related to data management, including privacy and data protection, cybersecurity, intellectual property rights and data quality.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Williams Mullen | Attorney Advertising
