Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy, Please — a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.

U.S. LAWS AND REGULATION

• The Uniform Personal Data Protection Act: A New Approach to Scoping. The Uniform Law Commission (ULC) recently approved a final draft of the Uniform Personal Data Protection Act (UPDPA), hoping for widespread state adoption. The final draft deviates significantly from existing state privacy laws, most critically in its scope. Among other things, the UPDPA applies to organizations that maintain personal data, regardless of any volume or revenue threshold, unless the organization processes the data “solely using compatible data practices.” Compatible data practices are determined by considering six factors, including the data subject’s relationship with the controller and the type and nature of the data collected. For a more detailed analysis of the UPDPA, click here.

• Biden To Nominate Privacy Advocate Alvaro Bedoya as an FTC Commissioner. As detailed in our recent client alert, on September 13, President Biden announced his intent to nominate privacy advocate Alvaro Bedoya to serve as a commissioner of the Federal Trade Commission (FTC). Bedoya’s scholarship focuses on the idea that privacy is a civil right, the violation of which implicates civil liberties. Thus, if confirmed, he will likely focus on harms to marginalized groups, both in consumer protection and competition matters. He is also likely to join FTC Chair Lina Khan in pushing the FTC to adopt a more aggressive enforcement and rulemaking agenda.

• Movement on All Sides Toward Broader Data Privacy and Security Oversight by FTC. This month, the House Committee on Energy and Commerce voted to appropriate $1 billion over 10 years to the FTC to establish and operate a new privacy bureau, representing a significant increase to the FTC’s budget. This again signals a trend toward broader national oversight over data privacy and security issues. More information can be found here.

• FTC Issues Policy Statement “On Breaches by Health Apps and Other Connected Devices.” On September 15, the FTC issued a policy statement, “On Breaches by Health Apps and Other Connected Devices,” to reiterate the scope of the FTC Breach Notification Rule and remind vendors of its prior guidance. While the FTC acknowledged that it “has never enforced the [r]ule,” it cautioned that this policy statement should “place entities on notice of their ongoing obligation to come clean about breaches,” signaling that it intends to bring enforcement actions in the future. For those entities not covered by HIPAA, this rule steps in and requires vendors of personal health records (PHR) to notify consumers and the FTC (and in some cases, the media) in the event of a breach or face significant civil penalties. The FTC specifically “advised mobile health apps to examine their obligations under the [r]ule, including through the use of an interactive tool” previously provided by the FTC.

• Senate Commerce Committee Kicks Off Consumer Privacy Hearing Series. On September 29, the Senate Commerce Committee held the first of a series of hearings on consumer privacy. This hearing, titled “Protecting Consumer Privacy,” covered major discussion topics, including the need for comprehensive privacy legislation and the recently proposed $1 billion dollar FTC Privacy Bureau appropriation. Senators from both sides expressed their general support for the comprehensive privacy legislation, however, it was clear that the parties still disagree on many of the major substantive provisions. Senators were also divided on the proposed FTC appropriation. The next hearing in this series, “Enhancing Data Security,” is scheduled for October 6.

U.S. LITIGATION AND ENFORCEMENT

• State Secrets Privilege Prevents Wikimedia’s Upstream Surveillance Case. On September 15, the Fourth Circuit determined that the state secrets privilege required dismissal of Wikimedia Foundation’s case against the National Security Agency (NSA) for allegedly spying on Wikimedia’s communications via “upstream surveillance.” Upstream surveillance involves collecting communications as they travel through the internet with the assistance of telecommunications service providers. In Wikimedia Foundation v. National Security Agency, Wikimedia and eight other plaintiffs argued, among other things, that the NSA’s upstream surveillance violated the First and Fourth Amendments. During jurisdictional discovery, however, the NSA invoked the state secrets privilege, permitting it to withhold information if disclosure could harm national security. The Fourth Circuit determined that because there is “simply no conceivable defense” to Wikimedia’s claims that would not also reveal how the NSA conducted upstream surveillance, the court must dismiss Wikimedia’s claims in favor of national security.

• CFPB Requests Comments on Plans to Study Electronic Disclosure on Mobile Devices. On September 10, the period to comment on the Consumer Financial Protection Bureau’s (CFPB) information collection initiative, “Electronic Disclosure on Mobile Devices” closed. The CFPB issued the original request on August 11, in advance of seeking formal approval for the initiative from the Office of Management and Budget. The CFPB intends to conduct several studies using methodologies rooted in psychology and behavioral economics to understand electronic disclosure on mobile devices.

• CFPB Issues Long-Awaited Notice of Proposed Rulemaking on Small Business Lending Data Collection. On September 1, the CFPB issued a 900+-page notice of proposed rulemaking (NPRM) to implement the small business lending data collection requirements under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This rule applies to “covered financial institutions,” which is broadly defined and includes a variety of entities that engage in small business lending. Financial institutions must consider this rule when determining what types of customer information to collect and retain. To read a more detailed summary of the proposal, click here.

• Tims v. Black Horse Carriers, Inc. Ruling Clarifies Statute of Limitations Periods for BIPA Claims. On September 17, the Illinois Appellate Court provided its long-awaited decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), addressing the applicable statute of limitations for claims asserted under Illinois’ Biometric Information Privacy Act (BIPA). The question before the court asked which limitations period should apply to BIPA claims: Illinois’ “catch-all,” five-year limitations period or the one-year limitations period utilized in actions involving a publication “violating the right to privacy.” The court ultimately concluded that claims under Sections 15(c) and (d) of BIPA follow the one-year limitations period, while claims under BIPA Sections 15(a), (b), and (e) enjoy the longer five-year limitations. For more detailed information about the recent ruling, please see our Troutman Pepper legal alert found here.

INTERNATIONAL REGULATION AND ENFORCEMENT

• New UK Standards for Children’s Digital Services Take Effect, Providing Framework for New US Law. On September 2, the U.K.’s Age-Appropriate Design Code (also known as the “Children’s Code) took effect. The Children’s Code denotes a set of 15 flexible standards that apply to online services — such as apps, online games, and web and social media sites — likely to be accessed by children. Notably, U.S. lawmakers have urged online businesses, such as Microsoft, Walt Disney, and Nintendo, to comply with the Children’s Code within the United States. In fact, Rep. Kathy Castor recently introduced an updated Protecting the Information of Our Vulnerable Children and Youth Act (the Kids PRIVCY Act), which incorporates key elements of the Children’s Code to amend the Children’s Online Privacy Protection Act (COPPA). If enacted, the Kids PRIVCY Act would create a protected class of teenagers beyond COPPA’s application (i.e., children ages 13-17) and apply to all sites “likely to be accessed by children and teens,” not just “child-directed” services. The Kids PRIVCY Act would also repeal safe-harbor regulations allowing for industry self-regulation. To read more about the Children’s Code’s 15 flexible standards, click here.

• New EU SCCs Go Into Effect September 27. Beginning September 27, all new data transfer agreements under the General Data Protection Regulation (GDPR) must use the new standard contractual clauses (SCCs) updated in June to reflect the European Union Court of Justice’s Schrems II Organizations have until December 27, 2022, to migrate existing SCC arrangements to incorporate the new SCCs. To read more about the new SCCs, click here.

• EMSA Fines Trade Repository €238,500 for Data Breaches Occurring Over Two-Year Period. The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, imposed a fine of €238,500 against UnaVista Ltd., a UK-based trade repository, for eight violations of the European Market Infrastructure Regulation (EMIR). The EMIR requires trade repositories like UnaVista to regularly provide information to regulators concerning various aspects of their business. According to an ESMA public notice, over a two-year period, UnaVista (1) incorrectly processed data that resulted in incorrect or unreliable regulatory reports, and (2) failed to provide regulators with direct and immediate access to required information. This fine highlights the importance of maintaining adequate data integrity and providing prompt regulatory access.