Meta Ireland (Meta) has recently been issued with two fines by the Irish Data Protection Commission (DPC) for breaches of the EU General Data Protection Regulation (GDPR) relating to advertisements run on its Facebook and Instagram services. The decisions highlight some fundamental issues for all data controllers in respect of identifying the appropriate legal basis for their data processing operations and the need to be transparent about how personal data is used. The decisions also reveal some core differences in approach between the DPC, the Irish national privacy regulator in this case, and the European Data Protection Board (EDPB). This signals the likelihood of ongoing wrangling between the various European data regulators as they seek to interpret the decisions and as the decisions are (inevitably) challenged through the courts.
The penalty imposed against Meta Ireland
The substantial fines of €210m (approximately $223m) with respect to Facebook and €180m (approximately $191m) with respect to Instagram reflect the consolidated turnover of the Meta group and the level of fines which, in the EDPB’s view, are required to be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. Meta now has 3 months to take corrective action and amend its privacy policies (including identifying an appropriate legal basis for processing) and its operations to bring its data processing in line with the GDPR.
Continue reading “Meta Fines Expose EU Regulators’ Differences and Highlight Fundamental Issues for Data Controllers”
Prompted by a rapid increase in frequency, sophistication, and scale of data leaks and data breach legislation in recent years, the Federal Communications Commission (FCC) unanimously voted to kick off a proceeding aimed at adopting new proposals to update data breach response obligations involving Customer Proprietary Network Information (CPNI). These proposals aim to ensure timely notification to affected customers, the FCC, and federal law enforcement agencies and require effective measures to mitigate and prevent harm.
CPNI is a subset of personal information about telecommunications carriers’ customers, and the FCC has maintained rules about safeguarding the confidentiality of CPNI data for many years. Examples of CPNI are rate plan, minutes used, type of services subscribed to, type of device, location information, call detail records, and other proprietary information about a customer’s telecommunications services accounts.
Continue reading “Keeping Pace with Today’s Challenges: FCC Proposes New Data Breach Rules for CPNI”
In October 2022, the U.K. Medicines and Healthcare products Regulatory Agency (MHRA) published its Guidance, Software and AI as a Medical Device Change Programme – Roadmap, setting out how it will regulate software and AI medical devices in the U.K. by balancing patient protection and providing certainty to industry.
Background to the Reforms
The MHRA initially announced the Software as a Medical Device (SaMD) and Artificial Intelligence as a Medical Device (AIaMD) Change Programme in September 2021, designed to ensure that regulatory requirements for software and AI are clear and patients are kept safe. This builds on the broader reform of the medical device regulatory framework detailed in the Government response to consultation on the future regulation of medical devices in the United Kingdom, which recently saw its timetable for implementation extended by 12 months to July 2024.
Continue reading “Update: AI Regulation in the U.K. — New Government Approach”
In this edition of Faegre Drinker’s State Attorneys General Update, we discuss:
Arizona AG Enters $85 Million Settlement With Google for Alleged Improper Use of Consumer Location Data
Google agreed to an $85 million settlement for alleged violations of Arizona’s Consumer Fraud Act. Specifically, the Arizona AG alleged that Google violated the Act by building “coercive design tactics used to manipulate users’ behavior,” known as “dark patterns,” into its Android phone software. In this instance, the AG alleged that Google created misleading settings, so even if a consumer turned off location tracking in the “Location History” menu, location data would still be tracked and used to sell advertisements through other settings — specifically, the “Web & App Activity” menu.
Continue reading “State AG Updates: Arizona, Texas, California, North Carolina, Washington, New York and an AG Coalition”
Last week, the first jury trial under the Illinois Biometric Privacy Act (BIPA) resulted in a $228 million verdict in favor of the plaintiff and the class.
The case, Rogers v. BNSF Railway Co., was filed in May 2019 and was pending in the U.S. District Court for the Northern District of Illinois. A class was certified in March 2022. Plaintiff alleged that BNSF unlawfully scanned his and other truck drivers’ fingerprints for identity verification when he and they visited BNSF rail yards. He claimed the company took this scan without written notice or consent as required under BIPA. BNSF argued, among other things, that the third-party vendor it hired to control gate access was the only party to collect drivers’ fingerprints, and that BNSF therefore had not independently violated BIPA.
Pretrial briefing in the case was extensive. Each side filed several motions in limine seeking to bar or include certain evidence in the trial. For example, Plaintiff found several references to the use of “biometrics” or “biometric identities” on BNSF’s website that they alleged were responsive to former document requests. Anticipating objections from BNSF, Plaintiff filed a preemptive motion asking the court to permit them to introduce these exhibits at trial. Plaintiff was able to use this information at the trial and suggest that BNSF was aware of the biometric collection and that BNSF itself was collecting the information.
Continue reading “First Biometric Information Privacy Act Trial Results in $228M Verdict”
At a time when an online presence is just as crucial as a business’s physical assets, it is more important than ever to proactively protect and maintain your organization’s brand and identity. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss discusses strategies and solutions to protect your brand with intellectual property partner Tore DeBella.
The conversation tackles a number of questions, including:
- How do we protect a company’s brand and how does that affect the organization’s identity?
- What are the primary ways bad actors can attack a company’s brand or identity online?
- How can an organization protect their domain?
- What steps can clients take to protect their brands and identities online?
Continue reading “Protecting Your Internet Brand and Online Identity – Faegre Drinker on Law and Technology Podcast”