Privacy & Information Security Law Blog

In July 2022, Maria Ostashenko from ALRUD Law Firm reports that the Russian Parliament passed, and the President of the Russian Federation signed into law, major reforms in data protection and information governance. The reforms include:

• Significant changes to Federal Law No. 152-FZ on Personal Data, including the scope of its application, new rules for cross-border transfer of personal data, data breach notifications, and additional protections for data subjects;
• New amendments to the Unified Biometric System regulations;
• Establishment of a countersanction-information ...

Stephen Mathias from Kochhar & Co. reports that, on August 3, 2022, the Government of India withdrew the Indian Data Protection Bill (the “Bill”) that was pending before the Indian Parliament. As we previously reported, the Bill was expected to be tabled during the Monsoon session of Parliament, which commenced on July 18, 2022. While the Government was contemplating making certain changes to the existing Bill, it is now considering drafting fresh legislation, including a bill that addresses a broader range of issues in the digital ecosystem beyond data protection alone.

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board held a special public meeting to discuss agency staff’s recommendations that the Board formally oppose the draft federal American Data Privacy and Protection Act (“ADPPA”). The latest version of the ADPPA recently was voted out of the U.S. House Energy and Commerce Committee, and is set to advance to the House Floor.

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On July 24, 2022, the Financial Express published an article on Rajeev Chandrasekhar, the Indian Minister of State for Electronics and Information Technology, noting that the introduction of the Indian Data Protection Bill (the “Bill”) before Parliament will be delayed by a few months. The Bill was expected to be tabled during the Monsoon Session of Parliament, which commenced on July 18, 2022.

On July 22, 2022, companies are required to notify the Arizona Department of Homeland Security when they experience a data breach impacting more than 1,000 Arizona residents. This notification requirement is in addition to obligations to notify affected individuals, the Arizona state attorney general and the three largest national consumer reporting agencies. The notification to the Arizona Department of Homeland Security must be made within “45 days after a determination that there has been unauthorized acquisition and access that materially compromises the security or ...

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold a remote, special public meeting at 9AM PDT to discuss possible action on proposed federal privacy legislation, including the American Data Privacy and Protection Act (“ADPPA”), according to the Board’s publicly released agenda.

On July 1, 2022, amendments to Florida’s State Cybersecurity Act (the “Act”) took effect, imposing certain ransomware reporting obligations on state agencies, counties and municipalities and prohibiting those entities from paying cyber ransoms.

On July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce (the “Committee”) passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2. The ADPPA next will be put before the full House for a vote.

Following the ruling in Dobbs, the National Institutes of Health’s (“NIH’s”) certificates of confidentiality offer an important layer of privacy protection to reproductive health research data. The Public Health Service Act created the certificates of confidentiality program, which prohibits the disclosure of identifiable, sensitive research data “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding” without the research subject’s consent. These certificates add a layer of protection to abortion and fertility data collected as part of NIH research.