Privacy & Information Security Law Blog

On November 17, 2021, the Senate Committee on Commerce, Science, and Transportation held its confirmation hearing on FTC Commissioner nominee, Alvaro Bedoya.

On November 14, 2021, the U.S. Department of the Treasury announced a bilateral cybersecurity partnership with the Israeli Ministry of Finance “to protect critical financial infrastructure and emerging technologies” and combat the use of ransomware. The initiative includes the launch of a U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity (the “Task Force”), which seeks to advance the twin goals of encouraging fintech innovation while protecting against cyber threats from nation-state and criminal actors.

On November 5, 2021, the Federal Trade Commission suggested two preventative steps small businesses can take to protect against ransomware risks:

On November 8, 2021, New York Governor Kathy Hochul signed into law A.430/S.2628 (the “Act”), which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer.

On November 5, 2021, IAB Europe (“IAB EU”) announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework (“TCF”). The TCF is a GDPR consent solution built by IAB EU that has become a widely used approach to collecting consent to cookies under the GDPR. The draft ruling is expected to find that the TCF does not comply with the GDPR, in part because IAB EU acts as a controller, and the digital signals the TCF creates to capture individuals’ consent to cookies are personal data under the GDPR. Because IAB EU does not consider itself a controller with respect to the TCF, it does not currently comply with the GDPR’s controller obligations.

On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) announced Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities (the “Directive”), establishing a CISA-managed catalog of vulnerabilities and compelling federal agencies to remediate such vulnerabilities on government information systems. The Directive targets vulnerabilities that pose a significant risk to the federal government and applies to all software and hardware found on federal information systems, including those managed on an agency’s premises, as well as those hosted by third parties on an agency’s behalf. The Directive is the latest in a series of executive branch efforts to address U.S. cybersecurity in the public and private sectors.

On November 8, 2021, law enforcement agencies in both the United States and European Union announced that a series of actions, including a number of arrests, were taken against the Russia-linked ransomware group, “REvil.” The U.S. Department of Justice (the “DOJ”) unsealed documents relating to an August indictment against two individuals in Dallas for alleged involvement in REvil ransomware attacks against several U.S. businesses. The European authorities, Europol, also announced that police in Romania and South Korea had arrested five people alleged to be REvil affiliates.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps available for download in the Apple App Store and Google Play Store, respectively. As described further below, Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit to the Google Play Store Data Safety forms and Privacy Policies by April 2022.

On November 2, 2021, Facebook parent Meta Platforms Inc. announced in a blog post that it will shut down its “Face Recognition” system in coming weeks as part of a company-wide move to limit the use of facial recognition in its products. The company cited the need to “weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.”