Aon  |  Professional Services Practice

Go With the (Data) Flow:
Top Privacy Developments from 2023

Release Date: December 2023

Key developments over the last few years have highlighted the importance of information privacy, and one of the most significant has been the growth in regulatory oversight. The data privacy sphere is vitally important to professional service firms because they handle vast amounts of confidential client data. This article provides an overview of the 2023 developments.


Key Takeaways

  • There continue to be rapid developments in the data privacy sphere that contribute to professional service firm risk.
  • Regulatory oversight is increasing, with regulators worldwide looking to the EU’s GDPR as a “global standard”.
  • A summary of 2023 developments helps professional service firms understand the risk and make better data privacy decisions.

EU-US Data Flow Resumes

The EU-US Data Privacy Framework replaced the defunct EU-U.S. Privacy Shield.

In July 2023, three years after the invalidation of the EU-U.S. Privacy Shield, a new mechanism to facilitate the free flow of information was agreed. The EU-U.S. Data Privacy Framework includes many new safeguards to protect the personal information of EU residents, notably empowering Europeans with the right to challenge how their data is processed.

According to the European Data Protection Board (EDPB) the agreement displayed “substantial improvements” compared with its predecessor. Nevertheless, prominent privacy activist Max Schrems vowed to challenge the accord in court, claiming the deal did not include sufficient privacy protection for EU residents.

An extension to the EU-U.S. agreement will also help ensure the free flow of data from the UK to the U.S. Beginning in October 2023, a UK-U.S. “data bridge” allows for personal data from the UK to be transferred to U.S. organizations, provided certain conditions have been met.


Seems a bit Phishy!

A new wave of phishing attacks involving the accounting software QuickBooks has been branded “business email compromise 3.0” or “BEC 3.0”. Hackers send fake invoices through QuickBooks to fool victims into relinquishing login or payment data. Because the messages originate from the legitimate QuickBooks service, the BEC 3.0 phishing emails are largely able to pass email authentication and domain checks, placing added pressure on email recipients to recognize and thwart the phishing activity themselves.

Beyond the abuse of legitimate software platforms, the use of artificial intelligence (AI) has reportedly led to a rise in ransomware attacks. Industry experts link the surge in ransomware incidents to AI automation tools, which enable a higher frequency of attacks with less effort or preparation. AI is also being used to generate new forms of malware more quickly, and that malware is also more difficult to detect.


Focus on BIPA & Biometric Data

The Biometric Information Privacy Act (BIPA) introduced by the state of Illinois in 2008 has generated a lot of attention. The statute “regulates the collection, use and handling of biometric information by private entities”. Biometric identifiers include “facial features, voice patterns, fingerprints” and retina scans. With technological advancements having allowed for the increased use of biometric information, businesses need to be mindful of the associated risk of BIPA-related claims, including Employee Practice Liability matters.

Though Washington and Texas have also enacted state-level biometric privacy laws, only BIPA grants individuals a private right of action.

In September 2023, a confidential settlement was reached in BNSF Railway Co. (BNSF), the first BIPA case to go to trial. BNSF agreed to settle claims that it had unlawfully collected drivers’ fingerprints for identification purposes without obtaining proper consent. A US$228 million judgment against BNSF had been vacated in June 2023 following a precedent-setting decision of the Illinois Supreme Court, in which the court ruled that damages under BIPA were “discretionary”.

In February 2023, the Illinois Supreme Court clarified that the statute of limitations for all BIPA claims was five years, thereby overturning an appellate court’s ruling that the period should be one year for certain types of claims. An increase in BIPA-related claims has been noted following these two decisions of the Illinois Supreme Court.


GDPR Turns Five!

The General Data Protection Regulation (GDPR) entered into force on May 25, 2018.

Five years after its entry into force, the GDPR’s impact on the European and international data privacy landscape is still palpable. Many companies around the world have adopted the GDPR as a “global standard” for data privacy and many countries have enacted GDPR-like legislation.

The potential to generate big fines ensured business leaders’ attention well before GDPR’s 2018 entry into force. Five years later, significant GDPR fines continue, recent examples including Ireland’s Data Protection Commission (DPC) imposing fines against Facebook parent company Meta (€1.2 billion) and TikTok (€345 million).

The enforcement action against Meta resulted in the largest fine under GDPR, surpassing the Luxembourg data regulator’s 2021 fine against Amazon (€746 million). Meta was sanctioned for not ensuring the proper security safeguards when transferring data from the EU to the U.S. The fine against TikTok was for failing to protect the personal information of children.

A May 2023 decision of the European Court of Justice (ECJ) may have opened the door to an increase in GDPR litigation. The ECJ ruled that plaintiffs have the right to compensation for “non-material, or non-economic” damages, even when such damage does not reach a “certain level of seriousness”. Industry experts claim that the court’s decision could lead to more data breach lawsuits, as it lowers the threshold for the types of damages that plaintiffs can claim.


Rapid-Fire: Data Privacy Legislation Roundup

  • In August 2023, India passed the Digital Personal Data Protection Bill, which provides for the protection of online data and the regulation of the internet in the world’s most populous country.

  • In July 2023, Oregon became the 12th state to enact consumer data privacy legislation. Unlike most other state-level consumer privacy laws, the Oregon Consumer Privacy Act (OCPA) will apply to nonprofit organizations.

  • As of September 2023, the following U.S. states have enacted comprehensive consumer privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia.

  • Canada’s GDPR-inspired overhaul of its data privacy legislation, the Digital Charter Implementation Act (Bill C-27), is still being reviewed by Parliament.


The Professional Services Practice will continue to monitor major developments relating to the data privacy landscape.
Contact


If you would like to discuss any of the issues raised in this article, please contact Daniel Hacikyaner.

Jake Delman
Daniel Hacikyaner
Vice President and Director
Montreal
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.