Data & Privacy Update: Biometric, Ransomware, PIPEDA and EU-UK Data Transfers

2021 promises to be an exciting year in the data and privacy space. With the adoption of technologies that collect, analyze, aggregate, distribute and share data, and the implementation of new laws and regulations in response, businesses need to be aware of the impact these developments will have on current and future operations.

The following is a summary of recent developments in this evolving area of law.

University subject to class action lawsuit in connection with students’ biometric data.  Northwestern University (“Northwestern”) was named in a lawsuit that alleges that it failed to properly notify students about the collection, use and storage of biometric data through online test proctoring systems as required under the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Northwestern failed to comply with BIPA with respect to “facial recognition data, facial detection data, recorded patterns of keystrokes, eye monitoring data, gaze monitoring data, and camera and microphone recordings” collected through online testing.

U.S. Customs and Border Protection (CBP) reopens Notice of Proposed Rulemaking for Collection and Use of Biometric Data. The CBP announced that the comment period for the Notice of Proposed Rulemaking (NPRM) for the Department of Homeland Security’s (DHS) biometric entry and exit system (the “Proposed Rule”) had been reopened until March 12, 2021. The Proposed Rule would amend the DHS entry/exit regulations requiring foreign travelers to take photographs upon entry to and/or departure from the United States. It would also amend the DHS entry/exit regulations to eliminate references to pilot programs and associated limitations to permit the collection of photographs or other biometrics from non-U.S. travelers departing from airports, land ports, seaports or any other authorized point of departure. According to the report, the rulemaking had been reopened due to CBP’s commitment to “privacy principles and transparency”.

Cybersecurity guidelines recommend against making ransomware payments. The New York Department of Financial Services (DFS) has taken a leadership role in developing cybersecurity regulations for the financial services industry. Many of the principles in the regulations are well suited for other industries. Earlier this month, DFS published Insurance Circular Letter No. 2 (2021), that includes a Cyber Insurance Risk Framework outlining practices for managing cyber insurance risk. One item of note - DFS recommends against making ransomware payments claiming it creates a vicious cycle of ransomware, as cybercriminals use the payments to fund additional ransomware attacks.

Canadian agency finds popular facial recognition software violates data protection law. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires an individual’s consent to the collection, use and disclosure of personal information. Clearview AI, Inc. (“Clearview”) collects images of faces posted online and then runs the images through facial recognition software to facilitate use by law enforcement. PIPEDA contains a number of exceptions in which an individual’s consent to collection and use of personal information is not required. However, in a joint report (PIPEDA Report of Findings #2021-001), several federal and provincial data protection offices stated that Clearview’s collection and use of the images taken off the internet without consent were illegal.

European Commission adopts draft adequacy decisions for transfers of data from the EU to the UK. On February 19, the European Commission published two draft adequacy decisions pertaining to the transfer of personal data to the United Kingdom from the European Union. These drafts are subject to further review by the European Data Protection Board (EDPB) and a committee of representatives of the EU Member States before adoption by the European Commission.

Stay tuned for more legal developments related to data management, including privacy and data protection, cybersecurity, intellectual property rights and data quality. Please contact Kevin Pomfret (703.760.5204 | kpomfret@williamsmullen.com) with any questions.