Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.

  1. The Washington Privacy Act has taken another step forward, having passed through the Washington State Senate, and is now set for consideration in the House of Representatives later this week. The bill is heavily influenced by the California Consumer Privacy Act and the EU General Data Protection Regulation, and has received extensive support from both lawmakers and the private sector. Among other things, the bill would give residents of Washington state rights to access, correct and delete their personal information, while also restricting certain uses of facial-recognition technology.
  2. A bipartisan federal bill was introduced in the U.S. Senate that would require companies to obtain explicit consent before collecting or sharing facial recognition data of individuals. The bill also includes requirements for third-party testing of facial recognition technology for signs of bias before releasing it to the market. The bill has received support in the private sector as well, with Microsoft President Brad Smith stating that while facial recognition technology provides many benefits and should continue to be developed, it “needs to be regulated to protect against acts of bias and discrimination, preserve consumer privacy, and uphold our basic democratic freedoms.”
  3. A new internet-of-things bill is set to be introduced in the U.S. Senate and House. The bipartisan Internet of Things Cybersecurity Improvement Act would require devices purchased by the U.S. government to meet minimum security requirements, and would mandate the U.S. National Institute of Standards and Technology (or “NIST”) and the Office of Management and Budget to collaborate on the creation of new guidelines for federal agencies to follow. Coincidentally, the bill is arriving during a time of ongoing litigation between the Chinese tech company Huawei and the U.S. government regarding the constitutionality of a ban on U.S. government agencies purchasing Huawei devices, a result of concerns about the devices being vulnerable to surveillance by the Chinese government.
  4. The European Data Protection Board held its eighth plenary session, where it adopted its opinion on the interplay between the ePrivacy Directive and the GDPR, and called for EU lawmakers to increase their efforts to adopt the ePrivacy Regulation, which they stated is essential to completing the EU’s data protection framework. The session also included the adoption of opinions on Spain and Ireland’s draft lists of processing activities that would require a data protection impact assessment under the GDPR; as well as discussion around draft guidelines on territorial scope, standard contractual clauses, and more.
  5. A recent freedom of information request filed with the UK Information Commissioner’s Office revealed that prior to the GDPR, businesses waited an average of three weeks after detecting a breach before reporting it to authorities, and an average of two months (and in some cases, over three years) before even realizing that a breach had occurred. Moreover, 93% of companies reviewed were found to have not assessed or specified the impact of these breaches when reporting them. It’s clear that these numbers have changed drastically over the past year, however, as there has been an exponential increase in breaches being reported since the GDPR came into effect: a result of the GDPR’s 72-hour notification requirement and the risk of severe financial penalties for noncompliance.
  6. The Dutch data protection authority has published a policy for administering fines under the GDPR. The policy consists of a four-tiered structure for fines based on the severity of the violation, ranging from the first category, with fines of zero to two hundred thousand euros, to the fourth category, with fines of up to one million euros. The policy also gives the authority discretion to administer more severe fines, reserved for especially egregious cases that do not fit into one of the four categories.

That’s all for today. Thanks for watching Last Week in Privacy, helping you to prepare for this week in privacy. See you next time.