In news that is likely to concern individuals and privacy activists alike, it has been reported that the NHS booking system for COVID-19 vaccinations has led to complaints that it could be used to reveal the vaccination status of individuals through the use of simple personal information.
The website allows users to book appointments for COVID-19 vaccinations, either by means of their NHS number, or by entering certain basic personal data, (including names, dates of birth and postcodes). The website then provides a variety of responses based on the user’s vaccination status, with different responses being provided based on whether the individual has received no vaccinations, one vaccination, or both. Continue Reading COVID-19 Vaccination Booking Site May Reveal Vaccination Status
The European Commission (EC) may be set to propose extensive new legislation – potentially later this week – which, among other things, would ban the use of facial recognition technology for surveillance purposes and the use of algorithms that influence human behavior, according to recently leaked draft documents. The proposals would also introduce new rules regarding high-risk artificial intelligence (AI).
Building on the momentum of the 
Data security notification requirements could become much stricter under a proposed rulemaking from the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. The proposal, published January 12, 2021, would impose new security incident notification requirements on federally regulated “banking organizations” and, notably, their service providers. If adopted, the proposed rule would expand upon existing notification requirements—adding a 36-hour notice window—and would, for the first time, impose direct notification obligations on service providers. 
Florida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action. As with some many other state laws, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action. 
On Thursday, April 22, the Supreme Court released a unanimous decision holding that the Federal Trade Commission’s authority under Section 13(b) of the FTC Act does not grant the agency the right to seek equitable monetary relief such as disgorgement or restitution. The opinion, authored by Justice Breyer, held that the section only permits prospective injunctive relief. The import of this decision is that the FTC, in order to obtain monetary relief for unfair and deceptive trade practices, must first utilize its administrative procedures and can no longer seek such relief directly through a lawsuit in the federal courts. 
In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.