
European Commission adopts EU-U.S. adequacy decision

Julie Rubash, Chief Privacy Counsel
July 10, 2023


United States


Washington AG’s Office Issues My Health My Data FAQs

The Washington Attorney General’s Office published, “for general educational purposes,” a list of FAQs regarding the My Health My Data Act, most of which goes into effect March 31, 2024 (one section regarding geofencing goes into effect for everyone in July 2023, and small businesses are not subject to the remainder of the law until June 30, 2024).

Although the FAQs specify that they should not be relied upon regarding specific applications of the law, they do clarify certain ambiguities.

For example, according to the FAQs, an entity that only stores data in Washington (and does not otherwise conduct business in Washington or provide products or services targeted to Washington) is not subject to the law.

Additionally, the mere purchase of toiletries (e.g., deodorant or toilet paper) ordinarily would not be considered consumer health data, according to the FAQs, if it is not used to identify or make inferences about a consumer’s past, present or future physical or mental health status.

In contrast, an app that tracks someone’s digestion or perspiration, or a company that uses product purchase data to assign a “pregnancy prediction score,” would, for example, be processing consumer health data.

TAKEAWAY

Although these FAQs may be helpful in understanding the interpretation (and likely enforcement) of this law by the Washington Attorney General’s Office, it’s important to keep in mind that these FAQs are not law, and the Attorney General’s Office is not the only means of enforcement under the law.

The My Health My Data Act includes a private right of action, and the plaintiff’s bar (and courts) will not necessarily apply the same interpretations. 

Europe

US Adequacy Decision Officially Approved and Effective July 11

A committee made up of EU Member State representatives voted in favor of approving the European Commission’s draft adequacy decision on the EU-US Data Privacy Framework.

24 Member States approved, and 3 Member States abstained from the vote.

The European Commission then officially adopted the final adequacy decision, which will go into effect July 11. 

TAKEAWAY

Once effective, European companies will be able to rely on the decision for trans-Atlantic data transfers. 

CJEU Rules on Data Collection From Properties Related to Special Categories

The Court of Justice of the European Union, in response to a request for preliminary ruling from the Dusseldorf Higher Regional Court, held that the collection of data by the operator of an online social network from user visits to third-party websites/apps to which one or more “special categories” relate, and subsequent use of the data by the operator, must be regarded as “processing of special categories of personal data” within the meaning of the GDPR, where that data processing allows information falling within one of the special categories to be revealed.

In this case, the “online social network” in question was Meta, and “special categories” can include racial or ethnic origin, political opinions, religious beliefs, health, sex life or sexual orientation, etc.

The CJEU also held that the prohibitions regarding the processing of special categories of data under the GDPR apply “independent of whether or not the information revealed by the processing operation in question is correct and of whether the controller is acting with the aim of obtaining information that falls within one of the special categories”.

TAKEAWAY

Although this ruling is specific to the collection and processing of data by operators of social networks, it may provide insight into the CJEU’s interpretation of special categories of personal data generally, particularly with respect to the collection of data from third-party sites or apps related to special categories.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
