The 2022 National Association of Attorneys General (NAAG) Presidential Summit, held last week in Des Moines, Iowa, signaled a clear partnership between state AGs, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) to accomplish Iowa AG Tom Miller’s “fight back” presidential initiative: Consumer Protection 2.0: Tech Threats and Tools. Picking up from the 2021 kickoff of Miller’s NAAG initiative this past December, the NAAG Summit featured a variety of speakers from the federal, state, and private sectors, including, most notably, from the FTC and CFPB.
Regulatory
UK announces plan to regulate critical third parties to the financial sector
The UK HM Treasury recently published its proposal for regulating critical third parties (“CTP”) to the finance sector, which was followed by the UK financial regulators’ joint Discussion Paper.
Why regulating CTPs is necessary
Regulating CTPs to the financial sector is by no means a new concept. The EU’s Digital Operational Resilience Act (“DORA”), which looks to regulate critical Information Communication Technologies (“ICT”) service providers to the financial sector, has been provisionally agreed. …
Government releases proposals to reform UK data protection laws
On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The intention of the reforms is to enable greater use of personal data in support of economic growth, by removing barriers and reducing obstacles for organisations, whilst maintaining high standards of personal data protection and EU adequacy.…
ICO enforcement actions in Q1 2022
In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k – £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last related to a ransomware attack: although the controller was itself the victim of a malicious cybercrime, it was penalised for a failure to address known vulnerabilities and to prevent the ransomware attack in time.…
Only Sheriff in Town? Not so fast: National Association of Attorneys General announces the formation of the Center on Cyber and Technology.
With the continued rapid growth of both technological innovations and the market power of the companies spurring these innovations, calls for greater regulation and enforcement of companies in the technology sector are only growing louder. However, the same question continues to be asked – “how can governments regulate businesses they don’t fully understand?”…
UK regulators publish two discussion papers on algorithmic systems
On 28 April 2022, the UK Digital Regulation Cooperation Forum (DRCF) published two discussion papers on the benefits and harms of algorithms and on the landscape of algorithmic auditing and the role of regulators, respectively.
About DRCF
The DRCF brings together four UK regulators, the Competition and Markets Authority, Ofcom, the Information Commissioner’s Office and the Financial Conduct Authority, to support regulatory cooperation in digital markets.…
Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)
The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:
SEC proposes cybersecurity rules for registered funds and investment advisers
The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
…
Additional cybersecurity measure proposed for CIP Reliability Standards
In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) with imposing additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems in its Critical Infrastructure Protection (CIP) Reliability Standards.
German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization
On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.
…