On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.Continue Reading Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers
ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.Continue Reading ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
The EDPB makes its mind up about transfers
If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here) and, are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.Continue Reading The EDPB makes its mind up about transfers
EU and UK privacy and data predictions for 2023
2022 was another busy year in privacy and data protection. We have seen major new developments at both the EU and the UK level, in terms of new legislation taking effect, changes to the data transfer regime, analytics cookies coming under regulatory spotlight from various EU data protection authorities, and substantial fines issued for breaches of data protection law.
Regulations surrounding privacy and data continue to develop at a rapid pace. Emerging technologies have changed the manner in which personal data is collected and used. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 could be an exciting and a busy year for privacy and data.
We asked some of our Tech & Data team members in the field to get their opinions on what is likely to happen in privacy and data in 2023:Continue Reading EU and UK privacy and data predictions for 2023
‘Mere upset’ insufficient for compensation under the GDPR
On 6 October 2022, the Advocate General (Campos Sánchez-Bordona) issued his opinion in UI v Österreichische Post AG on the interpretation of the rules on civil liability under the GDPR .
He concluded that a data subject must have suffered harm in order to claim compensation, and that breach of the GDPR alone was not sufficient. There is also a distinction to be drawn between mere upset (which does not give rise to a right for compensation) and non-material damage (which does).Continue Reading ‘Mere upset’ insufficient for compensation under the GDPR
Guardians of the Consumer: State AGs team up with FTC and CFPB to protect consumers online – Consumer Protection 2.0: Tech, Threats, and Tools
The 2022 National Association of Attorneys General (NAAG) Presidential Summit, held last week in Des Moines, Iowa, signaled a clear partnership between state AGs, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) to accomplish Iowa AG Tom Miller’s “fight back” presidential initiative: Consumer Protection 2.0: Tech Threats and Tools. Picking up from the 2021 kickoff of Miller’s NAAG initiative this past December, the NAAG Summit featured a variety of speakers from the federal, state, and private sectors, including, most notably, from the FTC and CFPB.Continue Reading Guardians of the Consumer: State AGs team up with FTC and CFPB to protect consumers online – Consumer Protection 2.0: Tech, Threats, and Tools
Only Sheriff in Town? Not so fast: National Association of Attorneys General announces the formation of the Center on Cyber and Technology.
With the continued rapid growth of both technological innovations and the market power of the companies spurring these innovations, calls for greater regulation and enforcement of companies in the technology sector are only growing louder. However, the same question continues to be asked – “how can governments regulate businesses they don’t fully understand?”Continue Reading Only Sheriff in Town? Not so fast: National Association of Attorneys General announces the formation of the Center on Cyber and Technology.
Department for Digital, Culture, Media and Sport launches consultation on app security
On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security
Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action
Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
Continue Reading Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action
U.S. Data Privacy Compliance Roadmap for 2022
There’s no doubt 2022 will be a big year for data privacy compliance with three new laws going into effect in 2023. On January 1, 2023, the California Privacy Rights Act (CPRA) will replace and amend California’s most recent, comprehensive data privacy law, the California Consumer Privacy Act (CCPA), and Virginia’s first extensive privacy law, the Consumer Data Privacy Act (VCDPA), will also go into effect. Six months later, on July 1, 2023, Colorado will make history when its first, robust privacy law, the Colorado Privacy Act (CPA), goes into effect. If keeping up with the acronyms alone is difficult, ensuring compliance will likely take some work.
Continue Reading U.S. Data Privacy Compliance Roadmap for 2022