The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”).  The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers. Continue Reading UK ICO Issues Draft Guidance on Monitoring at Work

Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”) outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022 (as previously discussed here).[1] Continue Reading President Biden Signs Executive Order on New EU-US Data Privacy Framework

Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022. Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices. Continue Reading California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code

On September 5, 2022, following the election of the new UK Prime Minister, the UK Government decided not to proceed with the second reading and other motions relating to the Data Protection and Digital Information Bill (the “Bill”), which was due to have taken place on the same day. According to the Leader of the House of Commons, this Bill was pulled “to allow Ministers to consider the legislation further”. Continue Reading UK’s Data Protection and Digital Information Bill: An Uncertain Direction

On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019. Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance

On May 3, 2022, the European Commission published its proposal for a regulation on the “European Health Data Space”.

The EHDS is a talismanic European healthtech initiative that could revolutionize access to a deeper pool of EU-wide health data and unlock significant tech, AI and data analytics innovation. As a core part of the Commission’s European Data Strategy, the EHDS seeks to tackle legacy systemic issues that have hindered lawful access to electronic health data. The Regulation strives to create a “European Health Union” by strengthening individuals’ access to and portability of their electronic health data and allowing innovators and researchers to process this data through reliable and secure mechanisms. It is worth noting that the EHDS proposal does not create (nor could it feasibly do so) a unitary central EU database of electronic health data, but seeks to facilitate multilateral exchange of such health data from decentralized databases through the EHDS’s regulatory infrastructure.

The EHDS proposal builds upon other recent and contemporaneous EU data and healthcare reforms, such as Regulation (EU) 2017/745 on medical devices, the proposed AI Act, the Data Governance Act, and the proposed Data Act.  It presents a welcome opportunity to resolve areas of uncertainty as to the lawful bases for health data processing under Regulation (EU) 2016/679 and fragmented Member State national laws that might otherwise inhibit “big data” innovation in the European healthcare sector.  However, work remains to be done to reconcile areas of legislative interplay and ensure that data subjects’ GDPR rights remain protected.


After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023, giving covered organizations about 14 months to become compliant. Continue Reading New England’s New Privacy Act: Connecticut Becomes the Fifth State To Enact Comprehensive Data Privacy Act

On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1]  In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including:  (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins. Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team

The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures.[1]  The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly. Continue Reading The SEC’s Climate Proposal – Top Points for Comment

Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and procedures for identifying and managing cybersecurity risks. The proposal, which has a short window for public comment, requires close consideration by public companies and other SEC registrants.
