Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022. Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices. Continue Reading California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
On September 5, 2022, following the election of the new UK Prime Minister, the UK Government decided not to proceed with the second reading and other motions relating to the Data Protection and Digital Information Bill (the “Bill”), which was due to have taken place on the same day. According to the Leader of the House of Commons, this Bill was pulled as “to allow Ministers to consider the legislation further”. Continue Reading UK’s Data Protection and Digital Information Bill: An Uncertain Direction
On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019. Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance
On May 3, 2022, the European Commission published its proposal for a regulation on the “European Health Data Space”.
The EHDS is a talismanic European healthtech initiative that could revolutionize access to a deeper pool of EU-wide health data and unlock significant tech, AI and data analytics innovation. As a core part of the Commission’s European Data Strategy, the EHDS seeks to tackle legacy systemic issues that have hindered lawful access to electronic health data. The Regulation strives to create a “European Health Union” by strengthening individuals’ access to and portability of their electronic health data and allowing innovators and researchers to process this data through reliable and secure mechanisms. It is worth noting that the EHDS proposal does not to create (nor could it feasibly do so) a unitary central EU database of electronic health data, but seeks to facilitate multilateral exchange of such health data from decentralized databases through the EHDS’s regulatory infrastructure.
The EHDS proposal builds upon other recent and contemporaneous EU data and healthcare reforms, such as Regulation (EU) 2017/745 on medical devices, the proposed AI Act, the Data Governance Act, and the proposed Data Act. It presents a welcome opportunity to resolve areas of uncertainty as to the lawful bases for health data processing under Regulation (EU) 2016/679 and fragmented Member State national laws that might otherwise inhibit “big data” innovation in the European healthcare sector. However, work remains to be done to reconcile areas of legislative interplay and ensure that data subjects’ GDPR rights remain protected.
Please click here to read the full alert memorandum.
After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023 giving covered organizations about 14 months to become compliant. Continue Reading New England’s New Privacy Act: Connecticut Becomes the Fifth State To Enact Comprehensive Data Privacy Act
On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions. In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including: (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins. Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team
The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures. The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly. Continue Reading The SEC’s Climate Proposal – Top Points for Comment
Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and procedures for identifying and managing cybersecurity risks. The proposal, which has a short window for public comment, requires close consideration by public companies and other SEC registrants.
Please click here to read the full alert memorandum.
After nearly two years of detailed negotiations, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework (the “Framework”) to re-establish an important legal mechanism to effectuate cross-border transfers of personal data from the EU to the U.S. The Framework is hoped to address concerns raised by the decision of the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (2020) (“Schrems II”). Continue Reading Schrems III? The European Commission and U.S. Government Announce New Trans-Atlantic Data Privacy Framework
Following the lead of California, Virginia and Colorado (as previously discussed here, here and here respectively), on March 24, 2022, Utah became the fourth state to enact an omnibus privacy law, creating compliance obligations for businesses that collect and process personal data of Utah residents and providing such residents more control over their data.
Continue Reading Businesses Buzzing With News of Utah’s New Comprehensive Privacy Law