Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”) as well as an existing FTC 2019 consent order (the “2019 Order”) alleging violations of the same.[1]
Continue Reading DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection ActCybersecurity Law Enters Into Force
On July 17, 2024, Law No. 90/2024 containing provisions for strengthening national cybersecurity and addressing cybercrime (the “Cybersecurity Law”) entered into force.
Continue Reading Cybersecurity Law Enters Into ForceFTC Announces Reforms to the Health Breach Notification Rule
On April 26, 2024, the Federal Trade Commission (“FTC” or the “Commission”) announced changes to the Health Breach Notification Rule (“HBNR”), which requires certain entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers, the FTC, and, in some cases, the media of breaches of unsecured personally identifiable health data.[1] The final rule seeks to address technological and industry advancements since the original HBNR was adopted in 2009 by clarifying the rule’s applicability to direct-to-consumer health technologies (such as fitness trackers) which have proliferated in recent years. The final rule also expands the information that covered entities must provide to consumers when notifying individuals of a data breach.
Continue Reading FTC Announces Reforms to the Health Breach Notification RuleEHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next Steps
In our Alert Memorandum of 19 July 2022 (available here), we outlined the European Commission’s (the “Commission”) proposal for a regulation on the “European Health Data Space” (the “Regulation” or the “EHDS”). The proposal, which was published in May 2022, is the first of nine European sector- and domain-specific data spaces set out by the Commission in 2020 in the context of its “European strategy for data”.
Continue Reading EHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next StepsCongress Releases American Privacy Rights Act Discussion Draft
After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1] The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation that has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.
Continue Reading Congress Releases American Privacy Rights Act Discussion DraftEU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond
On March 7, 2024, the Court of Justice of the European Union (the “CJEU”) handed down its judgment in the IAB Europe case, answering a request for a preliminary ruling under Article 267 TFEU from the Brussels Market Court.[1] The case revolves around IAB Europe’s Transparency and Consent Framework (“TCF”) and has been closely monitored by the AdTech industry ever since the Belgian DPA investigated and subsequently imposed a 250,000 euro fine on IAB Europe for alleged breaches of GDPR and e-Privacy rules back in 2022.[2]
Continue Reading EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyondBiden Administration Executive Order Targets Bulk Data Transactions
The Biden administration recently issued Executive Order 14117 (the “Order”) on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Building upon earlier Executive Orders[1], the Order was motivated by growing fears that “countries of concern” may use artificial intelligence and other advanced technologies to analyze and manipulate bulk sensitive personal data for nefarious purposes. In particular, the Order notes that unfettered access to American’s bulk sensitive personal data and United States governmental data by countries of concern, whether via data brokers, third-party vendor agreements or otherwise, may pose heightened national security risks. To address these possibilities, the Order directs the Attorney General to issue regulations prohibiting or restricting U.S. persons from entering into certain transactions that pose an unacceptable risk to the national security of the United States. Last week, the Department of Justice (“DOJ”) issued an Advance Notice of Proposed Rulemaking, outlining its preliminary approach to the rulemaking and seeking comments on dozens of issues ranging from the definition of bulk U.S. sensitive personal data to mitigation of compliance costs.
Continue Reading Biden Administration Executive Order Targets Bulk Data TransactionsNew Privacy Laws Enacted in New Jersey and New Hampshire
On January 16, 2024, New Jersey officially became one of a growing number states with comprehensive privacy laws, as Governor Phil Murphy signed Senate Bill 332 (the “New Jersey Privacy Act”) into law.[1] New Hampshire followed closely behind, with its own comprehensive privacy law, Senate Bill 255 (the “New Hampshire Privacy Act” and, together with the New Jersey Privacy Act, the “Acts”), signed into law by Governor Chris Sununu on March 6, 2024.[2]
Continue Reading New Privacy Laws Enacted in New Jersey and New HampshireProposed Rulemaking by U.S. Department of Commerce Introduces New Obligations on U.S. IaaS Providers and Foreign Resellers to Curb Malicious Cyber-Enabled Activities
On January 29, 2024, the U.S. Department of Commerce (“Commerce”) published a notice of proposed rulemaking (the “Notice”) seeking comments on proposed rules promulgated by Commerce’s Bureau of Industry and Security (“BIS”) and newly-created Office of Information and Communications Technology and Services to implement Executive Order 14110, the Biden Administration’s October 2023 executive order on artificial intelligence (“AI”) (“E.O. 14110”, see our prior alert here)[1]. The Notice also implements Executive Order 13984, a 2021 executive order relating to malicious cyber-enabled activities (“E.O. 13984”) (with respect to which Commerce had already issued an advanced notice of proposed rulemaking)[2].
Continue Reading Proposed Rulemaking by U.S. Department of Commerce Introduces New Obligations on U.S. IaaS Providers and Foreign Resellers to Curb Malicious Cyber-Enabled ActivitiesNexus of AI, AI Regulation and Dispute Resolution
The rapid development of AI is introducing new opportunities and challenges to dispute resolution. AI is already impacting the document review and production process, legal research, and the drafting of court submissions. It is expected that the use of AI will expand into other areas, including predicting case outcomes and adjudicating disputes. However, the use of AI in litigation also bears risk, as highlighted by a recent First-tier Tribunal (Tax) decision, where an appellant had sought to rely on precedent authorities that, in fact, were fabricated by AI (a known risk with AI using large language models, referred to as hallucination).[1] While, in this particular case, no further consequences seemed to follow (in light of the fact that the appellant, a litigant in person, “had been unaware that the AI cases were not genuine and that she did not know how to check their validity”[2]), the Tribunal did highlight that “providing authorities which are not genuine and asking a court or tribunal to rely on them is a serious and important issue”,[3] suggesting that litigants may incur certain risks by relying on authorities suggested by AI, unless these are independently verified. On 12 December 2023, a group of senior judges, including the Master of the Rolls and the Lady Chief Justice, issued guidance on AI for judicial office holders, which, amongst other things, discourages the use of AI for legal research and analysis and highlights the risk of AI being relied on by litigants to provide legal advice and/or to produce evidence.[4]
Continue Reading Nexus of AI, AI Regulation and Dispute Resolution