Data Privacy, Cybersecurity, and Artificial Intelligence Insights from Relic Law’s Attorneys & Experts


Intelligence Feed: January 2024


NIST Publishes Genomic Data Security Report
The U.S. National Institute of Standards and Technology National Cybersecurity Center of Excellence released a report focusing on cybersecurity practices and suggestions for securing genomic data. The CSF Profile provides voluntary, actionable guidance to help organizations manage, reduce, and communicate cybersecurity risks for systems, networks, and assets that process any type of genomic data. The guidance aims to help organizations “assess, tailor, and prioritize their risk mitigation strategies and cyber investments for genomic data.”
Quebec Publishes Draft Anonymization Requirement Under Law 25
The government of Quebec published a draft regulation for “respecting the anonymization of personal information” under Law 25 in the Quebec Gazette. The draft law, published December 2023, would require public bodies and applicable private entities to adequately anonymize all personally identifiable information they collect and spell out the criteria under which such anonymized information can be used for processing purposes. The draft regulation is currently under a 45-day public comment period.
NIST Identifies AI Cybersecurity Vulnerabilities
The U.S. National Institute of Standards and Technology explored how machine learning can be exploited through cyberattacks in a new publication. The report highlighted different ways artificial intelligence systems can be attacked and the current mitigation strategies that exist, although it notes current defenses “lack robust assurances that they fully mitigate the risks.”
New Jersey Passes Comprehensive Privacy Bill 
The New Jersey Legislature granted final passage to a comprehensive privacy bill, Senate Bill 332, on the final day of the 2023 legislative session. The bill was amended to its comprehensive framework in December 2023 before receiving same-day approval from the Senate and Assembly on January 8th. SB 332 contains attorney general rulemaking authority as well as provisions for universal opt-out mechanisms and unique children’s privacy provisions. The bill awaits final action from Governor Murphy, who has 45 days to approve, and would take effect one year after its enactment date.
NIST Embarks on Privacy Framework 1.1
According to NIST, “The Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. The initial version was modeled upon the CSF so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes. In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made. This year, they intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.”
EDPB Creates Website Auditing Tool for GDPR Compliance
The European Data Protection Board (EDPB) has introduced a user-friendly website auditing tool aimed at assessing compliance with data protection laws. Designed for use by both legal and technical auditors within data protection authorities (DPAs), as well as controllers and processors conducting self-assessments, the Free and Open Source Software can be downloaded from code.europa.eu. The tool allows for the seamless preparation, execution, and evaluation of audits, supporting compatibility with other tools like the EDPS website evidence collector. With an emphasis on accessibility for non-technical users, the EDPB developed the tool to simplify enforcement efforts by national DPAs and compliance checks by controllers. The software, initially presented at the EDPB Bootcamp in June 2023, received positive feedback, prompting its consolidation and release as open-source. A second version with additional features is planned for later this year, aligning with the EDPB’s broader 2021-2023 Strategy to enhance DPAs’ enforcement capabilities through common tools and a diverse pool of experts within the Support Pool of Experts.
US AI Executive Order
President Biden’s Executive Order on AI, issued three months ago, has seen substantial progress. The White House AI Council, under Deputy Chief Bruce Reed, has confirmed completion of the initial 90-day actions. Key efforts focus on bolstering AI safety, security, and innovation. Notable steps include using Defense Production Act powers to make AI developers report critical information, proposing rules for U.S. cloud companies involved in foreign AI training, and conducting risk assessments across critical infrastructure sectors. Initiatives like the National AI Research Resource pilot, AI Talent Surge for federal hiring, EducateAI for inclusive AI education, and the creation of AI-focused NSF Engines are also underway. The AI Task Force at the Department of Health and Human Services aims to provide regulatory clarity and drive AI innovation in healthcare, exemplified by the development of guiding principles for addressing racial biases in healthcare algorithms. Visit ai.gov for more details.
CCPA Children’s Privacy Amendment Introduced
Amidst the ongoing legal battle over the California Age-Appropriate Design Code Act (AADCA), California Attorney General Rob Bonta and state lawmakers are taking an alternative legislative route to enhance online safety for children. During a press conference on January 29, Bonta introduced two bills for the 2024 legislative session. The proposed Children’s Data Privacy Act aims to amend the California Consumer Privacy Act, strengthening coverage for minors and imposing penalties for violations. The second bill, the Protecting Youth from Social Media Addiction Act, focuses on moderating content and limiting manipulative features on social media platforms. Despite differences from AADCA, these bills are seen as crucial for children’s privacy. State Assemblywoman Buffy Wicks, the lead sponsor, emphasized the need to address extensive data collection by online advertising firms. The bills are expected to face legal challenges, similar to past instances involving technology association NetChoice. Meanwhile, other states are considering similar legislation, reflecting a broader push for enhanced children’s online safety.
Connecticut Attorney General Publishes Report on Data Privacy Act
Attorney General William Tong has released a report detailing the Office of the Attorney General’s actions to educate and enforce compliance with the Connecticut Data Privacy Act (CTDPA) since its implementation on July 1, 2023. The report, mandated by the Act, discloses over a dozen notices of violation (cure notices) issued by the Office, spanning various industries like retail, fitness, event services, career services, parenting technologies, and home improvement. Identified deficiencies include lacking, inadequate, confusing, burdensome, and broken/inactive disclosures and mechanisms related to consumer rights under the CTDPA. The CTDPA, one of the first comprehensive consumer privacy laws, grants Connecticut residents rights to access, correct, and delete personal data and to opt out of data sale and targeted advertising, and requires businesses to limit data collection and maintain transparent privacy notices. The report also suggests ways to strengthen and clarify the law, emphasizing the ongoing need for a balance between privacy and economic necessity in the global economy.
EU AI Act
Representatives from EU member states unanimously advanced the Artificial Intelligence Act, a groundbreaking set of rules shaping AI governance globally. The Council of the EU’s Committee of Permanent Representatives’ approval removes obstacles, with initial reservations from France, Austria, Germany, and Italy. Germany’s Digital Ministry leader, Volker Wissing, withdrew opposition after securing a clarification that the AI Act excludes medical device AI. The provisional agreement, released on February 2nd, received unanimous endorsement, signaling a balanced and innovative approach, according to European Commissioner Thierry Breton. The European Parliament’s internal market and civil liberties committees are set to vote on February 13th, with a full plenary vote expected on April 10th or 11th. Once adopted, the AI Act would enter into force 20 days after publication, with the European Commission leading delegated acts and establishing an AI Office. Challenges from France, Slovakia, and Austria center on the Act’s potential impact on AI development, critical terms, international alignment, data protection, law enforcement exceptions, and remote biometric identification.

Intelligence Feed: December 2023


Poland’s DPA Launches GDPR Compliance Accreditation
Poland’s data protection authority, the UODO, announced companies will be able to obtain EU General Data Protection Regulation compliance certifications. The UODO said the certifications will be optional, and aim to “increase transparency and improve compliance with personal data protection standards.”
FCC, States to Coordinate on Cybersecurity
The U.S. Federal Communications Commission announced it signed memorandums of understanding with the state attorneys general of Connecticut, Illinois, New York and Pennsylvania to coordinate cybersecurity and privacy-related investigations. The agreements say the entities share common legal interest in investigating and sometimes prosecuting these crimes under sections 201 and 222 of the Communications Act.
EU Reaches Political Agreement on AI Act
The European Union (EU) has reached a political agreement on the Artificial Intelligence Act. The trilogue process involving the European Commission, Council of the European Union, and European Parliament lasted over 32 hours across three days. The act aims to strike a delicate balance between promoting innovation and updating AI across Europe while respecting the fundamental rights of citizens.

Key elements of the provisional agreement include regulations for general purpose AI with transparency requirements, additional obligations for more powerful models posing systemic risks, national and EU-level governance, prohibitions on certain AI systems like those manipulating human behavior, and requirements for high-risk systems in critical sectors. The act introduces human rights impact assessments, transparency measures for AI systems like chatbots and deepfakes, and various levels of fines for violations, including up to 7% of global annual turnover for unacceptable risks. Overall, the EU sees this agreement as a significant contribution to the development of global rules for human-centric AI.
US House FISA Section 702 Bills Pulled from Consideration
Two U.S. House proposals to reauthorize and narrow Section 702 of the Foreign Intelligence Surveillance Act were abandoned. House members could not agree on which bill to move forward, pushing the reauthorization discussion to April if Congress passes a short-term Section 702 extension in the National Defense Authorization Act.

Intelligence Feed: November 2023


Proposed AI Act Negotiations Enter Final Stages
EU Institutions made progress in their latest trilogue negotiations on the proposed Artificial Intelligence Act. In the most recent negotiations October 24, policymakers agreed on provisions for classifying high-risk AI applications and developed general guidance for using enhanced foundation models. However, negotiations did not include substantial dialogue on provisions for prohibitions and law enforcement use. 
EU Reaches Agreement on Political Advertising
The Council of the European Union and the European Parliament have tentatively reached an agreement on how targeted political advertising can work. The provision would only allow for targeted ads if a consumer gave explicit consent and would ban profiling based on personal data. Both parties must adopt the agreement before it can take effect.
Thailand’s PDPC Drafts Data Transfer Regulations
Thailand’s Personal Data Protection Committee released draft regulations on cross-border data transfers in accordance with Sections 28 and 29 of the Personal Data Protection Act. The draft provides for data being transferred to countries with adequate data protection standards, which the PDPC may decide on a case-by-case basis.
EU Institutions Work Toward Final AI Act Compromises
EU institutions are gearing up proposals to try to finalize the proposed Artificial Intelligence Act during the potential final trilogue negotiation December 6. Members of European Parliament circulated a compromise text that replaces a previously proposed full ban on biometric identification technologies with prohibited practices and narrow allowances. Meanwhile, the Spanish Presidency of the Council of the European Union proposed draft obligations tied to use and development of foundation models.
ICO, EDPS Reach Understanding on Data Protection Rights
The U.K. Information Commissioner’s Office and the European Data Protection Supervisor signed a memorandum of understanding regarding their work on individuals’ data protection and privacy rights. The agencies promised to share best practices and information to support their regulatory efforts and cooperate on certain projects of mutual interest. They set out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and promote dialogue among data protection authorities and other digital regulators.
The IAPP-EY Privacy Governance Report 2023 Unveiled
The IAPP published the IAPP-EY Privacy Governance Report 2023, which builds on previous comprehensive efforts to shine a light on the location, performance and significance of privacy governance within organizations. Research focused on governance and organizational structures, privacy strategy and planning, compensation and budget management, and performance metrics and monitoring. The full report is an IAPP member exclusive while an executive summary is available to the public.
EU AI Act Negotiations 
France, Germany and Italy are pushing for a code of conduct in the proposed Artificial Intelligence Act that would allow companies to self-regulate rather than abide by a previously proposed tiered regulation model. Meanwhile, Spanish Secretary of State for Digitalisation and Artificial Intelligence Carme Artigas said AI Act negotiators should be open to changing proposed foundational model regulations while preserving transparency requirements. The Council of the European Union’s Telecommunications and Information Society Working Party will discuss foundational models in a November 21st meeting. 
FCC Adopts Rules to Safeguard Consumers’ Cellphone Accounts
The U.S. Federal Communications Commission will require wireless providers to adopt more secure methods of authenticating a customer’s identity before putting their account on a new device. The rules are meant to protect users from scammers looking to gain access to their account’s personal data.
European Parliament Tackles Governance Angle of Proposed AI Act
Members of the European Parliament discussed on November 21st how artificial intelligence should be governed under the EU AI Act. A compromise bill would establish an AI Office to oversee enforcement aspects of the law, but would have EU countries carry out its tasks. An appointed AI Board would make sure the law is applied consistently.
European Council Presidency Circulates AI Act Compromise Text
The Spanish President of the Council of the European Union circulated half of the Artificial Intelligence Act provisions governing law enforcement’s use of AI models within the Committee of Permanent Representatives November 24th. The remaining half, which focuses on issues such as use of foundation models, access to source code, system governance, and the sanction regime, is anticipated to be addressed by the committee December 1st.

Intelligence Feed: October 2023


Argentina’s AAIP Updates SCCs
Argentina’s Agency for Access to Public Information updated standard contractual clauses for international transfers of personal data. The AAIP said the clauses “enable compliance with the principles of personal data protection, and provide companies or organizations with an economically viable alternative.” The SCCs were drafted by the Ibero-American Data Protection Network.
Brazil’s ANPD Sanctions Health Department
Brazil’s data protection authority, the ANPD, sanctioned the Health Department of the State of Santa Catarina for four alleged violations of the General Personal Data Protection Law. The ANPD determined the department neglected “the security of the systems for storing and processing personal data of millions of citizens” and, following a security incident that impacted 300,000 individuals, failed to communicate affected data “in a clear, adequate and timely manner.”
China Launches Global AI Governance Initiative
The South China Morning Post reports the Cyberspace Administration of China released its Global AI Governance Initiative, a framework for artificial intelligence. The framework calls for equal rights when developing AI, regardless of a country’s size, strength or social system. It states, “We oppose drawing ideological lines or forming exclusive groups to obstruct other countries from developing AI.” The initiative said AI could have a “profound influence,” while it presents unpredictable risks and complicated challenges.
CFPB Proposes Personal Financial Data Rights
The U.S. Consumer Financial Protection Bureau filed a Notice of Proposed Rulemaking for open banking that includes proposed rules concerning financial data. The proposed Personal Financial Data Rights rule includes consumer consent for third-party access to data with the aim of providing “robust protections to prevent unchecked surveillance and misuse of data” and to “move away from risky data collection practices.” 

Intelligence Feed: August & September 2023


Biden Administration Suggests Limiting FBI’s FISA Section 702 Access
U.S. President Joe Biden’s Intelligence Advisory Board recommended prohibiting the FBI from fully utilizing warrantless surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The panel proposed barring the FBI from searching communications data for investigations unrelated to foreign intelligence while maintaining access for national security matters.
PETs Research Bill Clears US House Committee
The U.S. House Committee on Science, Space and Technology voted 35-0 on a favorable report for House Resolution 4755 on privacy-enhancing technology research. The bill, which is now eligible for full House consideration, aims to support research on privacy enhancing technologies and promote responsible data use.
US AI Legislation Tracker
The Electronic Privacy Information Center published a U.S. legislation tracker for laws governing various aspects of artificial intelligence. Ten states have laws entering into force that regulate AI, but are part of broader comprehensive state-level consumer privacy laws. Multiple states have introduced tailored AI legislation for the fields of employment, health care, insurance and its use by government agencies. Attached is a list of current, passed, or proposed laws.
Indian Parliament Set to Consider Proposed Data Protection Bill
Indian Parliament can now consider the proposed Digital Personal Data Protection Bill. The 2023 version of the draft bill was introduced in the lower house of Parliament, the Lok Sabha, August 3rd and the Lok Sabha is expected to open its consideration of the DPDPB August 7th. The bill, deemed an “absolutely brand new framework” by Chandrasekhar, covers all India-based organizations that process personal data as well as international entities processing data on Indian residents. Key provisions include a broad definition for personal data, data processing permitted by individual consent and “deemed consent,” designations for approved cross-border data transfers, and the creation of the Data Protection Board of India.
US Government Agencies Tackle Open Source Software Cybersecurity
The U.S. White House’s Office of the National Cyber Director, in coordination with the Cybersecurity and Infrastructure Security Agency, the National Science Foundation, the Defense Advanced Research Projects Agency and the Office of Management and Budget, published a request for information on the cybersecurity of open source software. The request calls for opinions from the public and private sectors as the government works to “strengthen the open-source software ecosystem.” 
US Launches AI Cyber Challenge
The U.S. Defense Advanced Research Projects Agency announced the two-year AI Cyber Challenge competition. Leading software companies will compete for $20 million in prizes, developing code to protect digital networks of nationwide critical infrastructures. “With this new challenge, teams will now have the power of modern (artificial intelligence) to work through these complicated problems in support of our national security,” Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said.
ICO Opens First Phase of Biometric Guidance
The U.K. Information Commissioner’s Office issued the first phase of its guidance on biometrics use, which is now open for public consultation through 20 Oct. The second phase of the guidance will be issued early in 2024 and will focus on biometric classification and data protection, plus a call for evidence.
Millions Affected by Multi-State Health Data Breach
A sensitive health data breach through hacks of file transfer service MOVEit affected at least three U.S. states. Colorado’s Department of Health Care Policy and Financing reported hackers accessed its database of 4.1 million individuals while third-party data management firm PH Tech confirmed 1.7 million Oregonians had their information exposed through MOVEit. Missouri’s Department of Social Services reported the same cyberattack affected an unknown number of residents.
India Digital Personal Data Protection Act
India passed the Digital Personal Data Protection Act, its long-awaited privacy law, which will establish guardrails for how organizations should handle personal data and offers citizens control over the personal data gathered about them. The act will make it mandatory for entities collecting user data to obtain express user consent before processing the data. Personal data may be processed only for a lawful purpose upon consent of an individual.
ANPD Releases Monitoring Cycle Report
Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, published its first Monitoring Cycle Report for the assessment of actions carried out by the regulator. The report showed a majority of the ANPD’s 2022 activities focused on data breaches and data subject requests. To improve upon its 2022 work, the ANPD said it will bring more scrutiny against data protection officers and data protection impact assessments.
Federal Privacy Bill Can Address AI Discrimination
U.S. Senator Maria Cantwell said the Consumer Online Privacy Rights Act, a bill she introduced in 2019 and again in 2021, could “help protect people from discrimination fueled by artificial intelligence.” Cantwell said AI can produce opportunities but there also should be “‘guardrails’ for potential pitfalls.” She said her bill would allow consumers to opt in to receiving targeted advertisements and impose requirements for companies that deploy algorithms.
Health Data Breach Lawsuits on the Rise
Bloomberg Law reports costly U.S. health data breach lawsuits are on the rise as companies face increased cyberattacks. An analysis of 557 complaints filed in federal courts over the last five years showed many lawsuits seek millions of dollars in civil damages while the monthly average of health data breach class actions filed has nearly doubled from 2022. Attorneys cite increased consumer privacy awareness, public notification requirements and rising ransomware attacks.
US Lawmaker Introduces Federal Cybersecurity Vulnerability Reduction Act
U.S. Rep. Nancy Mace, chair of the House Oversight Committee’s Cybersecurity, Information Technology, and Government Innovation Committee, proposed The Federal Cybersecurity Vulnerability Reduction Act. The proposed legislation would require federal contractors to enact policies consistent with National Institute of Standards and Technology guidelines. Mace said the proposal would “ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly.”
NIST Issues Draft Cybersecurity and Privacy Learning Program Guidance
The U.S. National Institute of Standards and Technology published its initial draft of the government’s cybersecurity and privacy learning program. The document offers recommendations for initiatives, such as integrating privacy with cybersecurity in organization-wide learning programs and creating a data life cycle model allowing for “ongoing, iterative improvements and changes to accommodate cybersecurity (and) privacy.” The consultation period is open until October 27th.
Federal Privacy Law can ‘Lay Strong Foundation’ for AI Regulation
U.S. policymakers “need to lay a strong foundation” for artificial intelligence regulation that “must center around a national data privacy standard,” Representative Suzan DelBene wrote. DelBene said a “national privacy standard would ensure a baseline set of protections, no matter where someone lives in the U.S.” and “would restrict companies from storing and selling our personal data” that could otherwise be used to train AI algorithms.
ICO Publishes Guidance on Email Communications
The U.K. Information Commissioner’s Office warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails. “Organizations that use and share large amounts of data, including sensitive personal information, should consider using other secure means to send communications, such as bulk email services, so information is not shared with people by mistake,” the ICO said.
Small Business Cyber Resiliency Act
U.S. Senator Jim Risch introduced a bill seeking to improve access to cybersecurity tools and resources for small businesses. The Small Business Cyber Resiliency Act would establish a Central Small Business Cybersecurity Unit at the Small Business Administration, enhance cybersecurity resources and training for small businesses, and improve cybersecurity information sharing between federal agencies.
Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act was signed by Governor John Carney and will go into effect January 1st, 2025. An outreach period to inform consumers and businesses will begin no later than July 1st, 2024. Director of the Department of Justice’s Fraud and Consumer Protection Division Owen Lefkon said the bill “gives consumers choice” and “puts the control back in the hands of the consumer.”
US Health Agencies Update Security Risk Assessment Tool
The Office of the U.S. National Coordinator for Health Information Technology and the Department of Health and Human Services’ Office for Civil Rights updated their Security Risk Assessment Tool for Health Insurance Portability and Accountability Act compliance. The tool is designed for small and medium-sized providers and aims to “help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule.”
Potential AI Regulation
A pair of U.S. Senate hearings on September 12th laid the foundations for potential forthcoming artificial intelligence regulations across a variety of different applications. Across both hearings, possible AI legislation could include requiring a licensing regime, establishing a new federal regulatory agency, and risk mitigation measures.
California Legislature Approves Data Broker Bill
The California State Legislature passed SB 362, the California Delete Act, which would empower the California Privacy Protection Agency to create a system allowing Californians to apply a single request to delete personal information held by registered data brokers operating in the state. The bill now awaits the signature of Governor Gavin Newsom. 

Intelligence Feed: July 2023


Argentina’s AAIP Proposes Draft Personal Data Protection Bill
Argentina’s data protection authority, the Agency of Access to Public Information, submitted a draft Personal Data Protection Bill to the Honorable Chamber of Deputies of the Nation. The proposed draft amends Personal Data Protection Act 25.326. Provisions under the proposed draft include language to facilitate transborder data flows, enhanced basic data subject and children’s privacy rights, obligations for data controllers and more.
Council of the European Union’s New Leadership Addresses AI Act Plans
The new Spanish Presidency of the Council of the European Union outlined priority topics for its negotiations on the proposed Artificial Intelligence Act. As it works toward a political agreement among member states, the Spanish presidency plans to address the proposal’s definition of AI, high-risk classification, list of high-risk use cases and fundamental rights impact assessments.

US Finalizes EU-US Data Privacy Framework Requirements, Awaits EU Adequacy Decision
The U.S. Department of Justice and the Office of the U.S. National Intelligence Director announced the completion of commitments under President Joe Biden’s executive order concerning the EU-U.S. Data Privacy Framework. According to Secretary of Commerce Gina Raimondo, the DOJ designated EU member states along with Iceland, Liechtenstein and Norway as “qualifying states” whose citizens are able to file for redress through the proposed Data Protection Review Court while obtaining enhanced U.S. privacy protections. The designations take effect upon finalization of the European Commission’s adequacy decision with the U.S. Meanwhile, the ODNI released the policies and procedures the U.S. intelligence community will follow as part of the executive order.
European Commission Proposes Rules to Strengthen GDPR Enforcement
The European Commission is proposing new “concrete procedural rules” to strengthen EU General Data Protection Regulation enforcement in cross-border cases. The proposal harmonizes requirements for cross-border complaints, gives parties under investigation the right to be heard “at key stages” including during dispute resolution, and streamlines the dispute resolution mechanism. While the commission said it will mean “quicker remedies for individuals and more legal certainty for businesses,” the European Consumer Organisation said the proposal “is unlikely to be of much help to consumers.”
AI Systems Analyzing License Plate Scanning Cameras Pose Constitutional Questions
In a drug trafficking case in New York’s Westchester County, an artificial intelligence-powered Automatic License Plate Recognition system analyzed the county’s 480 traffic cameras and scanned 16 million license plates a week for a two-year period. The suspect’s attorney claimed the information obtained on his client was a “systematic development and deployment of a vast surveillance network” per his motion to suppress evidence. He alleged any New York police officer would be able to initiate an investigation using the system without any court oversight.

European Commission, CFPB Start Dialogue on Financial Consumer Protection
The European Commissioner for Justice and the U.S. Consumer Financial Protection Bureau announced an “informal dialogue” between their agencies “on a range of critical financial consumer protection issues.” Areas of discussion will include “automated decision making and processing of data in financial services,” including artificial intelligence and “digital transformation that ensures fair choice and access to financial services for consumers, including the unbanked, underbanked, and consumers who want to protect their own data.”
US Announces Smart Device Cybersecurity Labeling Program
The Biden administration announced the “U.S. Cyber Trust Mark” program. Under the cybersecurity labeling program for smart devices, anticipated to launch in 2024, consumers will find a logo on products meeting established criteria published by the National Institute of Standards and Technology. The administration said “several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations” have voluntarily committed to increasing cybersecurity for their products.
US Senators Propose Amendments Addressing AI, Privacy in Defense Act
U.S. senators offered a slew of amendments to the National Defense Authorization Act, with many addressing artificial intelligence, privacy and social media regulation, The Washington Post reports. Amendments concerning AI include requiring financial institutions to issue reports detailing how they use AI and the creation of a task force to “assess the privacy, civil rights, and civil liberties implications” of using AI. Other privacy-centric amendments include the Stop CSAM Act being folded into the legislation, which would allow victims to sue platforms for exploitation, and legislation that would ban TikTok for U.S. consumers.
CPPA Supports Four Privacy Bills
The California Privacy Protection Agency unanimously voted in support of four state privacy bills that support its mission of “protecting the privacy rights of Californians.” Assembly Bill 947 would include personal information that reveals citizenship or immigration status as sensitive personal information under the California Consumer Privacy Act. Assembly Bill 1194 relates to reproductive privacy protections, Assembly Bill 1546 covers the CCPA’s statute of limitations, and Senate Bill 362 would transfer administration and rulemaking authority over the data broker industry to the CPPA.
Biden Calls for Children’s Online Privacy Protections
U.S. President Joe Biden called on lawmakers to pass legislation protecting children’s online privacy and safety. Referencing a Thursday hearing of the Senate Commerce Committee on the Kids Online Safety Act and Children and Teens’ Online Privacy Protection Act, Biden said he has been urging legislation for two years. “It matters. Pass it, pass it, pass it, pass it, pass it,” he said.
SEC Adopts Rules to Update Cybersecurity Incident Reporting
The U.S. Securities and Exchange Commission announced the adoption of new rules pertaining to how public companies report cybersecurity incidents. The SEC will now require disclosures related to “material cybersecurity incidents (companies) experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” SEC Chair Gary Gensler said the aim is to make disclosures “consistent, comparable, and decision-useful” for investors.
Doctors Using AI Could Run Afoul of Health Privacy Law
U.S. physicians using artificial intelligence technologies, like chatbots, may be violating the Health Insurance Portability and Accountability Act. Many physicians are using AI, like ChatGPT, to consolidate notes, find quick clinical answers, transcribe, etc. Once this happens, the information is no longer internal to the healthcare system and is technically a data breach.

Intelligence Feed: May & June 2023


Ireland’s DPC Issues Employee Data Protection Guidance
Ireland’s Data Protection Commission announced fresh employer guidance on handling the data of current, former and prospective employees. The DPC said the guidance is aimed at standard data collection, including employees’ names and contact information, but added employers need to also consider nontraditional data like “information on occupational health, sick leave, performance reviews or disciplinary actions.” The guidance also includes guidelines for employee monitoring and tracking.
White House Takes Aim at AI Risk Mitigation
U.S. President Joe Biden announced a series of actions to “further promote responsible American innovation in artificial intelligence and protect people’s rights and safety.” The administration said the U.S. National Science Foundation will allocate $140 million to fund seven new National AI Research Institutes. Additionally, the White House will conduct evaluations of generative AI systems independent from providers while federal agencies will be “leading by example on mitigating AI risks and harnessing AI opportunities.” Biden also met with Alphabet, Anthropic, Microsoft and OpenAI to “emphasize the importance of driving responsible, trustworthy, and ethical innovation with safeguards.”
US Senators Reintroduce COPPA 2.0
U.S. Senators Bill Cassidy and Ed Markey reintroduced the Children and Teens’ Online Privacy Protection Act 2.0, which they said updates online privacy protections for children and teens for the 21st century. The bill prohibits internet companies from collecting personal data of users aged 13-16 without consent, bans targeted advertising to children and teens, covers platforms “reasonably likely to be used” by children, and establishes a “Digital Marketing Bill of Rights for Teens” as well as a Youth Marketing and Privacy Division at the U.S. Federal Trade Commission.
Florida Lawmakers Pass Privacy Bill
Florida lawmakers passed Senate Bill 262, legislation that would give consumers access to information collected about them by companies and the right to have some data deleted. If signed by Gov. Ron DeSantis, it would also require companies to allow consumers to opt out of targeted ads based on non-pseudonymous data but does not require opt-outs for targeted ads based on pseudonymous data. Consumer Reports said the bill applies “to only the very largest tech companies” and would “leave Florida consumers’ personal information unprotected in a wide variety of contexts.”
Texas Legislature Finalizes Comprehensive Privacy Bill
The Texas Legislature signed off on the final text for a proposed comprehensive privacy bill, HB 4, following a resolution struck between chambers in a conference committee. The bill carries unique applicability standards and requires covered entities to honor universal opt-out signals, perform data protection assessments and establish data processing agreements. The law’s effective date is July 1st, 2024. Following approval by the Texas House and Senate, Gov. Greg Abbott, R-Texas, has 10 days upon transmission to act on the bill, with a definitive veto the only way it will not become a law.
US Intelligence Community Presses for FISA Section 702 Reauthorization
Officials from U.S. intelligence agencies backed the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act ahead of a U.S. Senate subcommittee hearing Tuesday. One official characterized a potential lapse or “unusable” modifications to Section 702 as “grave national security risks.” The support for full reauthorization came as 21 advocacy groups joined on a letter urging reform of Section 702. Meanwhile, the Office of the Director of National Intelligence issued a report regarding purchases of commercially available personal information by the U.S. intelligence community.
Nigerian President Approves Data Protection Bill
President Bola Tinubu signed the Nigeria Data Protection Bill, 2023 into law June 14th, ITEdge Nigeria reports. The law creates the Nigeria Data Protection Commission headed by a national commissioner tasked with regulating how entities process personal information. One of the mandates the NDPC is assigned includes facilitating “the development of personal data protection technologies, in accordance with recognized international good practices.”
State Attorneys General Call for Federal AI Regulation
Twenty-three U.S. state attorneys general, including California Attorney General Rob Bonta, wrote the U.S. National Telecommunications and Information Administration urging action on artificial intelligence policies. The attorneys general proposed the NTIA consider “independent standards for AI transparency, testing, assessments, and audits” while allowing states “concurrent enforcement authority” in a federal AI regulatory regime.
Texas’ Comprehensive Privacy Bill Signed Into Law
Governor Greg Abbott signed HB 4, the Texas Data and Privacy Security Act, into law on June 18th. The majority of the law takes force on July 1st, 2024, while provisions for recognition of universal opt-out mechanisms take effect on January 1st, 2025. “Our goal from the onset was to maximize the utility of consumers’ rights and minimize the compliance costs for businesses,” said State Representative Giovanni Capriglione.
US Senator Schumer Introduces SAFE Innovation Framework
U.S. Senator Chuck Schumer is attempting to rally his colleagues around a new initiative. Schumer introduced his base plan for AI regulation that involves a new legislative process for arriving at the strongest and most balanced rules possible. Speaking at the Center for Strategic and International Studies, Schumer unveiled a two-part strategy to move us forward on AI with one part framework, one part process. The former component of the strategy is the “Securities, Accountability, Foundations, Explain and Innovation Framework,” which Schumer characterized in a formal outline as “a policy response that invests in American ingenuity” and “ensures AI is developed and deployed in a responsible and transparent manner.” 
New Zealand Privacy Commissioner Asks for Submissions for Draft Data Product Bill
New Zealand Privacy Commissioner Michael Webster is encouraging citizens to weigh in on the draft Data Product Bill, which creates a consumer data right. If passed, the bill would make it easier for individuals to share their information with trusted businesses once the individual has given their explicit consent.

Intelligence Feed: April 2023


Washington Senate Passes Health Data Bill
In a 27-21 vote, the Washington Senate passed HB 1155, proposed legislation on the collection, sharing, and selling of consumer health data. The bill grants consumers the right to access, delete and withdraw consent regarding health data, requires regulated entities and small businesses to obtain consent to collect, share or sell consumer health data, and makes violations enforceable under the Consumer Protection Act, which includes a private right of action. The bill passed the House on March 4th.
Arkansas Passes Children’s Social Media Bill
The Arkansas House of Representatives voted on the final approval of Senate Bill 396, the Social Media Safety Act. The bill aligns with Utah’s social media bill on age verification and parental consent for use by minors under age 18. The effective date, pending the governor’s signature, is September 1st.
NTIA Seeks Comments on AI Accountability
The U.S. Department of Commerce’s National Telecommunications and Information Administration published an “AI Accountability Request for Comment.” The NTIA is seeking input on creating trust in artificial intelligence through policies supporting the development of AI audits, assessments, certifications and other mechanisms. “Much as financial audits create trust in the accuracy of a business’s financial statements, so for AI, such mechanisms can help provide assurance that an AI system is trustworthy,” the administration said.
EDPB Launches ChatGPT Task Force
The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the IE DPA on the legality of data transfers to the United States by Meta Platforms Ireland Limited (Meta IE) for its Facebook service. The binding decision addresses important legal questions arising from the draft decision of the Irish DPA as a lead supervisory authority (LSA) regarding Meta IE. The EDPB binding decision plays a key role in ensuring the correct and consistent application of the GDPR by the national Data Protection Authorities. More specifically, in its binding decision, the EDPB settles the dispute on whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision.
Irish DPC Publishes Guides on Children’s Data Protection Rights
Ireland’s Data Protection Commission published four guides for parents on children’s data protection rights under the EU General Data Protection Regulation. The guides outline the basics of children’s data protection rights, when parental consent may be needed for processing children’s data, advice on how parents can protect their children’s data, and limits to exercising children’s data protection rights. The DPC said the guides are meant to help parents understand their children’s rights “and to answer questions that can arise in typical situations where those rights apply.”
DIFC Launches Data Protection Law Consultation
The Dubai International Financial Centre announced a consultation on proposed amendments to Data Protection Law regulations. The proposed updates aim to “establish additional areas of regulation that support robust implementation” of the DPL. Topics covered within the updates include data breaches, controller and processor obligations in digital enablement technology systems, and incorporating privacy by design or default in artificial intelligence deployments. 
OpenAI Could Face GDPR Compliance Challenges
MIT Technology Review reports OpenAI faces challenges in complying with EU data protection laws due to its use of data to train its ChatGPT models. OpenAI would have to prove consent or “legitimate interest” as a legal basis for collecting data to train its algorithms to comply with the EU General Data Protection Regulation. If it can’t, Alexis Leautier, an artificial intelligence expert at France’s data protection authority, said OpenAI could face fines and requirements to delete models and the data used to train them.
European Commission Agrees to Draft Proposal for Cyber Solidarity Act
The European Commission announced the adoption of a proposal for the EU Cyber Solidarity Act. The draft legislation intends “to strengthen cybersecurity capacities in the EU” by offering “support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities.” The commission said the legislation would lead to greater member-state cooperation and “response capabilities” across the EU.
Israel Committee Approves Adoption of Draft Regulations on Data Transfers from EEA
Israel’s Constitution, Law, and Justice Committee approved the adoption of the draft Privacy Protection Regulations on the transfer of data from the European Economic Area to Israel. The regulations include provisions on deleting data upon request, deleting excess personal data, maintaining the accuracy of personal data, and obligations to notify that data has been transferred.
US House Subcommittee Schedules Latest Privacy Hearing
The U.S. House Committee on Energy and Commerce’s Subcommittee on Innovation, Data, and Commerce will hold a hearing on April 27th focused on federal privacy legislation. It’s the latest Energy and Commerce subcommittee hearing aimed at building momentum toward the reintroduction and passage of the proposed American Data Privacy and Protection Act out of the House during the current legislative session. Energy and Commerce Chair Cathy McMorris Rodgers, and Innovation, Data, and Commerce Chair Gus Bilirakis, said the hearing will show “the gaps that exist in order to strengthen people’s privacy protections on online services and preserve innovation and entrepreneurship.”
Forthcoming US Senate Bill Would Set Age Minimum for Social Media Access
A bipartisan group of U.S. senators is expected to introduce legislation setting age requirements for children to access social media platforms. The bill would prohibit children under 13 from accessing social media altogether, while children ages 13-17 would be allowed with parental consent. However, the anonymous Senate aide who spoke with the publication did not detail how children’s ages would be verified. The bill would also put restrictions on how social media companies use their algorithms to target minors.
Nevada Senate Passes a Health Data Privacy Bill
In a 13-8 vote, the Nevada Senate passed Senate Bill 370, which is “an act relating to data privacy; requiring certain entities to develop a policy concerning the privacy of consumer health data.” The bill would also bar healthcare companies from collecting or sharing patients’ health information “without the affirmative, voluntary consent of a consumer.”

Intelligence Feed: March 2023


Co-Rapporteurs Circulate Latest AI Act Compromises
Co-rapporteurs for the proposed Artificial Intelligence Act offered a new set of compromise texts concerning a range of disputed topics in the EU proposal. Updates were offered on provisions for prohibited practices, high-risk AI obligations, regulatory sandboxes and the role of a dedicated AI enforcement office. The new proposals were a product of feedback from a recent political meeting among members of the European Parliament aimed at finalizing their position on the draft.
ICO Publishes ‘SME Data Essentials Pilot’ Report
The U.K. Information Commissioner’s Office published a final report on the findings of its “SME Data Essentials Pilot” program. “The purpose of piloting is to test feasibility, learn how to operationalize a policy, how to overcome implementation barriers, and how to improve processes and outcomes,” the ICO said. The ICO further added that it achieved “much success” toward that goal and “revealed a range of learnings around design and implementation, all of which will prove significantly valuable for considerations.”
EU Council Releases Cyber Resilience Act Compromise Text
The Swedish Presidency of the EU Council circulated new compromise text of the Cyber Resilience Act, detailing its interplay with the Artificial Intelligence Act, enforcement and penalties. The text clarifies that AI systems considered high risk will comply with the AI Act’s cybersecurity measures if they meet requirements within the Cyber Resilience Act. The new text also mandates EU countries implement an appeal procedure of external audits required of certain products.
White House Announces National Cybersecurity Strategy
U.S. President Joe Biden announced the National Cybersecurity Strategy, which aims to “secure the full benefits of a safe and secure digital ecosystem for all Americans.” Notably, the Biden administration’s strategy seeks to “rebalance the responsibility to defend cyberspace” and place obligations on the organizations that are most capable and best-positioned to reduce risks for all of us. Privacy and data security are mentioned under the strategy’s intended approach to shape market forces to drive security and resilience, including calls for legislation establishing liability for software products and services that are sold with little regard for security, implementing a more active role by cloud providers, and more.
ChatGPT’s Rise Brings New Debate on Proposed AI Act
ChatGPT’s increased use and popularity is causing strain in EU negotiations for the proposed Artificial Intelligence Act. The sudden rise of generative AI systems spurred EU institutions to reconsider their positions on proposed legislation, but the European Parliament remains undecided on how to move forward. Officials received pushback regarding a proposal to characterize systems like ChatGPT as high-risk due to their potential to disperse disinformation en masse.
Iowa Senate Unanimously Approves Comprehensive Privacy Bill
The Iowa Senate voted 47-0 to advance Senate File 262, an act relating to consumer data protection, to House consideration. The bill covers companies holding data on more than 100,000 individuals or deriving 50% of annual revenue from data belonging to more than 25,000 consumers. Additionally, the bill does not require data protection impact assessments or the explicit right for users to opt out of targeted advertising, while providing covered entities a 90-day cure period. SF 262’s effective date is Jan. 1, 2025.
India to Propose Open Transfer Regime in Draft Data Protection Bill
India’s government plans to amend draft provisions on data transfers in the proposed Digital Personal Data Protection Bill. The data transfer language under Clause 17 of the bill will reportedly be reworked to allow for data to flow freely across borders. A senior government official labeled the framework as an “allowed-by-default model.” The official added, “If the government does not want data to be transferred to a particular region, it will mention that region in its blacklist.”
UK Introduces Draft Data Protection Reform
On Wednesday, the U.K. released a draft data protection reform of its General Data Protection Regulation. U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament. “Co-designed with business from the start,” Donelan said, “this new bill ensures that a vitally important data protection regime is tailored to the U.K.’s own needs and our customs.” In line with last summer’s draft bill, the new proposal will increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is greater. Additionally, the bill would reduce the number of consent pop-ups on websites, the government stated in a press release. The reform bill will also reorganize the Information Commissioner’s Office to include a statutory board with a chair and chief executive. Notably, the bill would require businesses to keep records of processing only when the data is high-risk, such as someone’s health data. It would also clarify that profiling is subject to the same set of rules as automated decision-making when a “significant decision is taken about a person with no meaningful human involvement.”
US Chamber of Commerce Publishes AI Commission Report
The U.S. Chamber of Commerce released its Artificial Intelligence Commission Report, highlighting opportunities the technology presents while calling for a risk-based regulatory approach. Without “appropriate” and “reasonable protections,” AI could “adversely affect privacy,” the Chamber said. “Policy leaders must undertake initiatives to develop thoughtful laws and rules for the development of responsible AI and its ethical deployment,” a press release said, noting regulation should be technology neutral, flexible, balanced and proportionate.
FTC Proposes Increased Budget, Seeks Additional Privacy Resources
The U.S. Federal Trade Commission requested a 37% budget increase, approximately $160 million, from U.S. Congress for the fiscal year 2024. In a report outlining its needs, the FTC said it wants to hire 310 full-time employees, including 62 dedicated to consumer protection, with an eye toward helping the agency “investigate and litigate more and increasingly complex matters.” The commission said the additional personnel will help it properly tackle children’s and health data privacy, among other sectoral issues facing consumers.
European Parliament Approves Proposed Data Act Position
European Parliament voted 500-23 with 110 abstentions to adopt its position on the proposed Data Act. Parliament touted the proposal for establishing “common rules governing the sharing of data generated by the use of connected products or related services … to ensure fairness in data sharing contracts.” Lawmakers also mentioned how artificial intelligence-based products will be better supported and enabled by the proposal. The proposal now awaits further negotiations between EU institutions.
Colorado Privacy Act Regulations Finalized
The Colorado attorney general’s office announced the finalization of the Colorado Privacy Act regulations. The office highlighted rules implemented on the topics of universal opt-out mechanisms, data protection impact assessments, user profiling and transparency. The rules were formulated based on feedback from 137 written comments. “Attorneys in my office thoughtfully incorporated feedback throughout the rulemaking to carefully craft rules to both protect consumers and ensure businesses have reasonable direction as they manage Coloradans’ information,” Colorado Attorney General Phil Weiser said.
Iowa Legislature Approves Comprehensive Privacy Bill
Iowa is on the verge of becoming the sixth U.S. state to pass comprehensive privacy legislation. Both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, including final approval from the Iowa House on a 97-0 vote Wednesday, and potential enactment could come shortly after transmission to the governor. Senate File 262 falls into the patchwork of existing state privacy legislation, carrying notable similarities and differences.
EU Member States Reach Agreement on Data Act
EU member states reached a common position on the proposed Data Act, enabling negotiations on the final version of the proposed legislation to begin among the Council of the European Union and European Parliament. Swedish Minister for Public Administration Erik Slottner said the Data Act “will contribute to creating a single market to allow data to flow freely within the EU and across sectors for the benefit of businesses, researchers, public administrations, and society at large.”
Executive Order Prohibits US Government Use of Spyware Posing Security Risks
U.S. President Joe Biden issued an executive order prohibiting government use of commercial spyware that poses national security risks. “The growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware,” threatens the development of an international technology ecosystem that “enables and promotes the free flow of data and ideas with trust” and “protects our security, privacy, and human rights,” the order said. The link below has the official White House statement.
UK Releases White Paper on AI Regulatory Framework
The U.K. Department for Science, Innovation and Technology published a white paper with its approach to regulating artificial intelligence technologies. The regulatory framework seeks to “build public trust in cutting-edge technologies and make it easier for businesses to innovate, grow and create jobs.” The approach consists of five AI principles: safety, transparency, fairness, accountability and governance, and redress. U.K. regulators will roll out guidance within the next 12 months to help organizations implement new rules.
First CPRA Regulations Finalized Following OAL Review
The California Privacy Protection Agency announced the first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following a review. The regulations bring updates and clarification to existing requirements under the California Consumer Privacy Act while also bringing new CCPA requirements brought forth by the CPRA. The finalized rules, which come ahead of the CPRA’s 1 July enforcement, contain no substantive changes to the final draft submitted by the CPPA to the OAL in February.

Intelligence Feed: February 2023


Latest Revisions to Colorado Privacy Act Draft Rules
The Colorado attorney general’s office released the second set of revisions to the Colorado Privacy Act draft regulations. Changes from the last revisions released in January include tweaks to business requirements for privacy notices, universal opt-out mechanisms, and honoring consumer rights and opt-out requests. With rules for universal opt-out mechanisms, the updates work to create more interoperability between U.S. comprehensive state privacy laws. Colorado’s privacy law is effective July 1.
EU, US Announce AI Research Pact
The EU and U.S. governments signed an administrative arrangement to facilitate collaborative research on artificial intelligence. The agreement is part of the EU-U.S. joint AI roadmap devised during the third EU-U.S. Trade and Technology Council meeting in December 2022. U.S. National Security Advisor Jake Sullivan said the arrangement “will drive responsible advancements in AI to address major global challenges,” while European Commissioner for the Internal Market Thierry Breton said EU and U.S. researchers “will join forces to develop societal applications of AI and will work with other international partners for a truly global impact.”
Slovenia’s Personal Data Protection Act Enters into Force
Slovenia’s Personal Data Protection Act is now in force. The law, adopted Dec. 15, 2022, includes “transmission of personal data in the public and private sector,” regulation of biometrics, “personal data processing for research, archival and statistical purposes,” and more. Since the regulation’s adoption, the information commissioner has been updating guidelines and materials to assist managers and processors of personal data as well as individuals.
European Commission Publishes Guidelines for Digital Services Act User Reporting
The European Commission released guidance to assist companies in complying with the Digital Services Act’s user reporting requirements. The reporting will help determine whether increased DSA obligations for “very large” online platforms and search engines are to be applied. Under the law, additional obligations are triggered for companies that “show that they reach more than 10% of the EU’s population.” Companies are required to report initial user numbers by Feb. 17 and offer updates at least once every six months after.
EU and Singapore Sign New Digital Partnership
The European Union and Singapore announced an agreement on a new digital partnership, which includes improving cooperation on “cutting-edge technologies” like artificial intelligence and ensuring cross-border data transfers comply with data protection rules. The agreement paved the way for the EU and Singapore to establish Digital Trade Principles, illustrating their shared commitment to an open, fair, and competitive digital economy, without unjustified trade barriers.
US House to Review Draft Financial Data Privacy Bill
A subcommittee of the U.S. House Financial Services Committee will review a draft financial data privacy bill on February 8th. The bill, sponsored by U.S. Rep. Patrick McHenry, would expand the scope of the Gramm-Leach-Bliley Act to include new data rules, including allowing consumers to manage how their personal information will be shared with financial institutions. “This proposal will modernize the current framework to better align with evolving technology and protect against the misuse or overuse of consumers’ personal information,” McHenry said.
CJEU Issues Ruling on DPOs, Conflict of Interest
The Court of Justice of the European Union issued a significant ruling for data protection officers Thursday, which centered around Article 38 of the EU General Data Protection Regulation. In it, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.” Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has confirmed. This decision will be an important consideration for privacy pros and organizations. 
European Commission Aims to Harmonize DPA Enforcement Approach
The European Commission announced its intention to propose legislation to better align national data protection authorities’ EU General Data Protection Regulation enforcement approaches. The European Commission described the proposal as a means to “streamline cooperation” among regulators and “harmonize some aspects of the administrative procedure the national data protection authorities apply in cross-border cases.”
US Supreme Court Passes on NSA Surveillance Program Claims
The U.S. Supreme Court declined to hear a case attempting to curtail the U.S. National Surveillance Agency’s online communications surveillance program. Advocacy groups sought to raise the case to the highest court after the U.S. Court of Appeals for the Fourth Circuit upheld the NSA’s practices. The NSA’s program allows for warrantless collection of online communications data as it moves through telecommunications systems. The program is authorized under Section 702 of the Foreign Intelligence Surveillance Act, which is up for renewal.
India’s Proposed Digital Personal Data Protection Bill to Cover Minors Under 18
India’s Ministry of Electronics and Information Technology defined a child as someone under 18 years old in the proposed Digital Personal Data Protection Bill. An official said the government would be allowed to revisit the definition after a year with an eye toward moving coverage to minors under 16. The official explained, “There is no reason why (the age) cannot be lowered” so long as companies can “assure us that they have put in place a proper framework” for data protection and prohibition of targeted advertising.
EDPB Adopts Guidelines on International Transfers
The European Data Protection Board adopted three sets of guidelines following public consultation. Updates to the EDPB’s guidelines on the application of the EU General Data Protection Regulation’s Article 3 and provisions on international transfers in Chapter 5 clarify a controller’s responsibilities when the data exporter is a processor. Guidelines offering designers and social media users recommendations on how to avoid deceptive design patterns and those on certification as a tool for transfers were also adopted.
Colorado Privacy Act Final Regulations Adopted
Final regulations for the Colorado Privacy Act rules were adopted and filed with the Colorado Secretary of State on February 23. The adopted rules, which take effect July 1, feature updates from the third revision of the draft regulations published on January 27. Updates in the final rules include clarifications on controller obligations for data minimization and privacy policies and consumer rights for universal opt-out signals.

Intelligence Feed: January 2023


California Privacy Law
The California Consumer Privacy Act went into effect in 2020 and was recently amended by the California Privacy Rights Act, which entered into force January 1. Additional targeted privacy legislation was passed by the state legislature in 2022, including the California Age-Appropriate Design Code Act. “California Privacy Law,” now in its newly updated fifth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.

New in the Fifth Edition:
I. A practical roadmap for compliance with the California Consumer Privacy Act (CCPA and CPRA) and regulations effective January 1, 2023
II. Detailed interpretive guidance on new and existing federal and California laws, including California’s new Genetic Information Privacy Act and Age-Appropriate Design Code Act and myriad other statutes
III. Insights from major federal and California cases, regulatory actions and settlements as of November 2022
IV. Updates on vendor contracting, privacy policy disclosures and risk mitigation measures
Comprehensive Privacy Laws Take Force in California, Virginia
The California Privacy Rights Act and the Virginia Consumer Data Protection Act took force January 1. The CPRA amends the existing California Consumer Privacy Act and hands enforcement powers to the California Privacy Protection Agency. Final CPRA regulations are pending final approval ahead of July 1 enforcement. Virginia’s law incorporates concepts from the CPRA, while other provisions carry their own nuances. The Virginia General Assembly used the 2022 legislative session to pass amendments to the law before it took effect.
Belarus Implements Cross-Border Transfer Rules
The director of Belarus’ National Center for Personal Data Protection signed an order implementing rules for the cross-border transfer of personal data. The order includes member states of the Eurasian Economic Union and defines allowable cases of cross-border data transfers, including transfers by state bodies and other organizations. The DPA said this will solve “issues related to the cross-border transfer by employers of personal data of their employees in cases necessary for the implementation of their labor functions.”
Attorney General Drops Revised Colorado Privacy Act Draft Rules
According to Husch Blackwell’s “Byte Back,” the Colorado attorney general’s office released revisions to the Colorado Privacy Act draft rules. The updated rules build off the first draft, published in September 2022, and reflect comments from three stakeholder sessions held in November 2022. Modifications include changes to provisions concerning privacy notices, consent, and data protection assessments. Tweaks were also made to language around universal opt-out mechanisms and dark patterns. The latest draft is under public comment through Feb. 1.
EDPB Releases Binding Decisions on Meta’s Legal Basis for Personalized Ads
The European Data Protection Board released its binding decisions on the legal basis used by Meta’s Facebook and Instagram for processing data for personalized advertising. The decisions were adopted under the EU General Data Protection Regulation’s Article 65 following two dispute resolution procedures triggered by Ireland’s Data Protection Commission. EDPB Chair Andrea Jelinek said the decisions “clarify that Meta unlawfully processed personal data for behavioral advertising,” adding the decisions “may also have an important impact on other platforms that have behavioral ads at the center of their business model.”
Canada Could See Federal and Provincial Privacy Bills Advanced in 2023
Canada is poised to potentially pass several major private sector privacy law reforms on both the federal and provincial levels, Dentons Canada Privacy and Cybersecurity National Practice Leader Chantal Bernier writes. She said the provinces of British Columbia and Quebec could implement EU General Data Protection Regulation-level fines and improved privacy rights for individuals. Federally, the omnibus C-27, containing the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, will be brought before Parliament again after being introduced last year.
Czech Republic DPA Publishes Plan for 2023
The Czech Republic’s data protection authority published its action plan for 2023. The DPA said it will focus on the “processing of personal data in attendance systems, when using social networks, in large-scale camera systems and on large processors or bailiffs.” It will also inspect select police information systems and focus on the field of telemarketing with cooperation from the Czech Telecommunications Office.
NIST Explores Potential Updates to Cybersecurity Framework
The U.S. National Institute of Standards and Technology has begun considering revisions to its Cybersecurity Framework 2.0. The agency published a concept paper outlining the first proposed updates since 2018, including modernized cybersecurity best practices, sector-specific requirements, and cybersecurity governance. The NIST said it looks at “making more substantial changes than in the previous update” to reflect “the evolving cybersecurity landscape.” The concept paper is up for public comment through March 3.
NIST Launches AI Risk Management Framework
The U.S. National Institute of Standards and Technology published its Artificial Intelligence Risk Management Framework. NIST said the voluntary framework aims to help the private and public sectors “adapt to the AI landscape as technologies continue to develop and to be used by organizations in varying degrees and capacities.” U.S. Department of Commerce Deputy Secretary Don Graves said the framework “should accelerate AI innovation and growth while advancing rather than restricting or damaging civil rights, civil liberties and equity for all.”
European Council, Parliament Reach Agreement on Access to E-Evidence
The Council of the European Union and the European Parliament reached an agreement on the draft regulation and directive on cross-border access to electronic evidence. The regulation enables judicial authorities to obtain or preserve e-evidence regardless of the data’s location. “With this agreement, we respond to a key request by our judicial authorities. More and more crimes are planned or committed online and our authorities need the tools to prosecute them as they do for crimes offline,” the Swedish Minister of Justice said.

US State Privacy Developments 

A recent summary from IAPP lists the following state privacy developments:

  • State Sen. Liz Brown reintroduced Senate Bill 5 to the Indiana Senate. Brown’s bill passed the Senate and two readings in the House during the 2022 legislative session. The bill is modeled after Virginia’s comprehensive privacy law. This year’s bill was assigned to the Senate Committee on Commerce and Technology.
  • Maryland House Bill 33 concerning biometric privacy was reintroduced. The bill passed the Maryland House in 2022 before stalling in the Senate.
  • State Sen. Angela Turner-Ford reintroduced Senate Bill 2080, the Mississippi Consumer Data Privacy Act. The bill was not acted upon after its 2022 introduction.
  • Oregon’s comprehensive privacy bill, Senate Bill 619, was introduced and awaits committee referral from the Senate president. The Oregon attorney general’s office drafted the bill, which is the product of a working group established during fall of 2022.
  • Oregon Senate Bill 196, the Oregon Age-Appropriate Design Code, was also introduced. The bill is modeled after the California Age-Appropriate Design Code Act passed in August 2022.
  • The Virginia House and Senate each introduced companion amendments to the state’s Consumer Data Protection Act. House Bill 1688 and Senate Bill 1026 propose updates to children’s privacy provisions in the comprehensive statute, notably raising the coverage to children age 18 and under.
  • Mississippi House Bill 467, the Biometric Identifiers Privacy Act, was introduced and referred to the Committee on the Judiciary A.
  • New York Assembly Bill 1362, the Biometric Privacy Act, was introduced and referred to the Committee on Consumer Affairs and Protection.
  • State Rep. Andrew Stoddard introduced an amendment to the Utah Consumer Privacy Act. House Bill 158 amends Utah’s law to include a carveout for law enforcement’s access to personal data with a warrant.
  • The Virginia Senate took up bills to amend the Virginia Consumer Data Protection Act. Senate Bill 1087 proposes provisions to protect genetic data privacy, while SB 1432 concerns protection of personal health records.
  • State Del. Wayne Clark introduced House Bill 2460, an act concerning children’s privacy, to the West Virginia House. The bill, which would bring privacy protections for children under 18, was referred to the House Committee on the Judiciary. 
  • Two comprehensive privacy bills were introduced to the Hawaii Senate. Senate Bill 974 and SB 1110 passed their first readings on the Senate floor and await committee referrals.
  • A subcommittee of the Iowa House Committee on Economic Growth and Technology passed Iowa House Study Bill 12, an act relating to consumer data protection, to the full committee on a 3-0 vote.
  • The Massachusetts Legislature will consider two comprehensive privacy bills in addition to Senate Bill 745. Senate Bill 1971, the Massachusetts Information Privacy and Security Act, and House Bill 3245, Internet Bill of Rights, both take aspects from the EU General Data Protection Regulation.

INSIGHTS IS PROVIDED BY RELIC LAW PLLC FOR GENERAL INFORMATION PURPOSES ONLY AND DOES NOT CONSTITUTE LEGAL ADVICE. PLEASE CONSULT YOUR LEGAL COUNSEL. ACCESSING INSIGHTS DOES NOT ESTABLISH AN ATTORNEY-CLIENT RELATIONSHIP. COMMUNICATIONS THROUGH THIS SITE MAY NOT BE PROTECTED BY ATTORNEY-CLIENT PRIVILEGE.


© Relic Law PLLC 2018-2021