Attorney General Publishes Colorado Privacy Act Draft Regulations
The Colorado attorney general’s office released draft regulations for the Colorado Privacy Act. The draft rules include clarity around the definition of biometric information, responses to data subject requests, disclosure requirements for customer loyalty programs, and privacy notice updates. The draft rules also add a category for sensitive data inferences. The attorney general announced stakeholder meetings on the draft rules in November as well as a public hearing February 1, 2023.
UK-US Data Access Agreement Takes Effect
The U.S. Department of Justice announced the Data Access Agreement concerning criminal data sharing between the U.K. and the U.S. entered into force October 3rd. The two countries will share data under “qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures.” The DOJ added that the agreement brings “more timely and efficient access to electronic data required in fast-moving investigations through the use of orders covered.” The agreement is authorized under the Clarifying Lawful Overseas Use of Data Act, a law enacted by U.S. Congress in 2018.
Council of the European Union Approves Digital Services Act
The Czech Presidency of the Council of the European Union announced final approval of the Digital Services Act. Czech Minister for Industry and Trade Jozef Síkela touted the law as “the gold standard for other regulators in the world” given how it sets “new standards for a safer and more accountable online environment.” The DSA will apply to companies 15 months after it is published in the EU Official Journal.
White House Issues Executive Order to Stand up EU-US Data Flows
The U.S. took the latest step forward in finalizing a new EU-U.S. data flow agreement. U.S. President Joe Biden issued the long-awaited executive order mandating new legal safeguards over U.S. national security agencies’ access and use of EU and U.S. personal data. The process of finalizing the EU-U.S. Data Privacy Framework now falls to the European Commission, which will begin a ratification process that may take up to six months.
OECD Publishes Cross-Border Data Flows Report
The Organization for Economic Cooperation and Development released a report examining global policies and initiatives around data flows. The OECD aims to advance “a common understanding and dialogue” among the G-7 members while supporting “coordinated and coherent progress in policy and regulatory approaches that leverage the full potential of data for global economic and social prosperity.” The report covers unilateral cooperation, inter-governmental processes, and technological and organizational measures.
CPPA Publishes First Modifications of CPRA Draft Regulations
The California Privacy Protection Agency released updated California Privacy Rights Act draft regulations with a summary of the latest modifications. These are the first updates to the initial draft rules published on May 31, which cover select topics under the CPRA, including personal data collection and use restrictions, mandatory user opt-out signal acknowledgement and privacy notice requirements.
Council of the European Union Nears Final AI Act Text
The Czech Presidency of the Council of the European Union offered its latest compromise text for the proposed Artificial Intelligence Act, Euractiv reports. The fourth compromise features updates around requirements for law enforcement’s use of AI, additional transparency obligations, an implementing act from the European Commission and additional penalty calculation factors. The text will be discussed by the council’s Working Party on Telecommunications and Information Society October 25 and, if no issues are raised, potentially agreed to by mid-November.
Third Circuit Shows How to Establish Standing in Data Breach Cases
A recent decision by the U.S. Court of Appeals in the case Clemens v. ExecuPharm Inc. gives new hope to plaintiffs in class-action lawsuits over data breaches, as it is the first appellate decision on standing in data breach cases since the U.S. Supreme Court seemed to close the door on many such cases in 2021. The ruling is further evidence that some courts will continue to find ways to let data breach litigation go forward even if the affected consumers have not suffered identity theft or fraud from misuse of their information. The court concluded with a very broad statement: “Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact.” However, this has to be read in conjunction with the court’s three-step analysis: the risk of future harm must be substantial, the claim must have a close relationship to matters traditionally heard by American, or English, courts at the time the Constitution was adopted, and there must be a separate, current injury.
Guidelines 9/2022 on Personal Data Breach Notification Under GDPR
The EDPB published an updated version of the Guidelines on personal data breach notifications under the GDPR. Whereas the previous guidelines provided that “notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established” (Guidelines on Personal data breach notification under Regulation 2016/679 – WP250 (rev.01) – endorsed by the EDPB on 25 May 2018 – page 18), the revised Guidelines 9/2022 state that “[…] the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller.”
Australia Introduces Bill to Significantly Increase Data Breach Penalties
Australian Attorney-General Mark Dreyfus introduced to the Parliament of Australia a bill to “significantly increase penalties for repeated or serious privacy breaches.” The Privacy Legislation Amendment Bill 2022 proposes increases to the current fine scheme under the Privacy Act 1988, which carries a maximum fine of AU$2.22 million. Under the proposed three-factor scheme, violators face an AU$50 million fine, or penalties based on data monetization, or 30% of adjusted quarterly turnover. “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” Dreyfus said, noting the bill is a response to recent data breaches involving Optus and MyDeal.
US Dept. of Commerce Appoints 16 Members to IoT Advisory Board
The U.S. Department of Commerce appointed 16 members to the new Internet of Things Advisory Board, according to the U.S. National Institute of Standards and Technology, which will provide administrative support. The board will advise the Internet of Things Federal Working Group in areas including federal regulations, programs or policies involving IoT, as well as IoT-related challenges and opportunities for small businesses and internationally. Members, who will serve two-year appointments, have backgrounds in academia, industry and civil society.
CFPB Launches Financial Data Rights Rule-Making
The U.S. Consumer Financial Protection Bureau launched a financial data rights rulemaking seeking to strengthen customers’ access to and control over their financial data. The proposed rule would implement section 1033 of the Dodd-Frank Act, which states consumers have the right to access information about their financial accounts. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said, adding the rulemaking has the potential to jumpstart competition, giving Americans new options for financial products.
EU Digital Services Act
The Digital Services Act was published in the Official Journal of the European Union October 27th. The DSA, which harmonizes conditions for the provision of intermediary services and increases transparency requirements for online intermediaries, will enter into force November 16th.