Washington Senate Passes Health Data Bill
In a 27-21 vote, the Washington Senate passed HB 1155 proposed legislation on the collection, sharing, and selling of consumer health data. The bill grants consumers the right to access, delete and withdraw consent regarding health data, requires regulated entities and small businesses to obtain consent to collect, share or sell consumer health data, and makes violations enforceable under the Consumer Protection Act which includes a private right of action. The bill passed the House on March 4th.
Arkansas Passes Children’s Social Media Bill
The Arkansas House of Representatives voted on the final approval of Senate Bill 396, the Social Media Safety Act. The bill aligns with Utah’s social media bill on age verification and parental consent for use by minors under age 18. The effective date, pending the governor’s signature, is September 1st.
NTIA Seeks Comments on AI Accountability
The U.S. Department of Commerce’s National Telecommunications and Information Administration published an “AI Accountability Request for Comment.” The NTIA is seeking input on creating trust in artificial intelligence through policies supporting the development of AI audits, assessments, certifications and other mechanisms. “Much as financial audits create trust in the accuracy of a business’s financial statements, so for AI, such mechanisms can help provide assurance that an AI system is trustworthy,” the administration said.
EDPB Launches ChatGPT Task Force
The EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the IE DPA on the legality of data transfers to the United States by Meta Platforms Ireland Limited (Meta IE) for its Facebook service. The binding decision addresses important legal questions arising from the draft decision of the Irish DPA as a lead supervisory authority (LSA) regarding Meta IE. The EDPB binding decision plays a key role in ensuring the correct and consistent application of the GDPR by the national Data Protection Authorities. More specifically, in its binding decision, the EDPB settles the dispute on whether an administrative fine and/or an additional order to bring processing into compliance must be included in the Irish DPA’s final decision.
Irish DPC Publishes Guides on Children’s Data Protection Rights
Ireland’s Data Protection Commission published four guides for parents on children’s data protection rights under the EU General Data Protection Regulation. The guides outline the basics of children’s data protection rights, when parental consent may be needed for processing children’s data, advice on how parents can protect their children’s data, and limits to exercising children’s data protection rights. The DPC said the guides are meant to help parents understand their children’s rights “and to answer questions that can arise in typical situations where those rights apply.”
DIFC Launches Data Protection Law Consultation
The Dubai International Financial Centre announced a consultation on proposed amendments to Data Protection Law regulations. The proposed updates aim to “establish additional areas of regulation that support robust implementation” of the DPL. Topics covered within the updates include data breaches, controller and processor obligations in digital enablement technology systems, and incorporating privacy by design or default in artificial intelligence deployments.
OpenAI Could Face GDPR Compliance Challenges
MIT Technology Review reports OpenAI faces challenges in complying with EU data protection laws due to its use of data to train its ChatGPT models. OpenAI would have to prove consent or “legitimate interest” as a legal basis for collecting data to train its algorithms to comply with the EU General Data Protection Regulation. If it can’t, France’s data protection authority, artificial intelligence expert Alexis Leautier said OpenAI could face fines and requirements to delete models and the data used to train them.
European Commission Agrees to Draft Proposal for Cyber Solidarity Act
The European Commission announced the adoption of a proposal for the EU Cyber Solidarity Act. The draft legislation intends “to strengthen cybersecurity capacities in the EU” by offering “support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities.” The commission said the legislation would lead to greater member-state cooperation and “response capabilities” across the EU.
Israel Committee Approves Adoption of Draft Regulations on Data Transfers from EEA
Israel’s Constitution, Law, and Justice Committee approved the adoption of the draft Privacy Protection Regulations on the transfer of data from the European Economic Area to Israel. The regulations include provisions on deleting data upon request, deleting excess personal data, maintaining the accuracy of personal data, and obligations to notify that data has been transferred.
US House Subcommittee Schedules Latest Privacy Hearing
The U.S. House Committee on Energy and Commerce’s Subcommittee on Innovation, Data, and Commerce will hold a hearing on April 27th focused on federal privacy legislation. It’s the latest Energy and Commerce subcommittee hearing aimed at building momentum toward the reintroduction and passage of the proposed American Data Privacy and Protection Act out of the House during the current legislative session. Energy and Commerce Chair Cathy McMorris Rodgers, and Innovation, Data, and Commerce Chair Gus Bilirakis, said the hearing will show “the gaps that exist in order to strengthen people’s privacy protections on online services and preserve innovation and entrepreneurship.”
Forthcoming US Senate Bill Would Set Age Minimum for Social Media Access
A bipartisan group of U.S. senators is expected to introduce legislation setting age requirements for children to access social media platforms. The bill would prohibit children under 13 from accessing social media altogether, while children ages 13-17 would be allowed with parental consent. However, the anonymous Senate aide who spoke with the publication did not detail how children’s ages would be verified. The bill would also put restrictions on how social media companies use their algorithms to target minors.
Nevada Senate Passes a Health Data Privacy Bill
In a 13-8 vote, the Nevada Senate passed Senate Bill 370, which is “an act relating to data privacy; requiring certain entities to develop a policy concerning the privacy of consumer health data.” The bill would also bar healthcare companies from collecting or sharing patients’ health information “without the affirmative, voluntary consent of a consumer.”