Latest Revisions to Colorado Privacy Act Draft Rules
The Colorado attorney general’s office released the second set of revisions to the Colorado Privacy Act draft regulations. Changes from the last revisions released in January include tweaks to business requirements for privacy notices, universal opt-out mechanisms, and honoring consumer rights and opt-out requests. With rules for universal opt-out mechanisms, the updates work to create more interoperability between U.S. comprehensive state privacy laws. Colorado’s privacy law is effective July 1.
EU, US Announce AI Research Pact
The EU and U.S. governments signed an administrative arrangement to facilitate collaborative research on artificial intelligence. The agreement is part of the EU-U.S. joint AI roadmap devised during the third EU-U.S. Trade and Technology Council meeting in December 2022. U.S. National Security Advisor Jake Sullivan said the arrangement “will drive responsible advancements in AI to address major global challenges,” while European Commissioner for the Internal Market Thierry Breton said EU and U.S. researchers “will join forces to develop societal applications of AI and will work with other international partners for a truly global impact.”
Slovenia’s Personal Data Protection Act Enters into Force
Slovenia’s Personal Data Protection Act is now in force. The law, adopted Dec. 15, 2022, includes “transmission of personal data in the public and private sector,” regulation of biometrics, “personal data processing for research, archival and statistical purposes,” and more. Since the regulation’s adoption, the information commissioner has been updating guidelines and materials to assist managers and processors of personal data as well as individuals.
European Commission Publishes Guidelines for Digital Services Act User Reporting
The European Commission released guidance to assist companies in complying with the Digital Services Act’s user reporting requirements. The reporting will help determine whether increased DSA obligations for “very large” online platforms and search engines are to be applied. Under the law, additional obligations are triggered for companies that “show that they reach more than 10% of the EU’s population.” Companies are required to report initial user numbers by Feb. 17 and offer updates at least once every six months after.
EU and Singapore Sign New Digital Partnership
The European Union and Singapore announced an agreement on a new digital partnership, which includes improving cooperation on “cutting-edge technologies” like artificial intelligence and ensuring cross-border data transfers comply with data protection rules. The agreement paved the way for the EU and Singapore to establish Digital Trade Principles, illustrating their shared commitment to an open, fair, and competitive digital economy, without unjustified trade barriers.
US House to Review Draft Financial Data Privacy Bill
A subcommittee of the U.S. House Financial Services Committee will review a draft financial data privacy bill on February 8th. The bill, sponsored by U.S. Rep. Patrick McHenry, would expand the scope of the Gramm-Leach-Bliley Act to include new data rules, including allowing consumers to manage how their personal information will be shared with financial institutions. “This proposal will modernize the current framework to better align with evolving technology and protect against the misuse or overuse of consumers’ personal information,” McHenry said.
CJEU Issues Ruling on DPOs, Conflict of Interest
The Court of Justice of the European Union issued a significant ruling for data protection officers Thursday, centered on Article 38 of the EU General Data Protection Regulation. In it, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.” The court confirmed that data protection officers can maintain other tasks and duties within their role if they do not result in a conflict of interest. This decision will be an important consideration for privacy pros and organizations.
European Commission Aims to Harmonize DPA Enforcement Approach
The European Commission announced its intention to propose legislation to better align national data protection authorities’ EU General Data Protection Regulation enforcement approaches. The European Commission described the proposal as a means to “streamline cooperation” among regulators and “harmonize some aspects of the administrative procedure the national data protection authorities apply in cross-border cases.”
US Supreme Court Passes on NSA Surveillance Program Claims
The U.S. Supreme Court declined to hear a case attempting to curtail the U.S. National Surveillance Agency’s online communications surveillance program. Advocacy groups sought to raise the case to the highest court after the U.S. Court of Appeals for the Fourth Circuit upheld the NSA’s practices. The NSA’s program allows for warrantless collection of online communications data as it moves through telecommunications systems. The program is authorized under Section 702 of the Foreign Intelligence Surveillance Act, which is up for renewal.
India’s Proposed Digital Personal Data Protection Bill to Cover Minors Under 18
India’s Ministry of Electronics and Information Technology defined a child as someone under 18 years old in the proposed Digital Personal Data Protection Bill. An official said the government would be allowed to revisit the definition after a year with an eye toward moving coverage to minors under 16. The official explained, “There is no reason why (the age) cannot be lowered” so long as companies can “assure us that they have put in place a proper framework” for data protection and prohibition of targeted advertising.
EDPB Adopts Guidelines on International Transfers
The European Data Protection Board adopted three sets of guidelines following public consultation. Updates to the EDPB’s guidelines on the application of the EU General Data Protection Regulation’s Article 3 and provisions on international transfers in Chapter 5 clarify a controller’s responsibilities when the data exporter is a processor. Guidelines offering designers and social media users recommendations on how to avoid deceptive design patterns and those on certification as a tool for transfers were also adopted.
Colorado Privacy Act Final Regulations Adopted
Final regulations for the Colorado Privacy Act were adopted and filed with the Colorado Secretary of State on February 23. The adopted rules, which take effect July 1, feature updates from the third revision of the draft regulations published on January 27. Updates in the final rules include clarifications on controller obligations for data minimization and privacy policies and consumer rights for universal opt-out signals.