Tune in to the first episode of Ropes & Gray’s new podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series will focus on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. This edition celebrates World Data Protection Day, which took place on January 28, by answering questions submitted by our clients and contacts about the landscape of the data, privacy and cybersecurity field of law. Join your hosts Fran Faircloth, a partner in Ropes & Gray’s data, privacy & cybersecurity practice based in Washington, D.C., and Edward Machin, a London-based associate in the same group, as they explore topics including the proposed adequacy decision for EU-U.S. data transfers, the likelihood of a U.S. federal privacy law, ransomware demands and other strange and interesting privacy trends as we look ahead into 2023. Click here to listen to their perspective on these matters.

On January 28 we celebrate Data Protection Day, the anniversary of the Council of Europe’s Convention 108, the first legally binding international law on data protection, which was signed on January 28, 1981. Data Protection Day is a chance for us to raise awareness about data protection and privacy, reflect on the progress made over the past four decades, and discuss pressing issues that the field is facing now.

To mark the occasion, Ropes & Gray will be releasing the first episode of our data, privacy and cybersecurity podcast, and we need your help! Send us your most difficult questions. What keeps you up at night? Will the US ever get a comprehensive federal privacy law—and what will it look like? Will there be a Schrems 3—and who will win? My co-host, Edward Machin, and I, along with other members of our team, will respond to as many of your questions and comments as possible.

All industries and topics are welcome. You can direct message us on LinkedIn or send an email to dataphiles@ropesgray.com. We look forward to hearing from you!

The Ropes & Gray Decoding Digital Health podcast series discusses the digital health industry and related legal, business and regulatory issues. In this episode, Digital Health Initiative co-lead and health care partner, Christine Moundas, interviews health care partner and member of the digital health group, David Peloquin. They discuss the legal challenges and potential solutions that health care and life sciences companies face when transferring health data from Europe to the U.S. You can listen to their full discussion here.

We’ve been closely watching the evolution of telemarketing laws since the Supreme Court’s 2021 decision in Facebook v. Duguid, which held that most modern dialing systems are not autodialers—or “automated telephone dialing systems” under the Telephone Consumer Protection Act (TCPA). The Facebook decision led to a flurry of legislative activity at both the state and federal levels. Florida and Oklahoma enacted state-level statutes that have been interpreted to cover modern dialing systems, and Georgia, Washington, Michigan and other states have considered similar legislation. At the federal level, a new bill was proposed in July 2022 that would have amended the TCPA to cover 21st century dialing technologies—not just those using a random or sequential number generator. The federal bill has not made any meaningful progress, but a recent request from FCC Chairwoman Jessica Rosenworcel may prompt the legislature to act.

Continue Reading Game of Phones: Revisiting the Autodialer

For decades, health care providers that are subject to both HIPAA and to the specialized Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (known as “Part 2”) have had to navigate differing, and at times divergent, privacy and confidentiality rules applicable to patient health information and patient records. These disparate privacy rules have, for many providers, served as a hindrance to the information sharing necessary to facilitate coordinated care. On December 2, 2022, OCR and SAMHSA released long-awaited proposed changes to Part 2 through a Notice of Proposed Rulemaking (the “Proposed Rule”) to better harmonize HIPAA and Part 2.

Click here to read Ropes and Gray’s Client Alert on the proposed changes.

Introduction

Throughout 2022, cybersecurity lawyers have kept their eyes firmly fixed on two pieces of EU cybersecurity legislation: the NIS2 Directive (“NIS2”) and the Cyber Resilience Act (the “CRA”). With NIS2 having been formally enacted by the EU and the draft text of the CRA being published by the European Commission in September 2022, businesses should take time in 2023 to digest the implications of NIS2 and the CRA on their cybersecurity compliance programmes, both in terms of organisational measures and product compliance.

Continue Reading 2023 – A Year for Reflection on EU Cybersecurity

In 2022, children’s online privacy and safety have been top of mind in many state legislatures and interest groups, and the California legislature successfully passed legislation focused on children’s privacy. California’s new bipartisan law (AB-2273), the California Age-Appropriate Design Code Act (“CAADCA”), which targets privacy and safety protections for children and teens on online platforms such as TikTok, Instagram, and YouTube, was signed by Governor Gavin Newsom on September 15, 2022, and goes into effect July 1, 2024.

Continue Reading California’s New Children’s Privacy Law is Set to Come into Effect in 2024

The new approach to regulatory and enforcement action adopted by the UK Information Commissioner’s office (ICO) looks set to continue in 2023. The ICO has indicated recently that it is modifying its attitude towards regulatory action in respect of public sector organisations. It has also noted that enforcement does not necessarily equate to fines, but includes various other “corrective powers,” including warnings, reprimands, compliance orders, limitation orders, erasure of data and suspension of data flows.

Going forward, the ICO intends to regulate for outcomes rather than outputs, observing that the number or level of fines should not be used as a yardstick by which to judge the ICO’s success and that achieving preferential outcomes and publicising these may have a more significant impact on UK citizens’ rights than monetary penalties might achieve.

Continue Reading UK Information Commissioner’s Office Highlights New Strategic Approach to Regulatory Action

In the new year, comprehensive privacy laws go into operation in five states: California (January 1), Virginia (January 1), Colorado (July 1), Connecticut (July 1), and Utah (December 31). Subsequent blog posts will cover each of these laws in detail. In this post, we begin a series analyzing the impact of the California Privacy Rights Act (“CPRA”) in greater depth.

The CPRA will go into operation on January 1, 2023 and will be enforceable by the newly created California Privacy Protection Agency (“CPPA”) beginning on July 1, 2023. Passed by ballot initiative in November 2020, the CPRA amends and expands the California Consumer Privacy Act (together with the CPRA, the “CCPA/CPRA”), already the most far-reaching privacy legislation currently in operation in the United States. As amended, the CCPA/CPRA expands consumer privacy rights and data processing obligations, creating new rights to limit the use of sensitive personal information and to correct personal information stored by a business. It implements certain “principles of processing” like the purpose limitation, requiring businesses to evaluate their uses of personal information to ensure they are proportionate to the requirements of disclosed business and commercial purposes. It also enhances opt-out rights in the context of cross-context behavioral advertising and requires that businesses enter into new contractual terms with service providers to which they disclose the personal information of California residents.

Continue Reading Companies Wrestle with Compliance in the Lead Up to Effectiveness of the CPRA and Other State Privacy Laws

International transfers of personal data under the UK GDPR are set to continue to be a key topic in 2023, in particular, regarding new UK adequacy regulations, transatlantic data flows, and updated guidance regarding the UK’s International Data Transfer Agreement (IDTA).

While 2022 saw the Department for Digital, Culture, Media & Sport (DCMS) and ICO comment on imminent updates on these issues, very little has actually materialised, leaving businesses and commentators alike hopeful that 2023 will be a year of increased certainty when undertaking restricted international transfers subject to the UK GDPR.

Continue Reading UK GDPR: What Will 2023 Hold for International Data Transfers?