On 22 May 2023, the Irish data protection regulator (DPC) announced that it had issued a record-breaking €1.2 billion fine in a decision relating to non-compliant EU-to-U.S. data transfers under the GDPR. This fine imposed by the DPC substantially overshadows the previous record of €746 million under the GDPR, and raises several concerns for organisations transferring personal data from the EU to the U.S.

Continue Reading From Likes to Strikes: The Implications of the Record-Breaking EU €1.2 Billion GDPR Fine

On May 25, 2023 Gov. Ron DeSantis signed into law an amendment (Amendment) to the Florida Telephone Solicitation Act (FTSA), clarifying ambiguities and corralling what has been a runaway gust of telemarketing litigation since the passage of the FTSA almost two years ago. Under the FTSA, an individual could bring suit against a telemarketer for using an automated telephone dialing system (ATDS) that simply selected phone numbers or dialed telephone numbers to place calls or send messages without prior consent. In other words, even if the caller dialed the phone number manually, the call would still be subject to the FTSA if the number was automatically selected using software. This Amendment clarifies that suit can be brought only if the ATDS both selects and dials the phone number. While still not specifically defining what constitutes an ATDS, this two-part test should stem the flow of FTSA litigation by greatly narrowing the present standard.

Continue Reading Sunshine State Clarifies Telemarketing Regulation, Quieting Storm of Litigation Blown In by Florida Telephone Solicitation Act

The debate concerning the UK’s controversial Online Safety Bill (OSB) has continued to rumble on in recent days, with the UK Government reportedly again being warned that there is a real risk that certain messaging apps could be withdrawn from the UK if compromises cannot be reached on a number of issues.  

The OSB, which is currently being debated in the House of Lords, aims to increase the responsibility of social media platforms for their users’ safety.  It is intended to protect both children and adults in various ways.  

Continue Reading Controversy around the UK’s Online Safety Bill continues

Since 2000, technological advances have transformed how customers interact with financial institutions and how such firms store, process and protect personal information. The proliferation of large-scale hacks and data breaches throughout this time simultaneously demonstrated the difficulty of data protection given the ever-evolving nature of cybercrime. Despite these developments, the SEC has failed to update Regulation S-P, or promulgate additional binding cybersecurity rules, until now. A recent article in the New York Law Journal by Ropes & Gray attorneys Edward McNicholas and Briana Fasone takes a deeper dive at this new development.  You can read the full New York Law Journal article here.

On April 27, 2023, Washington Governor Jay Inslee signed into law the “My Health My Data Act,” (the “Act”), beginning the 11-month countdown until this new, broad privacy law takes effect. The Act distinguishes itself from other recent state privacy law legislation in that it is specifically health care focused—aiming to protect health data that falls outside the scope of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In attempting to safeguard this category of information, Washington has enacted a broad law that will require robust compliance efforts from entities generally considered outside of traditional health care regulatory regimes. Further, the private right of action present in the Act sets a new stage for potential litigation and subsequent changes based on judicial interpretation.

In this Alert, we provide a summary of key provisions of the new law, compliance concerns, and actions businesses can take to prepare for the March 31, 2024 effective date.

Click here to read the full Alert.

On this episode of the R&G Tech Studio, litigation & enforcement partner Ama Adams, who’s also the managing partner of Ropes & Gray’s Washington, D.C. office, sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how she helps clients bridge the gap between ongoing national security concerns and the rapidly evolving technology landscape.

Click here to listen to their discussion

Find an umbrella. . . .  The recent deluge of state-level privacy legislation continues.  Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws.  The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon.  Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later his year.  Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).  

Continue Reading When It Rains, It Pours (State Privacy Laws)

Tune in to the third episode of Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray’s Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Jackie Koven, who is head of cyber threat intelligence at blockchain analysis firm, Chainalysis.

Click here to listen as they discuss how Jackie and the Chainalysis team track cybercriminals and nation-state actors who are involved with ransomware payments and other cryptocurrency schemes.

A number of encrypted messaging services have signed an open letter calling on the UK Government to reconsider various aspects of the Online Safety Bill (OSB) pending its final reading in the House of Lords, over concerns that the bill could threaten end-to-end encryption.

End-to-end encryption currently delivers a strong level of security for electronic messages, meaning that messages can only be read on the apps of the sender and intended recipient.  

Continue Reading Messaging Apps Call for Re-evaluation of the Online Safety Bill

On this episode of the R&G Tech Studio, intellectual property transactions and technology co-leader Megan Baca, who’s also co-leader of the firm’s digital health initiative, sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss the innovation of AI and its impacts on collaboration, research and development, particularly in the digital health space. Click here to listen to their discussion.