Rohan Massey and Edward Machin, partner and counsel in Ropes & Gray’s data, privacy & cybersecurity practice, will be hosting a webinar on The EU AI Act – The Road to Compliance. The EU AI Act entered into force on August 1st, 2024. The Act is the first piece of comprehensive legislation to regulate the development, deployment and use of AI systems, and seeks to ensure that these systems are safe, transparent, traceable, non-discriminatory and environmentally friendly. Organizations now have a timeline for compliance of between 6 and 24 months, depending on the role they play under the Act and the risk and capabilities of their AI systems. This session will look at the requirements of the EU AI Act, its extra-territorial application and possible sanctions for non-compliance – and will provide an overview of what steps organizations should be taking now to ensure that they can comply with the Act.

The webinar will take place on September 18, 2024, 12-1pm ET. Click here to register.

We request all attendees register by September 16. For any questions, please email Tierney.DeRobertis@ropesgray.com.

Ropes & Gray data, privacy & cybersecurity associate Matthew Cin spoke with Law360 about Illinois’s recent amendments to its Biometric Information Privacy Act (BIPA). Ever since it was enacted in 2008, BIPA, which can restrict companies from collecting and sharing biometric data without data subjects’ consent, has been a source of privacy-related litigation and prompted confusion around what constitutes a violation for the purpose of calculating damages. The amendments, which were signed into law earlier this month, provide clarity that a company only violates the statute once, even if it collects biometric data multiple times from the same person, using the same means. Read the full Law360 article here, and see further analysis of the amendments in our blog post here.

On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward in correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended, now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.

Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas

On July 9, 2024, the White House Office of Science and Technology Policy (“OSTP”) issued highly anticipated final guidelines setting forth a framework under which academic research institutions must establish and operate formal research security programs (the “Final Guidelines”).[1] These final guidelines will be critically important to research operations at universities, academic medical centers, and other research institutions, and will affect the daily operations of, for example, such institutional offices as information technology, privacy, sponsored research, international programs, in-house legal counsel, export controls, and faculty affairs. Specifically, the Final Guidelines establish a definition of “Covered Institution” and outline standardized requirements that institutions must adopt relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training.

We have prepared a timeline of the implementation deadlines set forth in the Final Guidelines at the end of this Alert. Click here to read.

Last Friday arrived with the crash of millions of Windows computers used by companies across the globe, including critical infrastructure sectors such as hospitals, banks, airlines, and government agencies. Despite quick retraction of the cause, cascading effects continued throughout the day and into the weekend, demonstrating the widespread impact and significant business interruption losses. The outage is expected to trigger more stringent cybersecurity regulations, changes in cybersecurity governance, and adjustments to cyber insurance policies.

Continue Reading Navigating Cyber Risks: Learning from Outages

On April 4, 2024, the Federal Communications Commission (“FCC”) adopted new rules updating the Telephone Consumer Protection Act’s (“TCPA”) requirements regarding a consumer’s ability to revoke consent to receive calls and messages (collectively “messages”). Generally speaking, the TCPA in part restricts messages sent using an automated telephone dialing system absent the organization obtaining the necessary prior consent from the consumer. Importantly, the rules (1) further clarify the ways in which a consumer may revoke consent; (2) require that organizations honor requests within a reasonable time; and (3) clarify the process by which organizations can confirm the scope of a consumer’s request to revoke consent to receive further messages. We unpack these key developments in more detail below.

Continue Reading FCC Provides Long-Awaited Clarification on Revocation of Consent

With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.

Continue Reading Rhode Island Joins the Fray with New Comprehensive State Privacy Law

On 12 July 2024, the EU AI Act (“AI Act”) was published in the Official Journal of the European Union. As the AI Act will enter into force 20 days from the date of its publication (1 August 2024), this starts the clock for organisations within the scope of the AI Act to prepare for compliance. 

The exact amount of time organisations have to comply with their relevant provisions under the AI Act will depend on the role they play under the AI Act, as well as the risk and capabilities of their AI systems. For example, providers[1] of general-purpose AI systems will be required to comply with the requirements of the AI Act before providers of high-risk AI systems. 

Continue Reading EU AI Act Published in the Official Journal of the European Union; Clock Starts for Compliance

Tune in to the latest episode of Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Washington, D.C., and Edward Machin, counsel in London, discuss the latest developments keeping the data team busy, including the drive to build AI governance programs in Europe and the U.S. and the launch of a new state privacy law microsite. The microsite features an interactive map of the U.S. that captures the rapidly developing privacy laws emerging from each state.

Click here to listen.

On May 16, 2024, the SEC issued a release (the “Release”) adopting amendments to Regulation S-P (the “Amendments”) that require broker-dealers, registered investment companies (together, with business development companies, “registered funds”) and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days. The Amendments are substantially identical to the proposals in the 2023 proposing release.

Click here to read the Ropes & Gray client alert for more details on the Amendments.