On 5 March 2024, the UK data protection regulator (ICO) published guidance on biometric recognition (the Guidance), following a consultation with stakeholders in October 2023. The Guidance clarifies the concept and properties of biometric data and provides practical considerations for organisations contemplating or using biometric recognition systems.

Continue Reading ICO Publishes Biometric Data Guidance

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO. The Ropes & Gray team provided detailed analysis on both the EO and ANPRM here.

Continue Reading Lawmakers Pass Milestone Privacy Bill Overshadowed by TikTok Fever

In a Bloomberg Law article, attorneys examined Washington State’s comprehensive new privacy law, the My Health My Data Act, the first state law that specifically safeguards consumer health data.

The article discusses the new law’s scope, applicability, and ensuing company obligations. The Act will apply to many life sciences companies, pharmaceutical and device manufacturers, and is enforceable through a private right of action, creating a risk of class action litigation related to potential violations.

The Act requires regulated entities and small businesses to develop a website privacy policy; secure opt-in consent prior to collecting and sharing identifiable consumer health data; obtain prior authorization to sell consumer health data; create mechanisms to track, respond to and grant consumer rights; implement reasonable security measures; ensure data protection agreements are in place with processors; and eliminate any geofences around entities that provide in-person health care services.

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can help organizations measure their cybersecurity practices and hone their data protection priorities.[3]

Continue Reading NIST Publishes Long-Awaited Cybersecurity Framework 2.0

Employee monitoring isn’t new, but its extent and the way it is conducted have changed significantly in the last few decades; we have come a long way from the punch cards of the 1900s to the current use of video surveillance, e-comms monitoring and AI, among other monitoring tools.

Part of this comes from the usual progress of technology, the drive to make more data-centric decisions and organisational pressures to maximise efficiency. However, part of this also comes as a result of the COVID-19 pandemic, as the rise of hybrid working meant that organisations had to adopt new technologies to monitor employees who were working remotely.

Recent decisions by the CNIL and ICO in the last few months, however, highlight the flipside of using such technologies, as the use of video surveillance and biometric data (including facial recognition) for employee monitoring purposes led to enforcement action (including a €32 million fine) in these decisions. With the EU’s AI Act looming on the horizon, the use of AI for employee monitoring purposes may also add the obligations of the AI Act to an organisation’s already extensive list of compliance considerations.

Click here to read our article exploring the takeaways from these decisions, as well as practical considerations for organisations when conducting employee monitoring using certain technologies.

On February 28, 2024, President Biden announced an Executive Order directing the Department of Justice to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, and the restrictions would also apply to any entity owned by, controlled by, or subject to the jurisdiction or direction of a country of concern as well as any person “knowingly causing or directing, directly or indirectly, a violation” of the regulations.

Click here to read Ropes & Gray’s Client Alert detailing the new EO.

Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement reinforces the Attorney General’s repeated message that privacy will continue to be a priority for his office while the new California Privacy Protection Agency (CPPA) is getting up to speed.

Continue Reading DoorDash and California Attorney General Reach Settlement Over Privacy Allegations

On February 9, 2024, a California state court of appeal unanimously vacated a lower court ruling, green-lighting the California Privacy Protection Agency’s authority to commence enforcement of the Agency’s first set of regulations. Until now, the Agency’s authority to enforce regulations it has promulgated under the California Consumer Privacy Act (“CCPA”) has been delayed. The Agency had been poised to begin enforcing its latest batch of completed privacy regulations on July 1, 2023, but a trial court’s ruling put this work on hold until March 29, 2024. That hold has now evaporated, and so the Agency can commence enforcement activities with immediate effect. The decision also impacts future Agency rulemaking such as the Agency’s draft regulations on cybersecurity audits, privacy impact assessments, and automated decision-making, which will no longer be subject to the 12-month stay of enforcement.

Continue Reading California Court of Appeal Restores CPPA Authority to Enforce Privacy Regulations

The FCC has issued a declaratory ruling, employing the protections of the Telephone Consumer Protection Act (TCPA) to outlaw robocalls that use AI-generated voices. The Commission’s unanimous decision was spurred by public fallout from the doctored audio message of a purported President Biden urging voters in New Hampshire not to vote in the state’s Democratic primary last month. The announcement makes clear that the potential for malicious actors to use AI to deceive voters and subvert democratic processes is top-of-mind for the government this election year. This is not the first time that the TCPA has been used to protect the public from election interference, but rather than going after individual actors for individual instances of election interference as it has in the past, this decision creates a much wider blanket ban on AI-generated voices in robocalls, which will cover election-related AI-generated calls among others.

Continue Reading 2024 Is Set To Be Democracy and Deepfakes’ Biggest Year. Is U.S. Legislation …Ready For It?

Tune in to Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this special episode, in honor of World Data Privacy Day coming up on January 28, hosts Fran Faircloth, a partner in Ropes & Gray’s Washington, D.C. office, and Edward Machin, counsel in the London office, discuss the most important steps they advise clients to take to protect their business and their data from a cybersecurity attack.

Click here to listen.