Privacy/Data Protection

On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”).

On February 17, 2023, the exposure risk of a company found to be violating Illinois’ Biometric Information Privacy Act (BIPA) increased to a potentially crippling amount. What was previously commonly understood to entail a maximum of $1,000 per negligent (or $5,000 for reckless) violation per plaintiff now authorizes a $5,000 fine per instance of collection, turning—for example—the nonconsensual use of an employee’s fingerprint for clocking in and out of work multiple times per day into 1,040 violations of BIPA per year if a full-time employee clocks in and/or out just four times each day, potentially resulting in estimated damages of $1,040,000 for negligent violations or $5,200,000 for reckless violations.

Continue Reading BIPA Ahead: A New Ruling Introduces a Staggering Depth Beneath the Tip of the BIPA Iceberg

On Friday, February 3, 2023, the California Privacy Protection Agency (the “CPPA”) Board (the “Board”) approved draft regulations issued under the California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act (together, the “CCPA”). The draft regulations will now go through review by the Office of Administrative Law (the “OAL”), the final step in the rulemaking process before the regulations are scheduled to take effect. The draft agreed upon by the Board is in substantially the same form as the draft regulations published in November 2022 with only minor grammatical and stylistic changes. As such, the draft regulations will have a significant impact on many businesses if approved, adding specifics around the CCPA’s proportionality requirements, contracts with service providers and other third parties, opt-out preference signals, and processes for responding to data subject rights requests. In the same meeting, the Board also requested public comment on topics that are likely to be covered in a new set of regulations from February 10, 2023, through March 27, 2023.

Continue Reading Across the Finish Line (Almost): Revised California Consumer Privacy Act Regulations Approved by California Privacy Board

Ropes & Gray data, privacy & cybersecurity practice co-lead Ed McNicholas was recently featured on the R&G Tech Studio podcast, a Ropes & Gray podcast focused on showcasing the interesting and exciting work our attorneys are doing in the world of tech. In the interview, McNicholas sits down with Ed Black, technology, media &

2023 will bring with it updates and reforms in relation to data protection and cybersecurity in the UK. The proposed changes are expected to place tighter restrictions on digital content; increase protection around the internet of things and connected products; and, to the delight of some, lighten compliance burdens with respect to personal data. A few highlights to watch out for are set out below:

Continue Reading Incoming Privacy and Cybersecurity Developments in the UK

Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.

Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover; however, the offence is often coupled with other transgressions, which has led to fines over €20 million.

Continue Reading Data Protection: The Increasing GDPR/ UK GDPR Focus on Security

Artificial intelligence-enabled technology tools are capable of dissecting large quantities of data faster than ever before and in some cases, in real time. However, the increasingly widespread use of AI challenges regulators to balance the benefits of innovation while protecting patient safety, health and privacy rights. An Intellectual Property & Technology Law Journal article on

If 2022 has been any indication, the innovations of Web3—the developing, largely decentralized, autonomous internet, enabled by technologies such as blockchain, smart contracts, decentralized autonomous organizations (DAOs), and digital assets—will lead to an era of rethinking the ways that privacy, cybersecurity, and consumer protection are regulated for these technologies. Proponents of Web3 argue that Web3 will promote individual data ownership, transparency, and freedom, but over the last few years, lawmakers have struggled to keep up with the rapidly changing nature of the Web3 space and force the new technology to fit within the existing legal framework.

Continue Reading Privacy, Cybersecurity, and Consumer Protection Are Set To Be Key Focus Areas For Regulators As Web3 Innovation Continues

On 30 September 2022, the Court of Justice of the European Union (CJEU) handed down two judgments in which it ruled, respectively, that Germany’s and France’s data retention laws are incompatible with EU law.

In Joined Cases C‑793/19 and C‑794/19 SpaceNet AG and Telekom Deutschland GmbH (EU:C:2022:702), the CJEU ruled that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security. It also confirmed, however, that to combat serious crime, Member States may, in strict compliance with the principle of proportionality, provide for the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses.

Continue Reading EU Data Retention: When Member States Get It Wrong

On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.

Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight