Data, privacy & cybersecurity partners Ed McNicholas and Fran Faircloth authored a chapter in Chambers Global Practice Guide Cybersecurity 2022 on “USA Law & Practice and Trends & Developments.” The chapter provides an overview of cybersecurity regulation in the United States and provides insights on the multitude of cybersecurity threats facing companies and
On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism. The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.
The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport. Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe. Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.
It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.Continue Reading International Data Transfers in 2022 and Beyond
The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.
Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion
On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.
The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.Continue Reading Utah Passes Comprehensive Privacy Law
On March 1, 2022, the Senate passed a data breach and cybersecurity bill that could vastly expand data breach notice requirements. The Strengthening American Cybersecurity Act (the “Senate Bill”), which now shifts to the House of Representatives, would require organizations in certain critical infrastructure sectors to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyberincident has occurred, among other measures intended to enhance the nation’s cybersecurity posture. Covered organizations would also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. These provisions are not limited to data breaches affecting personal data and would significantly expand the breadth of data breach reporting requirements to many commercial enterprises that have not focused on consumer privacy issues.
While the bill was criticized by FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco for shifting cyber-focus from the DOJ/FBI to DHS/CISA, it remains likely to pass the House, where similar legislation was supported last year as part of the annual defense authorization package. In addition to its breach reporting provisions, the Senate Bill would also require or encourage new cybersecurity measures for federal agencies, clarify the roles of certain cybersecurity officials and authorize the federal contractor cybersecurity FedRAMP program for five years.Continue Reading Senate Approves Breach Reporting Legislation; Likely to Pass House
A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use
Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many states have proposed sweeping data protection legislation, but only two others, Colorado and Virginia, have so far succeeded in passing such laws. That may soon change. In 2021, several states came close to enacting comprehensive privacy legislation and that momentum has continued into this year, with data protection bills being carried over, introduced, and reintroduced in state legislatures across the country. As the possibility of a federal privacy law dwindles—particularly during this midterm year—state legislatures are poised to be the source of major data protection developments in 2022. Throughout the year, Ropes & Gray will monitor and analyze these developments in state privacy laws, beginning with a discussion of the latest iteration of the proposed New York Privacy Act.
Continue Reading State Privacy Law Developments: The New York Privacy Act
As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.
Continue Reading Closing out the 12 Days of Data: What to Expect in 2022
If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair, Lina Khan, the past year has seen the FTC engage is a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.
While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”
The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect for the FTC to continue to bring enforcement actions and order restitution and disgorgement via their Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review of appellate courts.Continue Reading FTC Signals Increased Focus on Privacy and Data Misuse
The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article here). The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions. Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly. Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:
Continue Reading California AG Proposes Third Amended Regulations to CCPA