Posts from March 2024.
3 Minute Read

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours in the event that payment is made in response to a ransomware attack.

1 Minute Read

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.

7 Minute Read

On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which were effective the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIO”), and that the CAC aims to optimize the business environment, stabilize foreign investment, and support the data flow between global companies with a Chinese presence.

2 Minute Read

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC. 

3 Minute Read

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521 (the Protecting Americans from Foreign Adversary Controlled Applications Act), resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

2 Minute Read

On March 19, 2024, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 98 (the “Bill”), Online Data Security and Privacy Amendments, into law. The Bill amends the Protection of Personal Information Act (§13-44-101 et seq) and the Utah Technology Governance Act in the Utah Government Operations Code (§63A-16-1101 et seq). The Utah Technology Governance Act had previously established the Utah Cyber Center, a state initiative to coordinate efforts between local, state and federal resources by sharing threat intelligence and best practices.

5 Minute Read

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

2 Minute Read

After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others. 

3 Minute Read

On March 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) filed its response to the Federal Trade Commission’s notice of proposed rulemaking (“NPRM”), which addresses amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

1 Minute Read

Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.

2 Minute Read

Last week, Utah Governor Spencer J. Cox signed three privacy-related bills into law. The bills are focused on, respectively, protection of motor vehicle consumer data, regulations on social media companies with respect to minors, and access to protected health information by third parties. The Utah legislature appears to be focused on data-related legislation this session, as Governor Cox signed two other bills related to AI into law last week as well.

2 Minute Read

On March 18, 2024, the UK Information Commissioner’s Office (“ICO”) published new data protection fining guidance on how the ICO determines penalties and calculates fines. The guidance was subject to a consultation process in 2023, and covers a variety of topics and considerations relevant to penalties and fines, including:

4 Minute Read

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

3 Minute Read

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Endemol Shine (Case C‑740/22). In this case, the CJEU was called upon to assess whether oral disclosure of information could be considered as processing of personal data under the EU General Data Protection Regulation (“GDPR”) and to clarify the relationship between personal data protection and public access to documents.

1 Minute Read

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

1 Minute Read

On March 13, 2024, the European Parliament adopted the AI Act by a majority of 523 votes in favor, 46 votes against, and 49 abstentions. The AI Act will introduce comprehensive rules to govern the use of AI in the EU, making it the first major economic bloc to regulate this technology.

5 Minute Read

On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law.

1 Minute Read

As reported by Bloomberg Law, on February 27, 2024, at RemedyFest, a conference hosted by Bloomberg Beta and Y Combinator, Federal Trade Commission Chair Lina Khan said that sensitive personal data that is linked to health, geolocation and web browsing history should be excluded from training artificial intelligence (“AI”) models.

1 Minute Read

The Federal Trade Commission held its eighth annual privacy conference, PrivacyCon, on March 6, 2024. The goal of PrivacyCon is to assemble researchers, academics, industry representatives, consumer advocates and government regulators to consider and discuss cutting-edge research and trends related to consumer privacy and data security. This year’s conference consisted of remarks by FTC Commissioners Lina Khan, Alvaro Bedoya and Rebecca Kelly Slaughter, and a total of seven panels including “Economics”, “Privacy Enhancing Technologies,” “Artificial ...

4 Minute Read

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of the Interactive Advertising Bureau Europe (“IAB Europe”) in the processing operations associated with its Transparency and Consent Framework (“TCF”) and further developed CJEU case law on the concept of personal data under the EU General Data Protection Regulation (“GDPR”).

4 Minute Read

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

2 Minute Read

On February 13, 2024, New York Attorney General (“NY AG”) Letitia James and New York State Education Department Commissioner (“NYSED”) Betty A. Rosa announced that College Board has agreed to settle charges in connection with allegations that it violated New York Education Law § 2-d, New York’s student privacy law. 

1 Minute Read

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.

1 Minute Read

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right of access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

2 Minute Read

On March 1, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it had issued an enforcement notice and a warning to the UK Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorized means. The Home Office is the ministerial department of the UK government responsible for immigration, security, and law and order.
