Privacy & Information Security Law Blog

On June 7, 2024, following a public consultation, the French Data Protection Authority published the final version of the guidelines addressing the development of AI systems from a data protection perspective.

On May 1, 2024, Utah’s Artificial Intelligence Policy Act entered into effect.

On May 23, 2024, the European Data Protection Board adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports.

On May 17, 2024, Colorado became the first U.S. state to enact comprehensive artificial intelligence legislation. This blog entry provides highlights of the key requirements.

On April 17, 2024, Colorado enacted H.B. 1058 which amends the Colorado Privacy Act (“CPA”) and makes Colorado the first state to explicitly extend the protections of a state comprehensive privacy law to neural data.

The Act expands the definition of “sensitive data” in the CPA to include two newly-added defined terms: “biological data” and “neural data”.

On May 1, 2024, the UK Information Commissioner’s Office (“ICO”) and the UK regulator for communications and online safety, Ofcom, issued a joint statement regarding their collaboration on the regulation of online services where online safety and data protection intersect. This statement builds on the joint statement published in 2022. The latest statement outlines several areas of collaboration between the ICO and Ofcom.

In April 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a white paper on Leveraging Data Responsibly: Why Boards and the C-Suite Need to Embrace a Holistic Data Strategy.

On April 12, 2024, the UK Information Commissioner’s Office launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. 

On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management.

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.

On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which were effective the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIO”), and that the CAC aims to optimize business environment, stabilize foreign investment, and support the data flow between global companies with a Chinese presence.

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC. 

Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.

Last week, Utah Governor Spencer J. Cox signed three privacy-related bills into law. The bills are focused on, respectively, protection of motor vehicle consumer data, regulations on social media companies with respect to minors, and access to protected health information by third parties. The Utah legislature appears to be focused on data-related legislation this session, as Governor Cox signed two other bills related to AI into law last week as well.

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

On March 13, 2024, the Federal Communications Commission’s updates to the FCC data breach notification rules (the “Rules”) went into effect. They were adopted in December 2023 pursuant to an FCC Report and Order (the “Order”).

On March 13, 2024, the European Parliament adopted the AI Act by a majority of 523 votes in favor, 46 votes against, and 49 abstentions. The AI Act will introduce comprehensive rules to govern the use of AI in the EU, making it the first major economic bloc to regulate this technology.

As reported by Bloomberg Law, on February 27, 2024, at RemedyFest, a conference hosted by Bloomberg Beta and Y Combinator, Federal Trade Commission Chair Lina Khan said that sensitive personal data that is linked to health, geolocation and web browsing history should be excluded from training artificial intelligence (“AI”) models.

The Federal Trade Commission held its eighth annual privacy conference, PrivacyCon, on March 6, 2024. The goal of PrivacyCon is to assemble researchers, academics, industry representatives, consumer advocates and government regulators to consider and discuss cutting-edge research and trends related to consumer privacy and data security. This year’s conference consisted of remarks by FTC Commissioners Lina Khan, Alvaro Bedoya and Rebecca Kelly Slaughter, and a total of seven panels including “Economics”, “Privacy Enhancing Technologies,” “Artificial ...

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.

On March 1, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it had issued an enforcement notice and a warning to the UK Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorized means. The Home Office is the ministerial department of the UK government responsible for immigration, security, and law and order.

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

On February 21, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a white paper on Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework. The white paper showcases how 20 leading organizations are developing accountable AI programs and best practices.

On January 24, 2024, the European Commission announced that it had published the Commission Decision establishing the European AI Office (the “Decision”). The AI Office will be established within the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology, and subject to its annual management plan. The AI Office is not intended to affect the powers and competences of national competent authorities, and bodies, offices and agencies of the EU in the supervision of AI systems, as provided for by the forthcoming AI Act. The Decision details the functions and tasks of the AI Office, such as:

On February 8, 2024, the Federal Communications Commission declared that calls using AI- generated, cloned voices fall under the category of “artificial or prerecorded voice” within the Telephone Consumer Protection Act (“TCPA”) and therefore are generally prohibited without prior express consent, effective immediately. Callers must obtain prior express consent from the recipient before making a call using an artificial or prerecorded voice, absent an applicable statutory exemption or emergency.

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.

On February 6, 2024, the UK government published a response to the consultation on its AI Regulation White Paper, which the UK government originally published in March 2023. The White Paper set forth the UK government’s “flexible” approach to regulating AI through five cross-sectoral principles for the UK’s existing regulators to interpret and apply within their remits (read further details on the White Paper). A 12-week consultation on the White Paper was then held and this response summarizes the feedback and proposed next steps.

On January 22, 2024, a draft of the final text of the EU Artificial Intelligence Act (“AI Act”) was leaked to the public. The leaked text substantially diverges from the original proposal by the European Commission, which dates back to 2021. The AI Act includes elements from both the European Parliament’s and the Council’s proposals.

On January 18, 2024, the Federal Trade Commission announced a proposed order against geolocation data broker InMarket Media (“InMarket”), barring the company from selling or licensing precise location data. According to the FTC’s charges, InMarket failed to obtain informed consent from users of applications developed by the company and its third-party partners.  

On January 15, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it has launched a consultation series on generative AI. The series will examine how aspects of UK data protection law should apply to the development and use of the technology, with the first chapter of the series focusing on when it is lawful to train generative AI models on personal data scraped from the web. The ICO invites all stakeholders with an interest in generative AI to respond to the consultation, including developers and users of generative AI, legal advisors and consultants working ...

On January 9, 2024, in its first settlement with a data broker concerning the collection and sale of sensitive location information, the Federal Trade Commission announced a proposed order against data broker X-Mode Social, Inc. and its successor Outlogic, LLC (“X-Mode”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., conduct a transfer impact assessment (“TIA”)). The Guidance is intended to assist data exporters in carrying out TIAs. 

On December 20, 2023, the FTC issued a Notice of Proposed Rulemaking (“Notice”), which would bring long-anticipated changes to the children’s online data privacy regime at the federal level in the U.S. The Notice sets forth several important proposals aimed at strengthening the Children’s Online Privacy Protection Act Rule (“COPPA Rule”). The COPPA Rule has not been updated since 2012. The FTC received over 176,000 comments in response to its call to comment on updating the COPPA Rule.

On December 14, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), in which it clarified, among other things, the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (“GDPR”) and the rules governing burden of proof under the GDPR.

On December 12, 2023, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) released a white paper on Privacy-Enhancing and Privacy-Preserving Technologies: Understanding the Role of PETs and PPTs in the Digital Age.

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

On December 8, 2023, the European Parliament and the Council reached a political agreement on the EU’s Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”).

The AI Act will introduce a risk-based legal framework for AI. Specifically, the AI Act will state that: (1) certain AI systems are prohibited as they present unacceptable risks (e.g., AI used for social scoring based on social behavior or personal characteristics, untargeted scraping of facial images from the Internet or CCTV footage to create facial recognition databases, etc.); (2) AI systems presenting a high-risk to the rights and freedoms of individuals will be subject to stringent rules, which may include data governance/management and transparency obligations, the requirement to conduct a conformity assessment procedure and the obligation to carry out a fundamental rights assessment; (3) limited-risk AI systems will be subject to light obligations (mainly transparency requirements); and (4) AI systems that are not considered prohibited, high-risk or limited-risk systems will not be under the scope of the AI Act.

On November 16, 2023, the Federal Trade Commission released a proposed order in connection with a complaint filed in August of 2020 against Global Tel*Link Corp. (“GTL”) and its subsidiaries, Telmate and TouchPay, which offers communication and payment services for incarcerated individuals. The complaint centered around a security breach where a technician for a vendor of GTL placed unencrypted, personally identifiable information in a test environment to test a new search and storage software. The test environment allegedly was accessible on the internet without password protections which permitted an unauthorized actor to access and exfiltrate the data between August 11-13, 2020. Though GTL restricted access to the test environment, GTL allegedly failed to notify its customers for roughly nine months, while also falsely representing to prospective customers that it had never experienced a security breach.

Glass Lewis & Co. recently published its updated Benchmark Policy Guidelines for 2024 (the “Policy”), which reflect investors’ continuing focus on corporate disclosure and board oversight of cyber risks. The Policy indicates that Glass Lewis may recommend “against” directors following a cybersecurity incident if it finds the board’s risk oversight or its post-incident response to be insufficient. The Policy also provides guidance on what Glass Lewis expects companies to disclose after such an incident.  

Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.

On November 1, 2023, New York Governor Hochul announced that the New York State Department of Financial Services (“NYDFS”) amended its Cybersecurity Regulation applicable to covered financial institutions. Our previous blog post covered key proposed changes to the Cyber Regulation.

The NYDFS, which regulates financial institutions including insurance companies, mortgage brokers and banks, adopted the original Cybersecurity Regulation in 2017. The new amendments strengthen the initial framework and require NYDFS-regulated entities to adhere to a number of ...

On October 19, 2023, the Consumer Financial Protection Bureau (“CFPB”) proposed a new rule that would provide consumers with more control over their financial information and impose certain requirements on the following types of entities:

On October 27, 2023, the Federal Trade Commission announced that it has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches to the FTC. The FTC’s Safeguards Rule currently requires certain types of non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement and maintain a comprehensive security program to keep their customers’ information safe. The amendment will require such financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer  information of at least 500 consumers. The notice to the FTC will need to include certain information about the event, such as the number of consumers affected or potentially affected.

On October 17, 2023, the Office of the Privacy Commissioner of Canada (“OPC”) announced the release of two companion documents that provide further guidance on protecting the privacy of young people. This guidance follows the recently adopted resolution on young people’s privacy by federal, provincial, and territorial regulators earlier in the month.

On October 8, 2023 and October 10, 2023, California Governor Gavin Newsom signed A.B. 947, A.B. 1194, S.B. 362 and S.B. 244 into law. A.B. 947 amends the California Consumer Privacy Act of 2018’s (“CCPA”) definition of “sensitive personal information” to include personal information that reveals a consumer’s “citizenship or immigration status,” while A.B. 1194 amends the CCPA to require a business to comply with the obligations imposed by the CCPA if the personal information collected by the business contains information related to accessing, procuring or searching for services regarding contraception, pregnancy care and perinatal care, including, but not limited to, abortion services, unless the personal information is used for a specified business purposes as defined by the CCPA, is only retained in aggregated and deidentified form and is not sold or shared.

On October 5, 2023, Blackbaud Inc., a software provider for the philanthropy, healthcare, and education sectors, has resolved claims that the District of Columbia and 49 U.S. states raised. The claims stem from a ransomware attack that impacted Blackbaud in 2020. The company was affected by a ransomware attack that exposed user information to unauthorized third parties. The breach not only impacted approximately 13,000 Blackbaud customers, but the customers’ own clients and donors as well.

On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, who had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.

On September 19, 2023, the Director of the Federal Trade Commission Bureau of Consumer Protection, Samuel Levine, delivered remarks that provided insight into the FTC’s ongoing strategy for regulating artificial intelligence (“AI”) during the National Advertising Division’s annual conference. Levine emphasized that the FTC is taking a more proactive approach to protect consumers from the harmful uses of AI, while ensuring the market remains fair, open, and competitive. Levine expressed the belief that self-regulation is not sufficient to address the regulation of ...

On August 8, 2023, the Massachusetts Gaming Commission approved 205 CMR 257: Sports Wagering Data Privacy, a set of regulations designed to create new rights and obligations with respect to sports betting operators’ use of patrons’ Confidential Information or Personally Identifiable Information. The regulations took effect on September 1, 2023.

On September 21, 2023, the UK Information Commissioner’s Office (“ICO”) published an opinion on the UK Government’s assessment of adequacy for the UK Extension to the EU-U.S. Data Privacy Framework (the “UK Extension”). The ICO provides that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and lay regulations to that effect, there are four specific areas that could pose risks to UK data subjects if the protections identified are not properly applied. These four risks are: 

On September 15, 2023, the Irish Data Protection Commission (the “DPC”) announced a fine of 345 million Euros against TikTok Technology Limited (“TikTok”) for non-compliance with GDPR rules regarding the processing of personal data of child users. This decision by the DPC reflects the binding decision of the European Data Protection Board (the “EDPB”) pursuant to Article 65 of the GDPR.

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

On September 14, 2023, the California legislature passed S.B. 362 (“Act”), a bill that would impose new requirements on data brokers and grant residents new rights designed to facilitate control over their personal data. S.B. 362 is now awaiting signature by California Governor Gavin Newsom. The Act aims to close a loophole in the California Consumer Privacy Act (“CCPA”) that allows consumers to request that data brokers delete personal information obtained directly from the consumer, but does not require data brokers to delete personal information obtained from other sources. 

On September 15, 2023, the Federal Trade Commission and the Department of Health and Human Services (“HHS”) published an updated version of the two agencies’ joint publication, entitled “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule.” 

On September 12, 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (NCSC) of the UK, Lindy Cameron, signed a joint Memorandum of Understanding (MoU) that sets forth a framework for cooperation and information sharing between the ICO and the NCSC. The MoU states the general aims “are to codify and enhance working” between the ICO and NCSC so as to “assist them in discharging their functions.”

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On June 28, 2023, Louisiana Governor John Bel Edwards signed into law H.B. 61, which requires interactive computer services to get parental consent (or consent from a legal representative of a minor) to enter into a contract or other agreement, including the creation of an online account, with minors younger than 18 years of age. The Act comes after similar laws enacted in Texas, Utah and Arkansas. H.B. 61 will take effect on August 1, 2024. 

On June 15, 2023, the UK Information Commissioner’s Office (“ICO”) called for businesses to address the privacy risks posed by generative artificial intelligence (“AI”) before “rushing to adopt the technology.” Stephen Almond, the ICO’s Executive Director of Regulatory Risk, said:  “Businesses are right to see the opportunity that generative AI offers . . . . But they must not be blind to the privacy risks.” An organization wishing to use AI should seek to understand at the outset how AI will use personal data, and mitigate any known risks. The ICO stated it is ...

On June 14, 2023, the European Parliament (“EP”) approved its negotiating mandate (the “EP’s Position”) regarding the EU’s Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”). The vote in the EP means that EU institutions may now begin trilogue negotiations (the Council approved its negotiating mandate on December 2022). The final version of the AI Act is expected before the end of 2023.

On June 8, 2023, the UK Information Commissioner’s Office (“ICO”) published a new report on neurotechnology. Neurotechnology is technology used to monitor neurodata, the information coming directly from the brain and nervous system. In its press release on the report, the ICO warns that “that newly emerging neurotechnologies risk discriminating against people if those groups are not put at the heart of their development” and predicts the use of such technologies to become “widespread over the next decade.”

On June 2, 2023, Judge Brantley Starr of the U.S. District Court for the Northern District of Texas released what appears to be the first standing order regulating use of generative artificial intelligence (“AI”)—which has recently emerged as a powerful tool on many fronts—in court filings. Generative AI provides capabilities for ease of research, drafting, image creation and more. But along with this new technology comes the opportunity for abuse, and the legal system is taking notice.

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On May 22, 2023, the Federal Trade Commission announced a proposed order against education technology provider Edmodo, LLC (“Edmodo”) for violations of the Children’s Online Privacy Protection Rule (“COPPA Rule”) and Section 5 of the FTC Act.

On May 18, 2023, the Federal Trade Commission announced it is seeking comment to proposed changes to the Health Breach Notification Rule (the “Rule”). The Rule requires  vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access. By clarifying the Rule’s scope and applicability, and by modernizing allowable methods of notice, the proposed amendments seek to update the Rule to account for technological change since the Rule’s issuance, which includes the proliferation of health apps and connected devices, and the emergence of a widespread market for health data.

On May 17, 2023, the Federal Trade Commission issued a consumer alert regarding the Premom Ovulation Tracker app (“Premom”) sharing sensitive information with third parties without users’ permission. According to the alert, Premom is a free app that is marketed as an accurate fertility calendar, which can be used to assist users who are trying to become pregnant.

On May 18, 2023, the Federal Trade Commission issued a policy statement on “Biometric Information and Section 5 of the Federal Trade Commission Act.”  The statement warns that the use of consumer biometric information and related technologies raises “significant concerns” regarding privacy, data security, and bias and discrimination, and makes clear the FTC’s commitment to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

On April 4, 2023, the data protection regulator of the UK, the Information Commissioner’s Office (ICO), issued a fine of a £12.7 million to TikTok Information Technologies UK Limited and TikTok Inc (together, “TikTok”) for a number of breaches of UK data protection law, including failing to use children’s personal data lawfully. 

On March 27, 2023, New York Attorney General Letitia James announced that a New York-based law firm (Heidell, Pittoni, Murphy & Bach LLP) had agreed to pay $200,000 in penalties and enhance its cybersecurity practices to settle charges stemming from a 2021 data breach. 

On March 15, 2023, the Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity and the protection of consumer information.

On March 3, 2023, the U.S. Department of Justice (“DOJ”) released an update to its Evaluation of Corporate Compliance Programs guidance (“ECCP Guidance”). The ECCP Guidance serves as a guidance document for prosecutors when evaluating a corporate compliance program. Among other updates, the ECCP Guidance now includes new guidance for assessing how companies govern employees’ use of personal devices, communication platforms and messaging applications.

On March 16, 2023, the Federal Trade Commission announced it issued orders to eight social media and video streaming platforms seeking Special Reports on how the platforms review and monitor commercial advertising to detect, prevent and reduce deceptive advertisements, including those related to fraudulent healthcare products, financial scams and the sale of fake goods. The FTC sent the orders pursuant to its resolution directing the FTC to use all available compulsory process to inquire into this topic, and using the FTC’s Section 6(b) authority, which authorizes the FTC to conduct studies that do not have a specific law enforcement purpose.

On March 6 and 15, 2023, both chambers of the Iowa Legislature unanimously voted to approve Senate File 262, which could make Iowa the sixth U.S. state to enact comprehensive privacy legislation. The bill is most similar to Utah’s comprehensive privacy law.

On March 15, 2023, the UK Information Commissioner’s Office (“ICO”) published an updated version of its guidance on AI and data protection (the “updated guidance”), following requests from UK industry to clarify requirements for fairness in AI. 

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced settled administrative charges against Blackbaud Inc. The case stems from disclosures Blackbaud made to investors regarding a 2020 ransomware attack that targeted donor data management software the company provides to non-profit organizations.

On March 7, 2023, the Transportation Security Administration (“TSA”) announced the issuance on an emergency basis of a cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators, as part of the U.S. Department of Homeland Security’s initiatives to improve the cybersecurity of U.S. critical infrastructure. 

On March 8, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill to UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022. 

On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:

On February 17, 2023, the Illinois Supreme Court issued an opinion in Cothron v. White Castle Systems, Inc., in response to a certified question from the Seventh Circuit, ruling that the plain language of Section 15(b) and 15(d) of the Illinois Biometric Privacy Act (“BIPA”) shows that a claim accrues under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. 

On February 10, 2023, an Illinois federal district court ordered the dismissal of a putative class action lawsuit alleging that an online tool that allowed users to virtually try on sunglasses violated the Illinois Biometric Privacy Act (“BIPA”).

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

On February 2, 2023, the Illinois Supreme Court reversed in part and remanded a judgment of the lower appellate court in a class action lawsuit alleging violation of the Illinois Biometric Information Privacy Act (“BIPA”).

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers. 

On December 31, 2022, Baltimore’s ordinance banning the private sector’s use of facial recognition technology expired. The ordinance, which was enacted in 2021, banned private entities and individuals within the city limits from using facial recognition technology, including obtaining, retaining, accessing or using a “face surveillance system” or any information obtained from such system. The Baltimore ordinance followed a similar ban on the use of facial recognition technology by private sector companies in Portland, Oregon, enacted in 2020. New York City also passed an ordinance in 2021 regulating commercial establishments’ use of biometric technology.

On December 20, 2022, a former employee in Illinois brought a class action suit against Five Guys Enterprises, LLC (“Five Guys”), a burger chain, alleging that Five Guys violated the Illinois Biometric Information Privacy Act (“BIPA”). 

On December 20, 2022, the English High Court has granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant's identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach. 

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. 

On  December 15, 2022, the UK government and the Dubai International Financial Centre Authority (“DIFC”) issued a joint statement on the shared commitment to deepening the UK-DIFC data partnership. The statement explains that “[t]here are over 5,000 UK companies operating in the UAE, many of which depend on the free and secure flow of safe data across borders.” Further, the UK and the DIFC have strong links in the financial sector, following the DIFC’s establishment in 2004, with 16% of the DIFC’s financial services companies originally based in the UK.

On December 7, 2022, the Federal Trade Commission released an updated Mobile Health App Interactive Tool to help developers determine what federal laws and regulations apply to apps that collect and process health data. The updated version of the tool, which revises the initial release in 2016, aims to assist developers of mobile apps that will access, collect, share, use or maintain information related to an individual consumer’s health, such as information related to diagnosis, treatment, fitness, wellness or addiction.

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

On November 30, 2022, the Second District Appellate Court of Illinois reversed and remanded a grant of summary judgement in favor of defendant, J&M Plating, Inc., for alleged violation of the Illinois Biometric Information Privacy Act (“BIPA”). In Mora v. J&M Plating, Inc., the plaintiff claimed that J&M Plating had violated BIPA by collecting workers’ fingerprints without a proper data retention and destruction policy for biometric information.

On November 22, 2022, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it filed comments with the Federal Trade Commission that call for new limits on how companies can collect and use personal information about consumers. The comments were filed in response to the FTC’s request for public comment on its Advanced Notice of Proposed Rulemaking on commercial surveillance and lax data security practices.