On September 15, 2022, the European Commission ("EU") published a proposal for a Cyber Resilience Act, the first EU-wide legislation introducing a single set of cybersecurity rules for hardware and software products placed in...more
The European Parliament ("EP") and Council formally adopted the Digital Markets Act ("DMA") in July 2022, imposing new behavioral obligations on large digital platforms qualifying as "gatekeepers." The final agreement...more
In Short -
The Situation: China released new regulations and guidelines to clarify the procedural requirements companies must satisfy for the cross-border transfer of personal information under the Personal Information...more
On 31 January 2022, the English High Court delivered its judgment in Stadler v Currys Group Limited (EWHC 160 (QB)); the latest in a series of rulings which appear set to constrain the relatively nascent UK data breach claims...more
2/25/2022
/ Corporate Counsel ,
Cybersecurity ,
Damages ,
Data Breach ,
Data Protection ,
Emotional Distress Damages ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
UK ,
UK Data Protection Act ,
UK Supreme Court
On February 23, 2022, the European Commission ("Commission") published a proposal for a Data Act which aims at enhancing data access and use within the European Union ("EU")....more
2/24/2022
/ Artificial Intelligence ,
Data Collection ,
Data Privacy ,
Data-Sharing ,
EU ,
European Commission ,
Information Governance ,
International Data Transfers ,
Internet of Things ,
Personal Data ,
Personally Identifiable Information ,
Proposed Regulation ,
Regulatory Agenda ,
Small and Medium-Sized Enterprises (SMEs)
EU and UK data protection rules each restrict transfers of personal data to third countries not regarded as having an adequate level of protection, such as the United States, China, Russia and India....more
The Cyberspace Administration of China has issued draft guidance on applying for and conducting security assessments for cross-border data transfers for public comment. On October 29, 2021, the Cyberspace Administration of...more
11/10/2021
/ China ,
Comment Period ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Extraterritoriality Rules ,
International Data Transfers ,
Personal Information ,
Personal Information Protection Law (PIPL) ,
Popular ,
Public Comment ,
Regulatory Reform ,
Regulatory Requirements
The PIPL imposes extensive obligations on organizations and individuals engaged in "handling" of personal information, which is defined to include "collection, storage, use, processing, transmission, provision, disclosure,...more
9/10/2021
/ China ,
Consumer Privacy Rights ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
Extraterritoriality Rules ,
Personal Information ,
Personal Information Protection Law (PIPL) ,
Popular ,
Regulatory Reform ,
Regulatory Requirements
When the DSL goes into effect on September 1, 2021, it will impose certain restrictions on a company's ability to transfer data out of China without the prior approval of Chinese authorities. One significant restriction is...more
8/27/2021
/ China ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Protection ,
Data Security ,
Foreign Official ,
International Data Transfers ,
Multinationals ,
Personal Data ,
Personally Identifiable Information ,
Popular
UNITED STATES -
Regulatory—Policy, Best Practices, and Standards -
President Biden Issues Cybersecurity Executive Order -
On May 12, 2021, President Biden issued an executive order that placed new standards on the...more
8/10/2021
/ Article III ,
Biden Administration ,
California Consumer Privacy Act (CCPA) ,
Cybersecurity ,
Cybersecurity Framework ,
Data Breach ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Executive Orders ,
Facial Recognition Technology ,
Federal Trade Commission (FTC) ,
Hackers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Information Technology ,
Mobile Apps ,
Personal Data ,
Popular ,
Ransomware ,
SCOTUS ,
Standing ,
TransUnion LLC v Ramirez
On June 10, 2021, the Standing Committee of the 13th National People's Congress passed the long awaited People's Republic of China (China) Data Security Law ("DSL") after a final read of the third draft. The DSL, which takes...more
6/21/2021
/ China ,
Corporate Counsel ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Data Processing Rules ,
Data Processors ,
Data Protection ,
Data Security ,
General Data Protection Regulation (GDPR) ,
Information Technology ,
International Data Transfers ,
National Security ,
New Legislation ,
Regulatory Reform
The Background: Transfers of personal data to countries outside the European Economic Area ("EEA") must meet certain requirements under the General Data Protection Regulation ("GDPR"). If the third country does not provide an...more
An interest group of EU banks that was formed to assist European financial institutions with their use of public cloud technology recently suggested model terms for the compliant use of cloud technology.
On May 17, 2021,...more
China recently released new drafts of its Data Security Law and its Personal Information Protection Law for public comment; when finalized the two laws will impose significant obligations on how companies collect, process,...more
The Development: On 21 April 2021, the European Commission ("Commission") unveiled a proposal for a "Regulation laying down harmonized rules on Artificial Intelligence" ("AI Regulation"), which sets out how AI systems and...more
The Situation: The health care sector is currently going through a digital transformation phase with the promise of achieving improved patient care and higher efficiency—and the implementation of cloud-based services is a...more
The Background: On February 1, 2021, Singapore's Personal Data Protection (Amendment) Act 2020 ("PDPAA") came into effect.
The Situation: The PDPAA is the first comprehensive update to Singapore's Personal Data Protection...more
The Development: The European Commission ("EC") recently released two long-awaited legislative proposals, the Digital Services Act ("DSA") and Digital Markets Act ("DMA"), that would significantly increase the EC's regulatory...more
United States -
Regulatory—Policy, Best Practices, and Standard -
NIST Unveils Draft Guidance to Protect Critical Infrastructure -
On October 22, 2020, the National Institute of Standards and Technology ("NIST")...more
1/8/2021
/ CNIL ,
Consumer Privacy Rights ,
Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Cybersecurity Framework ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Security ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
NIST ,
Personal Data ,
Popular ,
Risk Management
The Situation: The European Union and United Kingdom have both warned companies to prepare for a no-deal Brexit.
The Result: There is a real possibility that the Brexit Implementation Period will end on 31 December 2020...more
UNITED STATES -
Regulatory—Policy, Best Practices, and Standards -
NIST Releases Revision to Security Standard -
On September 23, the National Institute of Standards and Technology ("NIST") released Revision 5 to...more
The Situation: After the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union ("CJEU"), the conditions under which international data may flow from the European Union continue to remain...more
11/23/2020
/ Binding Corporate Rules ,
Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
EU ,
EU-US Privacy Shield ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The Situation: On October 6, 2020, the Court of Justice of the European Union ("CJEU") held that the national security laws of the United Kingdom, France, and Belgium, which each require that providers of electronic...more
11/6/2020
/ Court of Justice of the European Union (CJEU) ,
Cybersecurity ,
Data Protection ,
Data Retention ,
Data Security ,
e-Privacy Directive ,
Electronic Communications ,
EU-US Privacy Shield ,
International Data Transfers ,
Location Data ,
Member State ,
National Security ,
Standard Contractual Clauses
The Situation: The Court of Justice of the European Union ("CJEU") has ruled that international data flows under the European Union's comprehensive data protection regime, the GDPR, can continue to be based on EU Standard...more
As the United States and other countries gradually ease stay-at-home orders and mandatory lockdowns, data-driven technologies have become increasingly discussed as a potential strategy for tracing and mitigating the further...more
7/13/2020
/ Biometric Information ,
Contact Tracing ,
Coronavirus/COVID-19 ,
Cybersecurity ,
Data Privacy ,
Employer Liability Issues ,
Employer Responsibilities ,
Federal Trade Commission (FTC) ,
Health and Safety ,
Infectious Diseases ,
Popular ,
Private Sector ,
Re-Opening Guidelines ,
Workplace Safety