On Friday, November 8, 2024, the California Privacy Protection Agency board voted 4-1 to commence the formal rulemaking process for the draft regulations on Automated Decisionmaking Technology (ADMT), Risk Assessments, Cybersecurity Audits, and Insurance Companies. The formal rulemaking process will begin with a 45-day public comment period. During this time, CPPA staff will gather and analyze public comments, which will inform potential amendments and revisions to the regulations. The period will likely be extended to…
This article was originally published by IAPP. Recent global developments offer a glimpse into the future of cross-border data regulation. Historically, such regulations have focused on restrictions of cross-border transfers of personal data to achieve public policy goals on individual privacy rights. Today, cross-border data regulations are starting to cover a broader array of data, such as personal data, nonpersonal data and other company information, for a diversified range of public policy purposes…
On September 29, 2024, California Governor Gavin Newsom vetoed Senate Bill 1047, which would have enacted the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (the “Act”) to create a comprehensive regulatory framework for the development of artificial intelligence models. The veto embodies the dilemma that has emerged around the regulation of AI applications: how can laws prevent harms in the use and development of AI, while promoting innovation and harnessing the power…
“Neural data” is the newest addition to the ever-expanding California Consumer Privacy Act (CCPA). Signed into law on September 28, 2024, SB 1223 amends the CCPA to add “personal information that reveals neural data” to the categories of personal information that constitute sensitive personal information. It further amends the CCPA to define “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is…
Abstract: The recently introduced American Privacy Rights Act (APRA) represents the latest attempt to pass a comprehensive federal privacy law in the US that would govern privacy generally across the country. The draft bill proposes novel compromises on controversial topics such as federal preemption and rights of private action, which need refinement and will likely be changed in the legislative process. The attempt to cover not-for-profit entities without accounting for their different purposes seems ill…
This article was originally published by IAPP: How US national security interests may lead to a multilateral treaty on data privacy | IAPP. In Lewis Carroll’s classic Alice in Wonderland sequel “Through the Looking-Glass,” Alice enters a fantastical world by climbing through a mirror. Alice discovers that, like a mirror, everything is reversed in this other world. For observers of global data privacy issues over the past few decades, “Through the Looking Glass” is an…
In brief: On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporate Finance, issued a statement clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of…
On April 29, 2024, the Department of Commerce’s National Institute of Standards and Technology (NIST) released initial drafts of four significant policy and governance documents aimed at improving the safety and reliability of AI systems. The launch came on the 180th day following President Biden’s Executive Order 14110 on the Safe, Secure and Trustworthy Development of AI, which instructed NIST to establish guidelines and best practices to promote consensus industry standards for developing and deploying…
In brief: On May 17, 2024, Colorado Governor Polis signed the landmark Colorado AI Act (Senate Bill 24-205) into law. Colorado is now the first US state with comprehensive AI regulation, adopting a classification system like the European Union’s recent AI Act. The law will take effect February 1, 2026. The law exempts small employers (fewer than fifty full-time employees) from some of its requirements but otherwise requires companies to take extensive measures to protect…
In late April 2024, the U.S. enacted the 21st Century Peace through Strength Act. In addition to approving aid for Israel, Taiwan and Ukraine and advancing other U.S. policy objectives, the 21st Century Peace through Strength Act establishes the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (the “Act”), which prohibits “data brokers” from making available personally identifiable sensitive data of U.S. individuals to “foreign adversary countries” — namely, North Korea, the People’s Republic…