What rights does a consumer have to a digital product that they purchase? What control does an author have over their creative works? What obligations do others have to you when they use your data to develop new products? None of these questions are new, but the recent proliferation of artificial intelligence (AI) tools, particularly generative AI (GenAI) tools, has brought these questions to the forefront of ongoing conversations about the role that AI will…
On August 9, India’s Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) passed both houses of the Indian Parliament and now awaits Presidential assent. In 2017, India’s Supreme Court mandated that privacy is a fundamental human right. Since that time, India has been working to pass data protection legislation. The DPDP Bill is India’s fifth draft of the bill. The DPDP Bill only applies to the processing of digital personal data in India, where the personal…
In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation (“GDPR”) for personal data transfers received from the European Union (“EU”) and European Economic Area (“EEA”). Why did the EC need to adopt the adequacy decision for the DPF? As we have previously written, the…
The US Office of the Director of National Intelligence (“ODNI”) announced today that it has fully implemented new safeguards under Executive Order 14086. See INTEL – ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086. These steps clear the path for the European Commission to adopt the draft “adequacy decision” for cross-border data transfers pursuant to the EU-U.S. Data Privacy Framework. By way of brief background, in July 2020, the Court of Justice…
On May 11, 2023, the governor of Tennessee signed the Tennessee Information Protection Act (“TIPA”), assigned Public Chapter Number 408, into law. TIPA takes effect on July 1, 2025. In this article, we highlight five key points of the new law.
From a legal and policy perspective, the rapid rise of transformative innovation places stress on existing legal and privacy frameworks. New interpretations will certainly be needed, but legislators, regulators and policymakers may believe that there is a need to rush to act quickly to adopt entirely new and potentially prescriptive laws, regulations and policies.
After a slowdown in 2022–US states are back at the drawing board of consumer privacy laws with four passing in the last month alone. Here, we break down what you need to know about the Montana and Tennessee bills. In brief The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The…
In brief Companies that export personal data out of China have roughly one month to adopt China’s Standard Contractual Clauses (“SCCs”) to comply with the Cyberspace Administration of China’s (“CAC”) deadline of June 1, 2023. As outlined in previous client alerts, the SCCs are one of three mechanisms in place for cross-border data transfers from mainland China to other jurisdictions. Many multinationals will be impacted by these requirements because Chinese employment data, which is…
In brief The European Data Protection Board (EDPB) has begun the 2023 iteration of its annual coordinated enforcement action under the General Data Protection Regulation (GDPR). In coordination with twenty-six EDPB Supervisory Authorities (SAs), the EDPB will analyze the roles, tasks, resources, and positions of Data Protection Officers (DPOs) in public and private sector organizations. DPOs should expect to receive requests soon from Supervisory Authorities to respond to questionnaires intended to aid that analysis, describing…