Author

Rachel Ehlers

Browsing

In recent years, China has adopted a series of complex regulations around cybersecurity and privacy. In 2022, it issued rules for cross-border transfers of data, and its version of Standard Contractual Clauses (“China SCCs”) in February 2023. The China SCCs became effective in June, but there was a six month grace period for filing, until November 30, 2023. Any company that has a presence in China or processes or transfers Chinese resident data outside of…

On August 9, India’s Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) passed both houses of the Indian Parliament and now awaits Presidential assent. In 2017, India’s Supreme Court mandated that privacy is a fundamental human right. Since that time, India has been working to pass data protection legislation. The DPDP Bill is India’s fifth draft of the bill. The DPDP Bill only applies to the processing of digital personal data in India, where the personal…

There has been an incredible volume of discussion around generative AI (GAI) in 2023, including products like ChatGPT and GitHub Copilot, and the potential impact these tools have on every corner of the business world. This is not surprising given that GAI has demonstrated powerful functionality, making it easy to hypothesize about use cases. Unfortunately, on top of the fervor, the use of GAI presents a multitude of risks. Some companies have banned GAI use…

In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…

On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024. In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and…

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation (“GDPR”) for personal data transfers received from the European Union (“EU”) and European Economic Area (“EEA”). Why did the EC need to adopt the adequacy decision for the DPF? As we have previously written, the…

The US Office of the Director of National Intelligence (“ODNI”) announced today that it has fully implemented new safeguards under Executive Order 14086. See INTEL – ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086. These steps clear the path for the European Commission to adopt the draft “adequacy decision” for cross-border data transfers pursuant to the EU-U.S. Data Privacy Framework. By way of brief background, in July 2020, the Court of Justice…

In brief The Colorado Privacy Act (C.R.S. 6-1-1301, et seq.) (the “CPA”) comes into effect on July 1, 2023. Earlier this year, the Colorado Attorney General promulgated final rules for implementing the CPA (4 CCR 904-3) (the “Rules”). The Rules provide insight as to how the Attorney General may interpret and enforce the CPA. In this alert, we highlight several key aspects of the CPA and the Rules to help businesses focus their compliance efforts.…