There has been an incredible volume of discussion around generative AI (GAI) in 2023, including products like ChatGPT and GitHub Copilot, and the potential impact these tools have on every corner of the business world. This is not surprising given that GAI has demonstrated powerful functionality, making it easy to hypothesize about use cases. Unfortunately, on top of the fervor, the use of GAI presents a multitude of risks. Some companies have banned GAI use…
In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…
On July 18, Oregon Governor Tina Kotek signed SB 619 into law as the Oregon Consumer Privacy Act, making Oregon the eleventh U.S. state to enact consumer privacy legislation and the seventh in 2023 alone. The compliance deadline for for-profit entities is July 1, 2024. In Brief: The Oregon Consumer Privacy Act has no revenue threshold and applies to any person that conducts business in Oregon or provides products or services to Oregon residents and…
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“DPF”). US companies that participate in the DPF will be deemed to provide “adequate protection” under Article 45 of the EU General Data Protection Regulation (“GDPR”) for personal data transfers received from the European Union (“EU”) and European Economic Area (“EEA”). Why did the EC need to adopt the adequacy decision for the DPF? As we have previously written, the…
The US Office of the Director of National Intelligence (“ODNI”) announced today that it has fully implemented new safeguards under Executive Order 14086. See INTEL – ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086. These steps clear the path for the European Commission to adopt the draft “adequacy decision” for cross-border data transfers pursuant to the EU-U.S. Data Privacy Framework. By way of brief background, in July 2020, the Court of Justice…
In brief The Colorado Privacy Act (C.R.S. 6-1-1301, et seq.) (the “CPA”) comes into effect on July 1, 2023. Earlier this year, the Colorado Attorney General promulgated final rules for implementing the CPA (4 CCR 904-3) (the “Rules”). The Rules provide insight as to how the Attorney General may interpret and enforce the CPA. In this alert, we highlight several key aspects of the CPA and the Rules to help businesses focus their compliance efforts.…
On May 11, 2023, the governor of Tennessee signed the Tennessee Information Protection Act (“TIPA”), assigned Public Chapter Number 408, into law. TIPA takes effect on July 1, 2025. In this article, we highlight five key points of the new law.
The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, and more are expected in the coming months.
After a slowdown in 2022–US states are back at the drawing board of consumer privacy laws with four passing in the last month alone. Here, we break down what you need to know about the Montana and Tennessee bills. In brief The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The…
In brief Companies that export personal data out of China have roughly one month to adopt China’s Standard Contractual Clauses (“SCCs”) to comply with the Cyberspace Administration of China’s (“CAC”) deadline of June 1, 2023. As outlined in previous client alerts, the SCCs are one of three mechanisms in place for cross-border data transfers from mainland China to other jurisdictions. Many multinationals will be impacted by these requirements because Chinese employment data, which is…