CPPA Releases Draft Risk Assessment Regulations
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft risk assessment regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year, at which time it will also consider draft regulations covering “automated decisionmaking technology” (ADMT), cybersecurity audits, and revisions to existing regulations. Accordingly, the draft risk assessment regulations are subject to change. Below are the key takeaways:
EU cyber regulation wave quietly rolls on – Commission set to finalize new cyber standards
The recently agreed Cyber Resilience Act isn’t the only new EU cybersecurity rule set to be published this December: by the end of the year, the European Commission is expected to adopt its draft regulations to establish a European cybersecurity certification scheme (“ECCS”).
The EU’s Cyber Resilience Act Has Now Been Agreed
Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal (here), the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We’ll provide a more detailed summary of the agreed text once it is finalized and published, but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.
CPPA Releases Draft Automated Decisionmaking Technology Regulations
Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft “automated decisionmaking technology” (ADMT) regulations. The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year. Accordingly, the draft ADMT regulations are subject to change. Below are the key takeaways:
German Data Protection Authorities Publish Paper on Cloud-Based Digital Health Applications
Digital health apps are increasingly used in practice. They raise various questions under regulatory, data protection and data security laws. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body which brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).
EDPB Issues Draft Guidelines on Technical Scope of ePrivacy Directive Rules for Storage and Access
On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”). Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic. The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods. The Guidelines are open to public consultation through December 28, 2023.
The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”). The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms. This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers.
French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers and NGOs) are encouraged to provide comments.
EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold
EU Advocate General Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage; mere hypothetical harms or discomfort are insufficient. The Advocate General also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.
Earlier this month, the New York Department of Financial Services (“NYDFS”) announced that it had finalized the Second Amendment to its “first-in-the-nation” cybersecurity regulation, 23 NYCRR Part 500. This Amendment implements many of the changes that NYDFS originally proposed in prior versions of the Second Amendment released for public comment in November 2022 and June 2023, respectively. The first version of the Proposed Second Amendment proposed increased cybersecurity governance and board oversight requirements, the expansion of the types of policies and controls companies would be required to implement, the creation of a new class of companies subject to additional requirements, expanded incident reporting requirements, and the introduction of enumerated factors to be considered in enforcement decisions, among others. The revisions in the second version reflect adjustments rather than substantial changes from the first version. Compliance periods for the newly finalized requirements in the Second Amendment will be phased over the next two years, as set forth in additional detail below.
The finalized Second Amendment largely adheres to the revisions from the second version of the Proposed Second Amendment but includes a few substantive changes, including those described below:
- The finalized Amendment removes the previously proposed requirement that each class A company conduct independent audits of its cybersecurity program “at least annually.” While the finalized Amendment does require each class A company to conduct such audits, they should occur at a frequency based on the company’s risk assessments. NYDFS stated that it made this change in response to comments that an annual audit requirement would be overly burdensome and with the understanding that class A companies typically conduct more than one audit annually. See Section 500.2(c).
- The finalized Amendment updates the oversight requirements for the senior governing body of a covered entity with respect to the covered entity’s cybersecurity risk management. Updates include, among others, a requirement to confirm that the covered entity’s management has allocated sufficient resources to implement and maintain a cybersecurity program. This requirement was part of the proposed definition of “Chief Information Security Officer.” NYDFS stated that it moved this requirement to the senior governing bodies in response to comments that CISOs do not typically make enterprise-wide resource allocation decisions, which are instead the responsibility of senior management. See Section 500.4 (d).
- The finalized Amendment removes a proposed additional requirement to report certain privileged account compromises to NYDFS. NYDFS stated that it did so in response to public comments that this proposed requirement “is overbroad and would lead to overreporting.” However, the finalized Amendment retains previously-proposed changes that will require covered entities to report certain ransomware deployments or extortion payments to NYDFS. See Section 500.17 (a).
NYDFS also provided further context on its expectations for compliance in responding to public comments even where it did not make changes. For example, in response to a comment suggesting that NYDFS add a new section to the regulation to address risks associated with AI, NYDFS declined to make changes but noted that it “expects covered entities to take these risks into account in their risk assessments and address them in their cybersecurity programs.”
Compliance requirements for the amended regulation will take effect in stages. Below is a list of key compliance dates.
- Covered entities will have 180 days from the effective date of the Second Amendment, or until April 29, 2024, to comply with the amended regulation, unless specified otherwise.
- The expanded incident reporting requirements will take effect on December 1, 2023. New reporting requirements include, among others, an obligation to notify NYDFS within 72 hours when a cybersecurity event results in the deployment of ransomware within a material part of the covered entity’s information systems, and within 24 hours if a covered entity makes an “extortion payment” in connection with a cybersecurity event involving the covered entity. The covered entity must also provide specific additional information regarding the payment within 30 days. See Section 500.17.
- Governance, encryption, incident response planning and business continuity management, and exemption provisions will go into effect on November 1, 2024. See Sections 500.4, 500.15, 500.16, and 500.19 (a).
- Vulnerability scanning, access privileges and management, and monitoring and training provisions will go into effect on May 1, 2025. See Sections 500.5 (a)(2), 500.7, 500.14 (a)(2), and 500.14 (b).
- Multi-factor authentication, and asset management and data retention provisions will take effect on November 1, 2025. See Sections 500.12 and 500.13 (a).
To provide more information about changes in the Second Amendment, NYDFS will host briefings and seminars over the coming months. Please refer to the NYDFS website for the registration details.
CJEU Holds That GDPR Right of Access Overrules Local Laws
On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.