On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.)

Continue Reading China Releases Guidance on Filing Standard Contract for the Cross-Border Transfer of Personal Information

On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”).  The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR.  The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content.  According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.”  Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.

Continue Reading FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule

On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act, making Texas the sixth state to pass a comprehensive data privacy law this year.  The Act shares many similarities with Virginia's law, although there are some distinctions.  If signed into law, the Act would take effect on July 1, 2024.  This blog post summarizes the Act's key takeaways.

  • Scope: The Act applies to a person that (1) conducts business in Texas or produces products or services consumed by Texas residents, and (2) processes or engages in the sale of personal data (“sale” means a disclosure of personal data to a third party for “monetary or other valuable consideration”).  The second prong of this language is not found in other comprehensive state privacy laws and so does not have a well-settled interpretation.   The scope of the Act also excludes a small business as defined by the United States Small Business Administration, except with respect to the provision that requires small businesses to obtain consumer consent prior to selling sensitive data.
  • Consumer Rights:  Consumers have rights to: (1) confirm whether a controller is processing their personal data and access such personal data; (2) correct inaccuracies in the consumer's personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of the consumer's personal data; and (5) opt out of processing for purposes of (a) targeted advertising (defined as displaying advertisements that are selected based on the consumer's activities over time and across nonaffiliated websites), (b) the sale of personal data, or (c) profiling (a definition limited to "solely automated processing") in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.  The Act also requires controllers to recognize opt-out preference signals by January 1, 2025.
  • Sensitive Data: Controllers must obtain consent before processing a consumer’s sensitive data.  Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify individuals; personal data collected from a known child; and precise geolocation data (i.e., identifies a consumer within a radius of 1,750 ft.).  If a controller sells sensitive data or biometric data, it must post a specific notice (i.e., “NOTICE: We may sell your [sensitive/biometric] personal data.”) in its privacy notice.
  • Controller & Processor Contracts:  The Act uses the terms “controller” and “processor.”  Under the Act, processors must assist controllers in meeting their obligations, including responding to consumer requests and conducting data protection assessments.  The Act would require certain contractual terms between controllers and processors, including those requiring the processor to maintain a duty of confidentiality.
  • Data Protection Assessments: The Act requires controllers to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), sensitive data, or otherwise present a heightened risk of harm to consumers. 
  • Enforcement & Cure: The Texas Attorney General has the exclusive authority to enforce the Act.  The Act provides controllers and processors with a 30-day cure period, and, unlike the cure periods in several other state laws, this one does not sunset.

This blog post reports on two recent state telemarketing law developments that affect, among other things, marketing calls and text message transmissions.

Maryland Enacts New Law.  Earlier this month, on May 3rd, Maryland Governor Wes Moore signed into law the Stop the Spam Calls Act of 2023, which will take effect on January 1, 2024.  As we previewed here, the new law is notable because it will impose the same proscriptive consent requirements on automated marketing calls and text messages that currently exist in Oklahoma.

Florida Scales Back its Law.  On May 25th, Florida’s governor signed into law H.B. 761, which took effect immediately to amend the Florida Telephone Solicitation Act (“FTSA”) in the following key ways:

  • Autodialer Definition.  The new law narrowed the definition of an autodialer from an "automated system for the selection or dialing of telephone numbers" to an "automated system for the selection and dialing of telephone numbers" (emphasis added).  This aligns the definition in the FTSA with the definition of an "automatic telephone dialing system" in the TCPA, thus presumably bringing it within the ambit of the Supreme Court's April 2021 opinion in Facebook v. Duguid.
  • “Signature” Definition.  The new law broadens the definition of “signature,” which is one of the requirements for obtaining “prior express written consent” under the FTSA, to include “an act that demonstrates express consent, including, but not limited to, checking a box indicating consent or responding affirmatively to receiving text messages, to an advertising campaign, or to an e-mail solicitation.”
  • Text Message Solicitation Safe Harbor.  Before a called party can bring an action for text message solicitations, the new law now requires that the called party first notify the telephone solicitor that the called party does not wish to receive text messages by replying “STOP” to the text message.  Within 15 days, the telephone solicitor must stop transmitting such text message solicitations, although an opt-out confirmation message may be sent.  Only if the telephone solicitor continues to transmit text message solicitations to the called party after the 15-day period concludes can the called party bring a legal action.
  • Application of Amendments to Pending Cases.  The changes set forth in the new law expressly apply to any suit filed on or after the new law’s effective date and to any putative class action not certified on or before that effective date.

On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Continue Reading European Commission Announces Conclusion of First Review of Japan-EU Adequacy Arrangement

On May 22, the Federal Trade Commission ("FTC") announced a $6 million settlement with Edmodo, an ed tech provider, for violations of the COPPA Rule and Section 5 of the FTC Act.  The FTC described this settlement as the first FTC order that will prohibit an ed tech provider from requiring students to provide more personal data than necessary to participate in online activities.  The settlement is consistent with the FTC's policy statement on ed tech issued last May (see our summary of the policy statement here).

Continue Reading FTC Announces COPPA Settlement Against Ed Tech Provider Including Strict Data Minimization and Data Retention Requirements

On 11 May 2023, members of the European Parliament's internal market (IMCO) and civil liberties (LIBE) committees agreed on their final text on the EU's proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative process: "trilogue" negotiations among the European Commission, the Parliament and the Council, the last of which adopted its own amendments in late 2022 (see our blog post here for further details). European lawmakers hope to adopt the final AI Act before the end of 2023, ahead of the European Parliament elections in 2024.

In perhaps the most significant change from the Commission and Council draft, under MEPs’ proposals, providers of foundation models – a term defined as an AI model that is “trained on broad data at scale, is designed for generality of output, and can be adapted to a wide range of distinctive tasks” (Article 3(1c)) – would be subject to a series of obligations. For example, providers would be under a duty to “demonstrate through appropriate design, testing and analysis that the identification, the reduction and mitigation of reasonably foreseeable risks to health, safety, fundamental rights, the environment and democracy and the rule of law prior and throughout development” (Article 28b(2)(a)), as well as to draw up “extensive technical documentation and intelligible instructions for use” to help those that build AI systems using the foundation model (Article 28b(2)(e)).

Continue Reading EU Parliament’s AI Act Proposals Introduce New Obligations for Foundation Models and Generative AI

On May 17, the Federal Trade Commission ("FTC") announced an enforcement action against Easy Healthcare Corporation ("Easy Healthcare") alleging that it shared users' sensitive personal information and health information with third parties contrary to its representations and without users' affirmative express consent, in violation of Section 5 of the FTC Act.  The complaint also alleges that Easy Healthcare failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule ("HBNR").  According to the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other requirements, will be permanently prohibited from sharing users' personal health data with third parties for advertising purposes.  The FTC also noted that Easy Healthcare will pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their laws.

Continue Reading FTC Announces Second Enforcement Action Under Health Breach Notification Rule Against Fertility App Developer Easy Healthcare

On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.

Continue Reading CJEU’s Advocate General Issues Opinion on Concept of Controller, Joint Controller, Processor, and Administrative Fines

In May 2023, the Spanish Supervisory Authority (“SA”) issued a detailed guidance paper on GDPR compliance in the context of data spaces.  The paper acknowledges EU and Member State level initiatives for the creation of data spaces (such as the Data Governance Act, the proposed Data Act, and the proposed European Health Data Space) and provides insight into how the SA expects companies to meet their GDPR obligations when participating in those data spaces.

Continue Reading Spanish Data Protection Authority Issues Guidance on Data Spaces