On October 12, 2022, the UK Information Commissioner’s Office (“ICO”) opened a public consultation seeking feedback on its draft guidance on employment practices, specifically relating to monitoring at work (the “Monitoring at Work Guidance”). The document aims to provide practical guidance and good practice on monitoring workers in accordance with data protection legislation.
In a new post on the Covington Digital Health blog, our colleagues discuss a recent amendment to California’s Confidentiality of Medical Information Act (“CMIA”) that expands the scope of the law to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services.
On October 13, 2022, the European Data Protection Supervisor (“EDPS”) released its Opinion 20/2022 on a Recommendation issued by the European Commission in August 2022 calling for a Council Decision authorising the opening of negotiations on behalf of the European Union for a Council of Europe convention on artificial intelligence, human rights, democracy and the rule of law.
The resulting convention – to be called the “AI Convention” – would complement the EU’s proposed AI Act and the proposed AI Liability Directive, both currently under negotiation. (See our previous blog posts on the proposed AI Act and on the proposed AI Liability Directive.)
The AI Convention would be the first legally binding international instrument on AI, and would be open to participation by non-member States. In September 2022, the Council of Europe’s Committee on Artificial Intelligence (“CAI”) examined a first draft, which focused on developing common principles to ensure continued application of and respect for human rights, democracy and the rule of law, where AI systems assist or replace human decision-making. The AI Convention would cover both public and private providers, and users of AI systems.
The EDPS welcomes the AI Convention as an opportunity to complement the EU’s AI Act and supports the EU Commission’s aim to ensure consistency with the EU’s proposed AI Act. Moreover, the EDPS endorses the AI Convention’s suggested definition of “AI subject”, i.e., a person affected by the use of AI systems (such as workers affected by the use of AI in work management systems, or individuals applying for loans relying on AI-powered creditworthiness systems), and of procedural safeguards and rights for AI subjects.
The EDPS’ key recommendations on the EU’s negotiating directives include the following:
- Prioritize safeguards and fundamental human rights for individuals as general objectives;
- Include (1) an explicit reference to the AI Convention’s compliance with the EU’s data protection framework, and (2) a methodology for assessing the risks posed by AI systems to fundamental rights, in order to establish clear, concrete and objective criteria for conducting “human rights impact assessments”;
- In line with a risk-based approach, ensure that the risks posed by AI systems to society and to specific groups are assessed and mitigated, and impose a prohibition on AI systems presenting “unacceptable risks”. In the EDPS’ view, AI systems used for (1) social scoring, (2) biometric identification in publicly accessible spaces, and (3) biometric and emotional categorization, in addition to certain other systems, should generally be prohibited;
- Promote a data protection by design and by default approach in every step of an AI system’s lifecycle, to allow effective implementation of data protection principles by means of state-of-the-art technologies;
- Specify that the AI Convention should (1) include ex ante third-party conformity assessments for high-risk AI systems, and a procedure for new assessments in case of significant changes to those systems, and (2) provide minimum requirements on transparency, explainability and auditability of AI systems; and
- Ensure that competent supervisory authorities be vested with adequate investigatory and enforcement powers, and cross-border cooperation among authorities be facilitated.
Although further negotiations are scheduled to take place, a final proposal for the AI Convention is expected to be adopted by the Council of Europe’s Committee of Ministers in November 2023.
Covington regularly advises companies on their most challenging regulatory and compliance issues in the EU and other major markets. Our team is happy to assist with any inquiries relating to the new AI Convention and the EU AI Act, and other tech regulatory matters.
On November 3, the FTC announced that it entered into a significant $100 million settlement with Vonage to resolve allegations relating to the internet phone service provider’s sales and autorenewal practices. The FTC alleged that Vonage violated both the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to provide a simple cancellation mechanism, failing to disclose material transaction terms prior to obtaining consumers’ billing information, and charging consumers without consent.
On October 6, 2022, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) released an opinion in case C-300/21 to the effect that a controller or processor’s non-compliance with the GDPR does not automatically entitle data subjects to receive compensation for non-material damages pursuant to Article 82 GDPR. According to the AG, compensation is meant to remedy the consequences caused by a breach of the GDPR, and therefore a data subject must have suffered damage that he or she can affirmatively demonstrate.
On October 18 and 21, 2022, the European Data Protection Board (“EDPB”) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.
The California Privacy Protection Agency (CPPA) staff has posted updated draft rules implementing the California Privacy Rights Act (CPRA) today. As a next step, the rulemaking will undergo a 15-day public comment period, and comments are due Monday, November 21, 2022.
The upcoming date of December 27, 2022, marks the end of the roughly 18-month transition period that companies had to replace the old versions of the standard contractual clauses for international transfers of personal data with the new standard contractual clauses, which the European Commission adopted on June 4, 2021. As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still rely on the old version of the standard contractual clauses.
Covington is well placed to assist clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.
This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.
Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue. For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.