Nine million texts are sent daily in Ireland, a huge increase on when the first text was sent in 1992.  All are subject to the data retention and access regime currently in place under the Communications (Retention of Data) Act 2011.  That regime has now been given the kiss of death by the Court of Justice of the European Union (“CJEU”) in its recent decision on a referral by the Irish Supreme Court dealing with the validity of electronic communications evidence collected under it.

The legislation, brought in to transpose EU Directive 2006/24, regulates the retention of data by electronic communications providers and access to that data by state authorities.

Continue Reading CJEU Strikes Down Metadata Collection in Irish Criminal Case

The Connecticut legislature passed Connecticut SB 6 on April 28, 2022.  If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.

The bill closely resembles the Colorado Privacy Act, with a few notable additions.  Like the Colorado Privacy Act, the bill adopts “controller” and “processor” terminology, provides consumers with rights to access, correct, delete, obtain a copy of, and opt out of certain types of processing of their personal data, and requires consent for certain activities. Continue Reading Connecticut Legislature Passes Comprehensive Privacy Bill

In a new post on the Inside Class Actions blog, our colleagues discuss a recent Fourth Circuit opinion holding that statements about the importance a company places on data security are not actionable following a data breach.  The case, In re Marriott International, Inc., — F.4th —-, No. 21-1802 (4th Cir. Apr. 21, 2022), could prove useful to companies facing data breach class actions.

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eyes” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.”  The Advisory updates a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and their tactics, techniques, and procedures (“TTPs”).

In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory. Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

On April 23, 2022, the European Parliament and Council of the EU announced that they reached a provisional political agreement on the Digital Services Act (“DSA”) during their final trilogue meeting.  The news comes roughly one month after the provisional political agreement on the Digital Markets Act (“DMA”).

Both acts are part of the European digital strategy (“Shaping Europe’s Digital Future”) and underwent a year and a half of intense negotiations following the Commission’s December 2020 proposals (see our previous blogs here and here).

DSA

The DSA is addressed to providers of intermediary services (e.g., Internet service providers, cloud providers, search engines, social networks and other online platforms, and online marketplaces) and covers a range of issues.

In their final round of negotiations, the EU institutions agreed on the following:

  • ban on targeted advertising addressed to minors, or based on special categories of data;
  • ban on misleading practices and interfaces (“dark patterns”);
  • enhanced transparency on the parameters used to recommend, curate or prioritize content for users. Very large online platforms (“VLOPs”, i.e., platforms with 45+ million monthly active users in the EU) must also offer at least one recommender option that is not based on profiling;
  • power to access VLOPs’ algorithms granted to the EU Commission and national authorities;
  • “notice and action” procedure to enable the reporting and removal of illegal content online;
  • “know your business customer” requirements for online marketplaces to ensure reliability of traders;
  • special crisis mechanism to mitigate the effects arising from the manipulation of online information; and
  • users’ right to compensation for any damage or loss suffered due to DSA infringements.

The DSA will provide for fines of up to 6% of an organization’s worldwide turnover.

DMA

The DMA applies to specific organizations designated as “gatekeepers”, when they (1) offer one or more “core platform services” (e.g., marketplaces, app stores, search engines, social networks, cloud or advertising services, voice assistants, web browsers); and (2) meet the following criteria:

  • annual turnover of €7.5+ billion within the EU in each of the preceding three financial years, or a market capitalization of €75+ billion, and
  • 45+ million monthly active end users and 10,000+ yearly active business users established in the EU.

While the DMA pursues EU competition policy objectives, key provisions also touch upon data protection issues, including:

  • ban, absent the end user’s consent, on the combination and cross-use of personal data collected during the use of one service for the purposes of another service offered by the gatekeeper;
  • access for business users to their marketing or advertising performance data; and
  • effective portability and continuous and real-time access to data provided or generated by end-users, complementing the GDPR’s right to (personal) data portability.

The DMA establishes fines up to 10% of worldwide turnover, or up to 20% in case of repeated infringements.

Next steps

The legal texts of both the DSA and DMA will be finalized on the basis of the provisional political agreements.  The acts will then be formally adopted in accordance with the EU’s legislative procedure.  They will enter into force on the twentieth day following their publication in the Official Journal of the EU.  With regard to enforceability, the acts will apply, respectively:

  • DSA:
    • 15 months after entry into force;
    • for VLOPs: 4 months after their designation; and
  • DMA: 6 months after entry into force.

The Covington team will keep monitoring the final stages of the DSA and DMA approval and is happy to assist with any inquiry.

On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act. Continue Reading Colorado Attorney General Remarks on CPA Rulemaking

In a new post on the Covington Digital Health blog, our colleagues discuss the Office for Civil Rights’ (“OCR”) recently published request for information (“RFI”) seeking comment on implementing certain provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The RFI seeks input as to how covered entities and business associates are voluntarily implementing recognized security practices and on the process for distributing to harmed individuals a percentage of civil monetary penalties (“CMPs”) or monetary settlements collected pursuant to the HITECH Act.  The issuance of the RFI indicates that a rulemaking or further guidance related to the HITECH Act may be forthcoming.

On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.”  In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”

CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks.  The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves. Continue Reading CISA Issues Voluntary Information Sharing Guidance for Critical Infrastructure Owners and Operators and Provides Resources for All

The National Institute of Standards and Technology (“NIST”) issued its initial draft of the “AI Risk Management Framework” (“AI RMF”), which aims to provide voluntary, risk-based guidance on the design, development, and deployment of AI systems.  NIST is seeking public comments on this draft via email, at AIframework@nist.gov, through April 29, 2022.  Feedback received on this draft will be incorporated into the second draft of the framework, which will be issued this summer or fall. Continue Reading NIST Releases Draft AI Risk Management Framework for Public Comment

On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains a number of different sets of rules.  Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:

  • create new patient rights over their electronic health data, and set out rules regarding the primary use of electronic health data (i.e., its use in the provision of healthcare);
  • establish a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • set out rules that apply to digital health services and wellness apps; and
  • introduce a harmonized scheme for providing access to electronic health data for secondary use.

Continue Reading Leaked: Draft Version of the European Health Data Space Regulation