On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure.  (Case C‑46/23)

Continue Reading The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data

Earlier this week, Members of the European Parliament (MEPs) cast their votes in favor of the much-anticipated AI Act. With 523 votes in favor, 46 votes against, and 49 abstentions, the vote is a culmination of an effort that began in April 2021, when the EU Commission first published its proposal for the Act.

Here’s what lies ahead:

Continue Reading EU Parliament Adopts AI Act

At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information.  Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process.  At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process.  The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest.  Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.

Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments

Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market.  The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables.  The approved text is available here.

Continue Reading The Cyber Resilience Act is One Step Closer to Becoming Law

On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR.  For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.

In 2023, regulators focused upon data protection officers’ designation and role.  And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action.  This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.

Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?

The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). 

Continue Reading California Attorney General Announces Second CCPA Settlement

On Thursday, March 7, 2024, the U.S. Senate confirmed two nominees for the open seats on the Federal Trade Commission:  Andrew N. Ferguson, former solicitor general of the Commonwealth of Virginia; and Melissa Holyoak, former solicitor general with the Utah Attorney General’s Office.  With this confirmation of two new Republican Commissioners, the FTC is one step closer to a full slate of five bipartisan Commissioners.  The Senate also re-confirmed Commissioner Rebecca Kelly Slaughter for a second term.  President Biden had nominated Ferguson and Holyoak on July 11, 2023, and renominated Slaughter on February 13, 2023. 

Continue Reading FTC Returns to Bipartisan Commission with Confirmation of Two New Republican Commissioners

Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.

Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA 

On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed for those purposes. This is sometimes referred to as “pay or okay”.

The ICO has provided an “initial view” of these models, stating that UK data protection law does not outright prohibit them. It also sets out factors to consider when implementing these models and welcomes the views of publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders. The consultation is open until 17 April 2024.

Continue Reading UK ICO Launches a Consultation on “Consent or Pay” Business Models

On March 7, 2024, the European Court of Justice (“CJEU”) rendered its judgment in an appeal against a decision of the EU General Court (C-479/22P).  In the original decision, the General Court decided that the information contained in a press release by OLAF (a European anti-fraud organization) regarding fraud committed by an unnamed scientist was not personal data as the scientist was not identifiable from the press release (for more on the General Court’s decision, see our blog post here). The scientist appealed the decision arguing that she could easily be identified from the information released by OLAF and thus that the data were personal data.  The EU law concerned in this case is Regulation (EU) 2018/1725, which applies to the processing of personal data within EU bodies, rather than the GDPR, though the definition of personal data is the same in both regulations.

Continue Reading European Court Clarifies Concept of Personal Data