On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old).  The consultation will conclude on October 7, 2022.  According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14).  The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.

Continue Reading Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data

With the growing use of AI systems and the increasing complexity of the legal framework relating to such use, the need for appropriate methods and tools to audit AI systems is becoming more pressing both for professionals and for regulators. The French Supervisory Authority (“CNIL”) has recently tested tools that could potentially help its auditors

On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority.  The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.

Continue Reading Brussels Appeal Court Refers IAB Europe Case to CJEU

On August 31, 2022, one day before the Measures for Security Assessment of Cross-border Data Transfer (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the security assessment application (“CAC Guidance”). Covington’s previous posts on the Measures can be found here.

Continue Reading China Releases Guidance on Cross-border Data Transfer Security Assessment Application

The UK Government recently published its AI Governance and Regulation: Policy Statement (the “AI Statement”) setting out its proposed approach to regulating Artificial Intelligence (“AI”) in the UK. The AI Statement was published alongside the draft Data Protection and Digital Information Bill (see our blog post here for further details on the Bill) and is

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair.  The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.

Continue Reading Ireland Expands Leadership Structure of Data Protection Commission

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law. 

This quarterly update summarizes key federal legislative and regulatory developments in the second quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in U.S. state legislatures.  In the second quarter of 2022, Congress and the Administration focused on addressing algorithmic bias and other AI-related risks and introduced a bipartisan federal privacy bill.

Continue Reading U.S. AI, IoT, CAV, and Data Privacy Legislative and Regulatory Update – Second Quarter 2022