Privacy & Data Security

On March 15th, the Iowa legislature passed S.F. 262 (the “ICDPA”), making it the sixth U.S. state to pass a comprehensive state privacy statute.  The Iowa statute most closely resembles the Utah Consumer Privacy Act (“UCPA”), though it also shares some similarities with the approaches adopted in Virginia, Colorado, and Connecticut.  The statute will next go to the governor’s desk for signature.  If signed into law, the ICDPA would take effect on January 1, 2025.

Continue Reading Iowa Passes Comprehensive Privacy Statute

As permitted by the GDPR, France has enacted some specific requirements for the processing of health data, in particular in the context of medical research.  Following a report, the French supervisory authority (“CNIL”) audited two organizations carrying out medical research in early 2022 to check their compliance with these requirements.  On March 13, 2023, the

On March 7, 2023, the Irish Data Protection Commission (“DPC”) published its annual report for 2022. The report reflects the DPC’s reputation as both an active enforcer of the General Data Protection Regulation (“GDPR”) and a contributor to policy development at national and EU levels.  The level of interaction between the DPC and the European Data Protection Board (“EDPB”) is particularly significant, with more than 300 meetings reported for 2022 (averaging more than 25 per month), many of which involved participation in the EDPB’s expert subgroups.

Continue Reading Key Takeaways from the Irish DPC’s 2022 Annual Report

On March 7, 2023, during the annual National People’s Congress (“NPC”) sessions, China’s State Council revealed its plan to establish a National Data Bureau (NDB) as part of a broader reorganization of government agencies. The plan is being deliberated by the NPC and is expected to be finalized soon. 

Continue Reading China Reveals Plan to Establish a National Data Bureau

On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese), including a template contract (“Standard Contract”) accompanying the Measures.  The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.

The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework.  With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance. 

Continue Reading China Finalizes Standard Contract for Cross-Border Transfers of Personal Information

Last night, the California Privacy Protection Agency (CPPA) published agenda materials for its upcoming meeting on February 3, 2023.  The materials include:

  • Proposed final draft regulations implementing the California Privacy Rights Act (CPRA).  These do not reflect further changes since the draft regulations that the CPPA put out for a 15-day comment period on November

On Episode 20 of Covington’s Inside Privacy Audiocast, Dan Cooper, Co-Chair of Covington’s Data Privacy and Cyber Security practice, and Christian Ahlborn, Partner in Covington’s Competition practice, discuss the recently enacted EU Digital Markets Act (DMA) in the first part of our “Competition and Privacy” mini series.

For more information on the DMA

At the beginning of a new year, we are looking ahead to five key technology trends in the EMEA region that are likely to impact businesses in 2023.

Continue Reading Top Five EMEA Technology Trends to Watch in 2023

This quarterly update summarizes key legislative and regulatory developments in the fourth quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.

Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Fourth Quarter 2022

The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”).  These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th.  The Attorney General will convene a formal rulemaking hearing on February 1, 2023.  In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration. 

Continue Reading Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules