On December 2, 2021, the Transportation Security Administration (“TSA”) announced the issuance of Security Directive 1580-21-01, Enhancing Rail Cybersecurity, and Security Directive 1582-21-01, Enhancing Public Transportation and Passenger Railroad Cybersecurity (the “December Security Directives”), and “additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.”  TSA’s announcement clarifies that these actions are “among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.”

The December Security Directives, which become effective on December 31, 2021, impose significant requirements on owners and operators of “higher-risk freight railroads, passenger rail, and rail transit.”  TSA’s announcement also explained that it has extended certain requirements of the December Security Directives to airport and airline operators and has recommended that “all other lower-risk surface transportation owners and operators voluntarily implement” the requirements of the December Security Directives.

On Episode 16 of Covington’s Inside Privacy Audiocast, Dan Cooper, Yan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and

Date: October 29, 2021

In Case You Missed It: EU Privacy, Data and Consumer Legislative Updates of the Past Month

Date Tag News Link to Source
October 29 Cybersecurity The European Commission announced that it adopted a delegated act to the Radio Equipment Directive (Directive (EU) 2014/53).  This act sets out measures to (1) improve

To add to the growing number of bills that would amend or revoke Section 230 of the Communications Decency Act, last month Senator Amy Klobuchar (D-MN) introduced the Health Misinformation Act of 2021 (S.2448).  Senator Ben Lujan (D-NM) cosponsored the bill.

The bill would amend Section 230 to revoke the Act’s liability shield

South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).  The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA).  In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.

In celebration of data privacy as a human right as part of South Africa’s Human Rights Day 2021, we feature special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa on Episode 12 of Covington’s Inside Privacy Audiocast. Together with Dan Cooper and Mosa Mkhize, we discuss the Information Regulator of

On March 2, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second U.S. state to enact a comprehensive privacy law (Nevada has enacted an online privacy law, albeit with a narrower scope).  As we have previously explained, the VCDPA follows the framework established by the Washington Privacy Act.  We recently compared Virginia’s law against other key state privacy frameworks.

Last month marked two years since the Supreme Court held, in Carpenter v. United States, that the Fourth Amendment applies to cell phone company records that detail a cell phone user’s location and movements.  Under Carpenter, police are generally required to use a warrant to obtain seven days or more of a user’s cell-site location information from phone companies.

As we previously reported, Carpenter redefined how the Fourth Amendment applies to information held by technology companies in the digital age.  Prior to Carpenter, the Court applied the third-party doctrine, under which a person who voluntarily revealed information to third parties—such as telephone companies, banks, or technology companies—lacks a reasonable expectation of privacy in that information and therefore forfeits Fourth Amendment protections.  In Carpenter, the Court declined to apply the third-party doctrine to cell-site location information, even though the cell phone user revealed their location information to their phone company.  Despite the significance of this ruling, the Court said that its decision in Carpenter was a “narrow one” that did not “address other business records that might incidentally reveal location information” or “consider other collection techniques involving foreign affairs or national security.”

On May 28, 2020, the German Federal Supreme Court handed down its decision in the Planet 49 case regarding the consent requirements for the use of cookies. The decision follows the Court of Justice of the European Union’s preliminary ruling of September 10, 2019. The decision has not yet been published, but the court has issued a press release.

The court decided that the use of pre-ticked boxes was not a valid form of obtaining consent for cookies before May 24, 2018 and remains an invalid way of obtaining consent under the GDPR. The court’s decision applies the German provisions on cookies in the German Telemedia Act which it interprets in light of the EU Directive on Privacy and Electronic Communications (“ePrivacy Directive”).

On March 12, 2020, Washington’s state legislature passed SB 6280, a bill that will regulate state and local government agencies’ use of facial recognition services (“FRS’s”).  The bill aims to create a legal framework by which agencies may use FRS’s to the benefit of society (for example, by assisting agencies in locating missing or deceased persons), but prohibits uses that “threaten our democratic freedoms and put our civil liberties at risk.”