This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software, much as various industries have adopted the NIST Cybersecurity Framework as a security controls baseline.

Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order

Date: October 29, 2021

In Case You Missed It: EU Privacy, Data and Consumer Legislative Updates of the Past Month

Date | Tag | News | Link to Source
October 29 | Cybersecurity | The European Commission announced that it adopted a delegated act under the Radio Equipment Directive (Directive (EU) 2014/53). The act sets out measures to (1) improve network resilience; (2) better protect consumers’ privacy; and (3) reduce the risk of monetary fraud. The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections. | link
October 28 | Cybersecurity | European Parliament adopts position on the Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”) and starts negotiations with the Council | link
October 20 | AI | European Commission launches public consultation, ending on January 10, on the rules on compensation for damage caused by defective products, with a specific focus on AI | link and link
October 19 | Cybersecurity | European Commission invites the EU and Member States to further develop the EU cybersecurity crisis management framework, including by exploring the potential of building a joint cyber unit to tackle the rising number of serious cyber incidents affecting public services, businesses and citizens across the EU | link
October 19 | Cybersecurity | European Commission will propose a European Cyber Resilience Act to establish common cybersecurity standards, and will begin building an EU space-based global secure communications system to provide additional EU-wide broadband connectivity and secure independent communications to Member States | link
October 13 | Data Protection – Other | European Data Protection Board (“EDPB”) issues guidelines on restrictions under Article 23 GDPR (i.e., any limitation of the scope of the obligations and rights provided for in Articles 12 to 22 and 34 GDPR, as well as the corresponding provisions of Article 5, in accordance with Article 23 GDPR) | link
October 13 | Children Data | EDPB will adopt guidelines on children’s data | link
October 13 | Personal Data Transfers | EDPB will adopt guidelines on the relationship between the GDPR’s extraterritorial reach and its data transfer restrictions. EDPB announced that the European Commission will develop a new set of standard contractual clauses for data transfers from the EEA to a non-EEA entity that is subject to the extraterritorial scope of the GDPR. | link
October 13 | Digital Services | EDPB will adopt a statement on overarching concerns regarding the legislative proposals in the Digital Services Package | link
October 12 | Cybersecurity | European Parliament adopts position on new rules on EU critical infrastructure entities | link
October 7 | AI | European Consumer Organisation (“BEUC”) issues position paper on the AI Act | link
October 6 | AI | European Parliament adopts resolution on AI in criminal law and its use by the police and judicial authorities in criminal matters | link
October 1 | Open Data | Council of the EU approves its version of the Data Governance Act, which will now be negotiated with the European Parliament | link and link

What’s Coming Next

  • Negotiations on the Data Governance Act between Parliament and the Council are scheduled for November 9 and early December (see here)
  • Council of the EU is preparing position on the evaluation and findings on the application of the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (see here)

On 6 October 2021, the European Parliament (“EP”) voted in favor of a resolution banning the use of facial recognition technology (“FRT”) by law enforcement in public spaces. The resolution forms part of a non-legislative report on the use of artificial intelligence (“AI”) by the police and judicial authorities in criminal matters (“AI Report”) published by the EP’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) in July 2021. The AI Report will now be sent to the European Commission, which has three months to either (i) submit, or indicate it will submit, a legislative proposal on the use of AI by the police and judicial authorities as set out in the AI Report; or (ii) if it chooses not to submit a proposal, explain why.

Continue Reading European Parliament Votes in Favor of Banning the Use of Facial Recognition in Law Enforcement

On Wednesday, October 6th, Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act, which expands genetic privacy protections for consumers in California, including those interacting with direct-to-consumer (“DTC”) genetic testing companies.  In a recent Inside Privacy blog post, our colleagues discussed SB 41 and the growing patchwork of state genetic privacy laws across the United States.  Read the post here.

On 5 September 2021, the UAE announced plans to introduce a new federal data protection law (“UAE Data Law”) in the coming weeks, which would be its first comprehensive data privacy and protection law.  The new law forms part of the UAE’s Projects of the 50, a set of economic and developmental initiatives designed to mark the country’s 50th anniversary and to launch the next phase of the UAE’s growth.

The UAE Data Law was developed in consultation with major technology companies. H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, has stated that “every single data law on the planet” was considered when drafting the new legislation.  The new law aims to be a “global law” that provides international companies with a smooth mechanism for cross-border transfers and keeps the cost of compliance low for SMEs. Some aspects of the UAE Data Law will include:

  • the right to be forgotten, the right of access, the right of correction, and the right to be informed, all of which are already included in the EU GDPR and in the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) data protection laws;
  • consent obligations regarding marketing of data by companies seeking to monetize data;
  • minimal restrictions on cross-border data flows or references to sensitive or restricted data; and
  • provisions for a new national data privacy regulator.

The UAE Data Law is likely to be issued before the end of November 2021, prior to the country’s 50th anniversary.  Once enacted, the UAE Data Law might also provide an adequate level of protection for the purposes of data transfers from other regulated jurisdictions, including the DIFC and ADGM.

The UAE Data Law will not likely apply to data privacy and protection related to government data or health data, which will be covered by separate new or revised legal regimes.

We will continue to monitor these developments at Inside Privacy.

Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida, establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections.  A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies.  While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections does not clearly cover all forms of genetic testing, including DTC genetic tests.

Continue Reading Newly Effective Florida Law Imposing Criminal Sanctions Adds to Developing Nationwide Patchwork of State Genetic Privacy Laws

On 22 September 2021, the UK Government published its 10-year strategy on artificial intelligence (“AI”; the “UK AI Strategy”).

The UK AI Strategy has three main pillars: (1) investing and planning for the long-term requirements of the UK’s AI ecosystem; (2) supporting the transition to an AI-enabled economy across all sectors and regions of the UK; and (3) ensuring that the UK gets the national and international governance of AI technologies “right”.

The approach to AI regulation as set out in the UK AI Strategy is largely pro-innovation, in line with the UK Government’s Plan for Digital Regulation published in July 2021.

Continue Reading The UK Government Publishes its AI Strategy

On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea.  Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.

The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR.  In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, notably the GDPR.

Continue Reading EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea

Last week, the Ninth Circuit held in United States v. Wilson, No. 18-50440, 2021 WL 4270847, that a law enforcement officer violated a criminal defendant’s Fourth Amendment rights when he opened images attached to the defendant’s emails without a warrant, even though the images had previously been flagged as child sexual abuse materials (“CSAM”) by Google’s automated CSAM-detection software.  The court based its ruling on the private search exception to the Fourth Amendment, which permits law enforcement to conduct a warrantless search only to the extent the search was previously conducted by a private party.  Because no individual at Google actually opened and viewed the images flagged as CSAM, the court held that law enforcement “exceeded the scope of the antecedent private search,” thereby “exceed[ing] the limits of the private search exception.”  Op. at 20-21.

Continue Reading Ninth Circuit’s Interpretation of Private Search Exception to the Fourth Amendment Contributes to “Growing Tension” Among Circuit Courts

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”).  The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.

The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations.  However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies.  Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.

In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors.  As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.

Continue Reading OFAC Issues Updated Guidance on Ransomware Payments