On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.”  In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”

CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks.  The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.

Continue Reading CISA Issues Voluntary Information Sharing Guidance for Critical Infrastructure Owners and Operators and Provides Resources for All

The National Institute of Standards and Technology (“NIST”) issued its initial draft of the “AI Risk Management Framework” (“AI RMF”), which aims to provide voluntary, risk-based guidance on the design, development, and deployment of AI systems.  NIST is seeking public comments on this draft via email, at AIframework@nist.gov, through April 29, 2022.  Feedback received on this draft will be incorporated into the second draft of the framework, which will be issued this summer or fall.

Continue Reading NIST Releases Draft AI Risk Management Framework for Public Comment

On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published.  The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data).  The European Commission has not yet released an official version of the proposal.  It is expected to do so on May 3.

The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules.  Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:

  • create new patient rights over their electronic health data, and set out rules regarding the use of electronic health data for primary care;
  • establish a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
  • set out rules that apply to digital health services and wellness apps; and
  • introduce a harmonized scheme for providing access to electronic health data for secondary use.

Continue Reading Leaked: Draft Version of the European Health Data Space Regulation

The German Conference of Independent Supervisory Authorities (“DSK”) published on March 23, 2022 a statement on scientific research and data protection (see here, in German).  The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021.  The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records.

Continue Reading German Supervisory Authorities Publish Paper on Scientific Research and Data Protection

In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”).  In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.

Continue Reading Supreme Court Holds FISA Does Not Displace the State Secrets Privilege

The California Privacy Protection Agency (“CPPA”) held two informational hearings on March 29, 2022 and March 30, 2022, in anticipation of its upcoming rulemaking later this year.  While the CPPA Board was present throughout the hearings, its members did not present any views as part of the program.  The speakers covered the following topics of note:

Continue Reading California Privacy Protection Agency Holds Informational Hearings

The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here).  Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.

Continue Reading Irish DPC Reports on Cross-Border Activity and Resources

As many readers will be aware, a key enforcement trend in the privacy sphere is the increasing scrutiny by regulators and activists of cookie banners and the use of cookies. This is a topic that we have been tracking on the Inside Privacy blog for some time. Italian and German data protection authorities have issued guidance within the past three months, adding to guidance coming out of France, Spain, the UK and at EU level from the EDPB. The EDPB has also recently adopted guidance on the use of “dark patterns” in social media interfaces, setting out best practice to ensure that users can make fully informed decisions. The key compliance recommendations relating to cookies set out by these various guidelines include:

  • allowing only essential technical cookies to be implemented by default, and requiring user consent for all other cookies that are merely helpful or convenient;
  • requiring that consent to non-essential cookies be given by a clear and positive action, rather than, for example, by way of a pre-ticked box or by continued use of a site;
  • preventing consent bundling whereby consent is given in one click for cookies used for more than one purpose without granular controls; and
  • making the withdrawal of consent to cookies as easy as giving consent.

Alongside this increasing prevalence of regulatory guidance on cookies, there has been a wave of letters from activists to companies pointing out apparent shortcomings in compliance, and a corresponding increase in the submission of complaints to national data protection authorities across Europe. Notably, noyb recently sent a second wave of two hundred and seventy draft cookie banner complaints to website operators across Europe. This follows from the initial batch of over five hundred letters sent by the same organisation in May 2021.

Complaints from activist groups such as noyb have focused on the following practices by website operators:

  • inaccurately classifying certain cookies as “essential”;
  • using pre-ticked boxes to obtain consent for cookies;
  • making accepting cookies easier than rejecting them when first landing on a site through design features, such as the use of different colours and levels of contrast;
  • situating the options to accept and reject cookies on different layers of a cookie pop-up;
  • allowing users to reject cookies only via links to separate webpages, rather than utilising an integrated reject button; and
  • making the withdrawal of consent to cookies more difficult than the original giving of that consent.

As can be seen, both regulators and activists have very similar data privacy concerns when it comes to cookies and cookie banners, notably homing in on the need for cookie banners and pop-ups to be designed in such a way that website users are able to make a free and informed choice between consenting to and rejecting cookies.

Throughout this period of increased scrutiny on cookies, Covington’s multi-jurisdictional Data Privacy and Cybersecurity team has been actively assisting clients to navigate the various guidelines and to respond to letters from activists, and is ideally placed to help with any questions you may have.

On March 25, 2022, the EU Commission and the US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here).  The Commission and the U.S. published draft factsheets outlining the agreement (see the Commission’s factsheet here and the U.S. factsheet here).  This agreement will form the basis for an adequacy decision in the EU and an executive order in the US, which both parties will draft as a next step.

Today’s announcement follows lengthy negotiations that began shortly after the Court of Justice of the EU’s (“CJEU”) Schrems II judgment on July 16, 2020, which annulled the EU-US Privacy Shield (see our blog post here).  There, the CJEU held that the US did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to US law enforcement and intelligence agencies to access data and an absence of effective legal remedies for EU residents.

According to the published factsheets, the US has made “unprecedented commitments” that build on the safeguards that were in place under the annulled Privacy Shield framework with the aim of addressing issues identified in the Schrems II decision.  The new framework will:

  • strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities through binding safeguards limiting U.S. intelligence authorities’ access to data to what is necessary and proportionate to protect U.S. national security;
  • establish a new, multi-layered redress mechanism with independent and binding authority composed of individuals chosen from outside the U.S. Government who will have full authority to investigate and adjudicate claims, as well as impose remedial measures, as needed; and
  • enhance the U.S.’ existing rigorous and layered oversight of signals intelligence activities.

Just as with the annulled Privacy Shield, U.S. companies will need to self-certify their adherence to the Privacy Shield 2.0 once it is released.

This is undoubtedly good news for industry, as such a framework will offer industry another option when transferring personal data from the EU, alongside EU contractual clauses and other means.  However, any new framework is certain to be pressure-tested before the EU courts, and at least one privacy advocacy group has issued a statement challenging the legality of the agreement (see NOYB statement here).

The Covington team will keep monitoring any developments on the Privacy Shield 2.0 and continue to report on them on our blog Inside Privacy.

On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022.  The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”).  In this sense, the Guidelines serve both to instruct organizations on how to design their platforms and user interfaces in a GDPR-compliant manner, and to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices).  The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).

In this blog post, we summarize the Guidelines and identify key takeaways.  Notably, while the Guidelines are targeted at designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.

Continue Reading EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces