In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.”  These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems

On February 24, Congressman Patrick McHenry (NC-10) formally introduced his bill to modernize the Gramm-Leach-Bliley Act (“GLBA”) in the House as H.R. 1165.  The bill was first released as a discussion draft in June 2022, although the latest version reflects a number of updates as compared to the initial discussion draft.  The bill has been referred to the House Financial Services Committee, of which Congressman McHenry is the Chairman, and will be marked up during the Committee’s first markup of the 118th Congress, which began on February 28th at 10 AM ET.

On Tuesday, February 14, 2023, the Senate Judiciary Committee held a hearing titled “Protecting Our Children Online.”  The witnesses included only consumer advocates, and no industry representatives.  As Committee Chair, however, Senator Durbin (D-IL) indicated that he plans to hold another hearing featuring representatives from technology companies.

Continue Reading Senate Judiciary Committee Holds Hearing on Children’s Online Safety

On February 22, 2023, the European Data Protection Board (“EDPB”) released its Work Program for 2023-2024 (“the Program”), outlining the key priority areas for the next two years.  The Program is divided into four pillars, which largely reflect the priorities already set out in its Strategy 2021-2023.

Continue Reading EDPB Releases its 2023-2024 Work Program

The EU Representative Actions Directive (“RAD”) was meant to have been transposed by all EU member states by December 25, 2022. However, the EU Commission announced on January 27, 2023, that only three out of the 27 EU member states have properly transposed the RAD into their national legislation as required, and that it will now start issuing formal notices to the remaining countries to transpose the RAD as soon as possible.

As reported in our previous blog post, the RAD aims to harmonize member state frameworks on collective actions (i.e., whereby multiple claimants may lodge a claim or claims as a group) across the EU. It sets minimum requirements with respect to collective actions on a wide range of topics, including data protection matters (see also our blog post on the implications of RAD for data protection infringements and our separate blog post on the Court of Justice of the EU’s interpretation of Article 80(2) GDPR on data protection-related collective actions). This blog post provides an overview of the RAD and its implementation status by EU member states.

Continue Reading National Transposition of the EU Representative Actions Directive: What is the Current Status?

On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures.  The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.

The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework.  With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance.

Continue Reading China Finalizes Standard Contract for Cross-Border Transfers of Personal Information

On February 16, 2023, the UK Information Commissioner’s Office (“ICO”) released guidance for the video game industry on how to conform with the UK’s Age Appropriate Design Code when developing video games. This blog post summarizes the ICO’s recommendations for video game developers and designers when creating video games that are likely to be accessed by children under the age of 18. For more information about the UK’s Age Appropriate Design Code, see our previous blog posts here and here.

Continue Reading UK Information Commissioner’s Office Publishes Guidance for Video Game Developers and Designers to Improve Data Protection in their Services

On 24 January 2023, the Italian Supervisory Authority (“Garante”) announced it fined three hospitals in the amount of 55,000 EUR each for their unlawful use of an artificial intelligence (“AI”) system for risk stratification purposes, i.e., to systematically categorize patients based on their health status. The Garante also ordered the hospitals to erase all the data they obtained as a consequence of that unlawful processing.

Continue Reading Italian Garante Fines Three Hospitals Over Their Use of AI for Risk Stratification Purposes, Establishes That Predictive Medicine Processing Requires the Patient’s Explicit Consent

On February 20, 2023, the European Commission launched an initiative to further specify procedural aspects relating to the enforcement of the GDPR (“procedural initiative”). The aim of the procedural initiative is to clarify the administrative procedure that applies in cross-border investigations and enforcement under the GDPR. These rules are expected to clarify and complement the existing rules on cooperation and dispute resolution under GDPR Articles 60 and 65.

This procedural initiative was announced in the Commission’s work program for 2023, and the text of the proposal is not yet available. The European Commission is expecting to publish a draft regulation on procedural rules relating to the enforcement of the GDPR in Q2 2023.

Continue Reading European Commission Plans to Improve Cooperation Between Supervisory Authorities in Cross-Border GDPR Cases

On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

Firstly, the DSK states – deviating from a decision of the Public Procurement Chamber Baden-Württemberg in July 2022 – that the mere risk that third country public authorities or a third country-based parent company of an EU/EEA-based company could instruct it to transfer personal data to a third country does not constitute a data transfer within the meaning of Art. 44 et seq. GDPR.

However, the DSK highlights that the controller must take this risk into account when assessing the processor’s reliability pursuant to Art. 28(1) GDPR. The DSK takes the view that the reliability assessment of an EU/EEA-based processor with a parent company in a third country requires an assessment of all circumstances of the individual case. The relevant criteria for the assessment include, for example, the risk that the third country-based parent company will instruct the EU/EEA-based subsidiary to transfer personal data to a third country, or assurances given by the third country-based parent company as to how it will deal with conflicts between EU law and the law of the third country and whether the EU/EEA-based processor and the third country-based parent company can comply with these assurances. It is also necessary to assess whether, and if so to what extent, the EU/EEA-based processor and/or the data it processes are covered by third-country law obligations and/or practices. If the EU/EEA-based processor and/or the data it processes are covered by third-country law and/or practices, it needs to be assessed whether the EU/EEA-based processor provides sufficient guarantees to prevent processing operations that are unlawful under the standards of the GDPR or the applicable Member State law, in particular processing without or against the instructions of the controller based on obligations under third country law.

The DSK noted that, if there is a risk that third-country law and/or practices may require processing by the EU/EEA-based subsidiary of a third country-based parent company that is unlawful under EU law, the subsidiary’s status as an EU/EEA-based processor is not in itself sufficient to establish reliability under Article 28(1) of the GDPR. If no guarantees can be provided, this shortcoming must be compensated for by additional technical and/or organizational measures. With regard to appropriate measures, the DSK refers to the recommendations of the European Data Protection Board (“EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, dated June 2021, which should be applied accordingly.

The DSK concludes the decision by announcing that it will promote further discussion of this issue in the EDPB.