Last week, an Illinois federal district court granted the defendant’s motion to stay in Stegmann v. PetSmart, No. 1:22-cv-01179 (N.D. Ill.).  The case implicates the evolving law surrounding the scope of the Illinois Biometric Information Privacy Act (“BIPA”) and  a pending Illinois Supreme Court case that could provide an important defense to certain BIPA suits.

Continue Reading Federal Court Stays Suit Implicating Accrual of Claims Under the Illinois Biometric Information Privacy Act

On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard.  “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by’” a CRQC (cryptanalytically relevant quantum computer) or a classical computer.  NIST “has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.”  NIST does not intend to publish the new post-quantum cryptographic standard for commercial products until 2024, but urges companies to begin preparing now by following the Post-Quantum Cryptography Roadmap.

Continue Reading CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard

Recent months have seen a growing trend of data privacy class actions asserting claims for alleged violations of federal and state video privacy laws.  In this year alone, plaintiffs have filed dozens of new class actions in courts across the country asserting claims under the federal Video Privacy Protection Act (“VPPA”), Michigan’s Preservation of Personal Privacy Act (“MPPPA”), and New York’s Video Consumer Privacy Act (“NYVCPA”).

Continue Reading Emerging Trends: Renewed Wave of Video Privacy Class Actions

This quarterly update summarizes key federal legislative and regulatory developments in the second quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in U.S. state legislatures.  In the second quarter of 2022, Congress and the Administration focused on addressing algorithmic bias and other AI-related risks and introduced a bipartisan federal privacy bill.

Continue Reading U.S. AI, IoT, CAV, and Data Privacy Legislative and Regulatory Update – Second Quarter 2022

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”).  With a very tight implementation schedule, the Measures will take effect on September 1, 2022.  The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

Continue Reading China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data.  In practice, this means the new transparency system will not be enforceable before 2023. 

Prior to the approval of the Sunshine Act, only member companies of trade associations, such as Farmindustria or Confindustria Dispositivi Medici, were under the obligation to disclose the transfers of value made to healthcare professionals (“HCP”) and organizations (“HCO”).  While non-member companies had no corresponding obligation, many disclosed their transfers on a voluntary basis.  Under these industry codes, companies could disclose data on transfers in an aggregate form, rather than individually, in two circumstances:  (i) when collecting individual consent would not be possible or (ii) when the transfer concerns R&D expenses.  The Sunshine Act, however, does not contain these derogations and excludes the option of only publishing aggregated data entirely. 

Companies in scope of the Sunshine Act will have to disclose their transfers of value on a dedicated, publicly accessible online database that will be set up and managed by the Ministry of Health within 6 months following the entry into force of the Sunshine Act.  The database will be called “Sanità Trasparente” and will include data such as the professional contact details and affiliation number of the HCPs, the contact details of the HCOs, and all the other details concerning the transfer of value.  The data stored on the database can be freely searched and sorted by the public for at least 5 years following publication.

Within 3 months from the entry into force of the Sunshine Act, the Ministry of Health, in collaboration with the Agency for Digital Italy (AgID), the National Anticorruption Authority (ANAC) and the Italian Data Protection Authority (Garante Privacy), will decide on the structure of the database, including its technical features and the procedure through which companies will disclose their data online.  The system should incorporate privacy by design and by default features.

Companies are required to disclose three distinct categories of data:

  1. Transfers of money, goods, services or other benefits made to HCPs or HCOs (“ToV”).
  2. Agreements with HCPs and HCOs providing them with direct or indirect benefits “consisting of participation in conferences, training events, committees, commissions, advisory bodies or scientific committees or the establishment of consulting, teaching or research relationships” (“Agreements”).
  3. The details of those HCPs and HCOs that (i) hold quotas, shares or bonds in the company (“Shares”), or (ii) received fees from the company for the economic exploitation of their intellectual property licenses (“Licenses”).

As anticipated, companies must disclose these data exclusively on an individual basis (i.e., per identified HCP/HCO).  To this end, the Sunshine Act establishes that privacy consent is considered provided at the moment when the HCP or HCO accepts the ToV, signs the Agreements, or acquires the Shares or the Licenses.  This raises questions on the consistency of the provision with the GDPR, and, in particular, with the freely given nature of consent and the right to withdraw consent.  The Sunshine Act clarifies that companies are under the obligation to inform HCPs or HCOs of the disclosure on the Ministry’s database Sanità Trasparente by providing them with a privacy notice that must clarify, at a minimum, that their data will be published.  The Act also provides that the publication of the transfer of value is without prejudice to the rights of data subjects under Articles 15 to 19 and 21 of the GDPR, which raises questions on the application of certain rights, such as the right to erasure.

* * *

The Covington team will keep monitoring the implementation of the Sunshine Act and the relevant database, and is happy to provide advice or answer any questions you may have on the topic.

On July 5, 2022, the European Parliament adopted the Digital Services Act (“DSA”) with 539 votes in favor, 54 votes against and 30 abstentions, following the political deal reached on April 23, 2022 (see our previous blog here).

Key aspects

The DSA is addressed to providers of intermediary services (e.g., Internet service providers, cloud providers, search engines, social networks and other online platforms, and online marketplaces).  The DSA will also apply to providers established outside the EU, to the extent they offer services to business and individual users established or located in the EU.

Among a range of topics, the DSA requires:

  • implementation of notice-and-action mechanisms;
  • setting up internal complaint-handling systems;
  • ensuring the traceability of traders on online marketplaces; and
  • compliance with detailed transparency and accountability obligations, including specifically on online advertising and algorithms used to recommend content. 

Moreover, the DSA imposes a ban on so-called dark patterns and online advertising activities targeting minors, or those based on sensitive personal data.

The strictest set of obligations is addressed to providers of “very large online platforms” and “very large online search engines”, i.e., those reaching an average of 45 million or more monthly active users in the EU, and designated as such by the Commission.  Specific obligations for such players include:

  • conducting assessments of “systemic risks” stemming from the design, functioning and use of their services, including algorithmic systems, in the EU;
  • conducting yearly independent audits;
  • granting access to data to the authorities, upon request, for the purposes of monitoring and assessing compliance with the DSA, and explaining the design, logic, functioning and the testing of algorithmic systems;
  • establishing an independent compliance function;
  • paying an annual supervisory fee to the Commission; and
  • complying with certain actions required by the Commission in cases of extraordinary circumstances leading to a serious threat to public security or public health.

Next steps

The DSA text must now be adopted by the Council (expected in September 2022).  The DSA will enter into force twenty days after publication in the EU Official Journal.

The DSA will be directly applicable across the EU and will apply fifteen months after its entry into force or from January 1, 2024, whichever comes later.  However, the DSA will become enforceable sooner for very large online platforms and very large online search engines, i.e., four months after being designated as such by the Commission.

***

The Covington team will keep monitoring the developments on the DSA, and is happy to assist with any inquiries on the topic.

The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).

As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).

While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.

Continue Reading 8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive data.

The guidelines set out a number of security levels and a security risk assessment.  The risk assessment takes into account the following aspects: (1) the app’s purpose; (2) its architecture; (3) the source code; (4) third-party software integrations; (5) cryptographic implementation; (6) authentication mechanisms; (7) data storage and protection; (8) auditing of paid resources; (9) network communication; (10) platform-specific interactions; and (11) resilience.  The guidelines also include specific security requirements for digital healthcare apps with biometric authentication mechanisms.

The guidelines are based on state-of-the-art security techniques used in the healthcare sector and the Office’s findings in several of its projects.  They also take into account feedback received from industry stakeholders, the German Federal Institute for Drugs and Medical Devices, and the German Federal Commissioner for Data Protection and Freedom of Information.

The Office offers a certification to healthcare apps that comply with the guidelines.