As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces.  In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety.  We are providing this year-end round up in four parts.  In this post, we detail AI updates in Congress, state legislatures, and federal agencies. Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021

The Kingdom of Saudi Arabia has recently issued its first comprehensive national data protection law.  The Personal Data Protection Law will enter into force on March 23, 2022 and regulates the collection, processing and use of personal data in the Kingdom.

Organizations with operations in the Kingdom or those processing data of Saudi residents will have one year to comply with the new requirements.

Continue Reading Saudi Arabia Issues New Personal Data Protection Law

There has been a substantial increase in the use of the Internet across the African continent, aided by ongoing investment into local digital infrastructure, reduction in the associated costs, and improved user access. This has allowed both individuals, and private and public entities, the ability to access, collect, process and/or disseminate personal data more easily, which has spurred a number of African countries to enact comprehensive data protection laws and establish data protection authorities. There is also a growing perception among African countries that there is a need to protect their citizen’s personal data, to regulate how public and private entities use personal data, and to establish data protection authorities tasked with enforcing these laws.

While countries like Kenya, Rwanda and South Africa now have comprehensive data protection laws, which share some elements found in the European Union’s General Data Protection Regulation (“GDPR”), many of the proposed data protection laws have specific rules that are different from those in other countries in Africa. Consequently, technology companies conducting business in Africa will be required to keep abreast of the evolving regulatory landscape as it relates to data protection on the continent.

Continue Reading Tech Regulation in Africa: Recently Enacted Data Protection Laws

On December 2, 2021, the Transportation Security Administration (“TSA”) announced the issuance of Security Directive 1580-21-01, Enhancing Rail Cybersecurity, and Security Directive 1582-21-01, Enhancing Public Transportation and Passenger Railroad Cybersecurity (the “December Security Directives”), and “additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.”  TSA’s announcement clarifies that these actions are “among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.”

The December Security Directives, which become effective on December 31, 2021, impose significant requirements on owners and operators of “higher-risk freight railroads, passenger rail, and rail transit.”  TSA’s announcement also explained that it has extended certain requirements of the December Security Directives to airport and airline operators and has recommended that “all other lower-risk surface transportation owners and operators voluntarily implement” the requirements of the December Security Directives. Continue Reading TSA Imposes New Cybersecurity Requirements for Rail and Air Sectors

On December 2, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) held that consumer protection associations may bring collective claims without a mandate for violations of the GDPR relying on national consumer law provisions (see here).  The words “without a mandate” mean that the organization is not representing a particular consumer or group of consumers, rather, it is representing the collective interests of those whose personal data have been processed in a manner contrary to the GDPR without identifying particular individuals.  According to the AG, this is compatible with Article 80(2) of the GDPR.

The case relates to an injunction order lodged by a German consumer protection organization against a social media provider for allegedly allowing on its platform “free” games in violation of data protection law and relatedly in violation of the German consumer law.  The organization did not have a mandate from impacted consumers to lodge the claim before the German court.  But, the organization relied on a provision under German consumer law that allows it to lodge collective claims without a mandate.

The German court requested that the CJEU consider whether the consumer organization could have relied on such a provision for claims relating to violations of the GDPR.  The AG held that the GDPR does not preclude this.  However, the AG pointed out that consumer organizations may only initiate collective claims without a mandate where this option is provided for under EU Member State law.

It now is to be seen whether the CJEU follows the AG’s opinion.  We will report back once it is published.

Date: December 3, 2021

In Case You Missed It: EU Privacy, Data and Consumer Updates of the Past Month

Date Tag News Link to Source
December 1 Cybersecurity The European Parliament published a progress report on the NIS2 Directive. Link.
November 30 Open Data The Council of the EU and European Parliament reached a provisional agreement on the Data Governance Act.  The provisional agreement is subject to Council of the EU’s approval. Link.


November 25 Digital Services The Council of the EU reached an agreement on the draft Digital Services Act and the Digital Markets Act bringing them one-step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce its first reading position either in December or in early 2022, after which the Council and the Parliament will enter into negotiations with the goal of reaching an agreement on a final text for both acts. Link.



November 25 Other The European Commission published a draft regulation on the transparency and targeting of political advertising. Link.


November 22 AI The Council of the EU published a progress report on the EU Artificial Intelligence Regulation. Link.
November 22 Cybersecurity The European Union Agency for Cybersecurity published its report on emerging cybersecurity challenges. Link.
November 19 Transfers The European Data Protection Board adopted guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. Link.


November 19 Product Safety The Council of the EU issued a progress report on the draft Regulation on general product safety. Link.
November 18 Digital Services The European Data Protection Board published a statement on the Digital Services Act. Link.
November 18 Cybersecurity The European Data Protection Board sent a letter to the European Union Agency for Cybersecurity regarding the European Cybersecurity Certification Scheme for Cloud Services on how to best use this scheme to meet the cybersecurity requirements of the GDPR, including those on transfers. Link.
November 17 Cybersecurity The European Union Agency for Cybersecurity published its report on the cybersecurity investments of operators of essential services and digital service providers covered by EU Directive on Security of Network and Information Systems (NIS Directive). Link.
November 15 Other The European Data Protection Supervisor announced that it will host a conference on effective enforcement in the digital work on June 16 and 17, 2022. Link.
November 11 Cybersecurity The European Union Agency for Cybersecurity published a report on incident response capabilities in the health sector. Link.
November 5, 2021 Open Data The European Commission will no longer discuss the EU Data Act in 2021.  According to Euractive, “the Commission’s impact assessments for new legislative proposals, rejected the Data Act on Wednesday (October 27) for reportedly not providing sufficient information on the conditions for public bodies to access data, the compensation for businesses and the relation with other legislative measures. Link
November 4, 2021 Privacy The Slovenian Council Presidency and European Parliament agreed to make certain changes to the draft ePrivacy Regulation provisions on direct marketing, including information in public registries. Link
October 29 Cybersecurity The European Commission adopted the Commission Delegated Regulation (EU) to the Radio Equipment Directive (Directive (EU) 2014/53) which aims to make sure that all wireless devices are safe before being sold within the EU market.  The Delegated Regulation lays down cybersecurity requirements for manufacturers of wireless devices.  The Delegated Regulation is currently under the scrutiny of the Council of the EU and the Parliament for a two-month period.  If the Council and Parliament do not raise any objections within these two months, it will be published in the Official Journal of the EU and will enter into force 20 days following publication.  Following the entry into force, manufacturers will have a transition period of 30 months to start complying with the new legal requirements under the Delegated Act. Link.


What’s Coming Next


  • European Parliament to adopt first reading position on the Digital Services Act and the Digital Markets Act in either December 2021 or early 2022.


On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices.  The new law amends the state’s civil rights law and takes effect on May 7, 2022. Continue Reading New York Requires Businesses To Notify Employees of Electronic Monitoring

On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here).  In this case, the advertisement in question was shown in the inbox list of a user’s private emails, resembling the appearance of an email, although it was labelled “advertisement”.

The CJEU emphasized in its decision that this form of advertisement is distinguishable from advertising banners or pop-up windows that appear at the outer edge of private messages or separately from them.  According to the CJEU, the advertisement here was subject to direct marketing rules because it resembled an electronic communication (i.e., an email).

Notably, the advertisement in this case was shown only to users who had opted for a “free” version of the email service – paying subscribers did not receive this same advertisement.  Unfortunately, the CJEU declined to clarify whether consent for direct marketing could be tied with the provision of an email service, a common practice in some industry sectors, such as online media and news websites (a position which was supported in a decision of the Austrian Data Protection Authority in 2018, as discussed in our prior blog post here).  The CJEU remanded the case to the German court that originally referred it to the CJEU, to decide whether the consent obtained in this scenario meets the standard of the GDPR.

On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce its first reading position in early 2022, after which the Council and the Parliament will enter into negotiations with the goal of reaching an agreement on a final text for both acts.

The acts lay down rules for intermediary service providers (e.g., Internet access providers, cloud providers, search engines, social networks, and online marketplaces) covering areas such as:

  • liability of mere conduit, caching and hosting services;
  • content moderation;
  • transparency of services and electronic communications;
  • transparency of online advertising;
  • openness and interoperability of the services to businesses and consumers; and
  • fair competition between service providers.

If you like to receive an overview of the  draft DSA and DMA, as well as a short explanation of the sanctions regime in the event of a breach, please let us know.

Significantly, on November 18, the European Data Protection Board issued a related statement (see here).  In that statement, the Board identified three main lingering concerns with respect to the DSA: (1) lack of protection of individuals’ fundamental rights and freedoms; (2) fragmented supervision by competent regulatory authorities; and (3) the risk of inconsistencies between the DSA and EU data protection law.  The Council’s reactions to these recommendations have yet to be published.

We will continue to monitor and report on the legislative process of the DSA and DMA.