Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider: Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

The Cyprus Presidency of the Council of the European Union has made clear its objective to achieve a general partial approach on certain articles of the new legislative package on data protection by December 2012, with a view to having the whole legislative package adopted in 2013 or early in 2014. 

The Cyprus Presidency has so far achieved agreement within the Justice and Home Affairs (JHA) Council (a body that brings together the justice and interior ministers of the EU Member States and whose remit includes civil protection) on three principal issues: (i) to avoid creating additional and disproportionate costs for small and medium-sized businesses, (ii) to implement a common set of data protection regulations for the private and public sector, with some flexibility for public-sector organizations and (iii) to limit the enhanced powers proposed in the new legislative package so that the EU Commission is not able to regulate through delegated acts without the approval of the European Parliament.

While the Cyprus Presidency has been praised by Viviane Reding, Vice President of the EU Commission, for supporting the new reform package, it is clear that there is still a lot of work to be done to bring the package into law.

For more information, see:



On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly from their vehicles and then selling that data to third parties.”  Further, the release states that “car manufacturers and the third parties to whom they sold data are being instructed to produce documents relevant to their conduct. . .[and] to produce documents showing the disclosures they made to customers about the extent of their data collection practices and subsequent sale of their customers’ data.”  This announcement follows an earlier news release from the Attorney General describing the launch of a data privacy and security initiative, which will enforce Texas’s privacy protection laws, including the Texas Data Privacy and Security Act that goes into effect on July 1.

On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data.  In particular, it generally requires that the processing either comply with one of the French Supervisory Authority’s (“CNIL”) standards (such as the méthodologies de référence or “MRs” – hereafter Health Data Standards”) or be specifically authorized by the CNIL. 

Since 2018, the CNIL has issued multiple Health Data Standards to cover a variety of processing activities, such as medical research and pharmacovigilance.  However, as technologies deployed in the health sector rapidly evolve, some of these standards have become outdated and fail to adequately meet industry practices and needs.  For instance, conducting a decentralized clinical trial is typically challenging under the current Health Data Standards, meaning that sponsors are often forced to pursue the more burdensome and time consuming CNIL authorization. 

The consultation questionnaire released by the CNIL is divided in five sections:

  • the Health Data Standards covering research activities;
  • the other Health Data Standards (e.g., on pharmacovigilance);
  • adaptation required because of the increasing use of AI;
  • specific documentation the CNIL could provide; and
  • participation to upcoming working groups – the CNIL encourages participants to identify any topics they consider as high priorities, in particular as the CNIL is considering setting up some working groups on high priorities.

The CNIL also used this opportunity to summarize its recommendations and best practices relating to three aspects of decentralized clinical trials.  These guidelines cover:

  • Electronic information notices (see here) – The CNIL highlights the importance of ensuring that the confidentiality of the data is sufficiently protected and identifies some security measures to that end.  For instance, where the notice contains direct or indirect health information about the individual, the CNIL considers that it may only be sent to a regular email address (as opposed to via a secure platform) provided that (i) the subject and text of the email do not include any sensitive data, (ii) the notice itself is shared as an encrypted attachment or via a password-protected link and (iii) the relevant encryption key or password is shared separately and via different means (e.g., by post);
  • Following-up and monitoring patients at home (see here) – The CNIL reminds sponsors how they can make such arrangements while still complying with the Health Data Standards (in particular where the sponsor relies on a third party);
  • Remote quality control (see here) – Sponsors who wish to engage in remote quality control currently cannot do so while relying on a Health Data Standard and need to obtain a specific authorization from the CNIL. However, the CNIL has compiled a list of best practices that, if complied with, would facilitate the authorization process.  Such best practices include transparency requirements, the consultation of the data protection officer, precautions concerning remote consultation and the professional secrecy of clinical research associates, and a list of security measures (including a requirement that the data be stored in the EU or an EU-adequate country).

These guidelines are only temporary, as the CNIL intends to better address these issues in the updated version of its Health Data Standards.  The consultation questionnaire thus also enables participants to comment on these guidelines.  In terms of timeline, the CNIL will analyze responses to this public consultation during Summer and Fall 2024.  Some updated Health Data Standards are expected in the course of 2025, starting with the ones identified as high priorities during the consultation. 

On May 9, 2024, the Italian data protection authority (“Garante”) published a decision identifying the safeguards that controllers must put in place when processing health data for medical research purposes, in cases where data subjects’ consent cannot be obtained for ethical or organizational reasons.

The Garante’s decision follows a recent legislative development, enacted by Law n. 56 of April 29, 2024, and effective as of May 1, 2024, which amended, among other things, Article 110 of the Italian Privacy Code.  The amendment removes the obligation to submit a research program and related data protection impact assessment (“DPIA”) for prior consultation to the Garante, in cases where it is impossible or disproportionately burdensome to contact the concerned individuals.  

We provide below an overview of the legal framework and the safeguards identified by the Garante.

Continue Reading Italian Legislator and Regulator Update Rules on Processing of Health Data for Medical Research

Last month, the Maryland legislature passed the Maryland Online Data Privacy Act (“MODPA”). Pending Governor’s signature, Maryland will become the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.

MODPA contains unique provisions that will require careful analysis to ensure compliance, including: data minimization requirements; restrictions on the collection, sale, or transfer of sensitive data; and consumer health data-related obligations.  These unique provisions have the potential to create additional work streams even for companies who have come into compliance for existing state laws.  This blog post summarizes the statute’s key takeaways.

Continue Reading The Maryland Online Data Privacy Act Set to Reshape the State Privacy Legislation Landscape with Stringent Requirements

On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law.  Nebraska is the latest state to enact comprehensive privacy legislation, joining CaliforniaVirginiaColoradoConnecticutUtahIowaIndiana, Tennessee, Montana, OregonTexasFloridaDelawareNew Jersey,  New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025.  This blog post summarizes the statute’s key takeaways.

Continue Reading Nebraska Enacts Nebraska Data Privacy Act

In March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  Although the text has not yet been formally adopted by all the European institutions, a number of interesting points can already be highlighted.  This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.

The final text of the EHDS was adopted by the European Parliament on 24 April 2024 and is expected to be formally adopted by the European Council in the coming months.

Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.

Continue Reading EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective

After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here).  The Provisions take effect immediately.  

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.

Continue Reading China Eases Restrictions on Cross-Border Data Flows