Colorado’s new privacy law: How it stacks up against other US privacy laws

Companies that already comply with the GDPR and similar US state laws will have a substantial head start on the Colorado Privacy Act. Recognizing the key differences will allow an organization with a well-designed compliance program to accommodate all of these laws efficiently.

  • The law gives consumers the right to opt out of targeted advertising, data sales and profiling, and requires businesses to honor a universal opt-out mechanism.
  • The Colorado law places new obligations on businesses not already subject to federal privacy laws.
  • Enhanced enforcement mechanisms make implementing a robust compliance program even more important.

Once more out of the breach: SCOTUS resolves the CFAA circuit split

The United States Supreme Court took a narrow view of what the Computer Fraud and Abuse Act (the federal anti-hacking act) prohibits.

  • SCOTUS ruled last week that the CFAA’s “exceeds authorized access” clause does not reach people who have authorized access to a computer but use that access for a prohibited purpose.
  • The ruling will likely be celebrated by cybersecurity practitioners but may prompt legislative reform from Congress.
  • Given the Department of Justice’s increasing focus on combatting cybercrime, staying abreast of developments in data protection will be ever more important in the coming months.

US House AI Task Force is the latest authority to address algorithms and racism

On May 7, 2021, the US House of Representatives’ Task Force on Artificial Intelligence (AI) held a hearing on “Equitable Algorithms: How Human-Centered AI Can Address Systemic Racism and Racial Justice in Housing and Financial Services.” It was the latest of several federal, state and international government initiatives calling for fair, transparent and accountable AI in the financial and consumer sectors, and urging all AI actors to address inequitable outcomes. The hearing focused on ways the public and private sectors can use AI to address systemic racism and improve fairness. Among the views expressed:

  • AI and machine learning (ML) models can improve efficiencies, help to tackle critical societal problems and reduce costs, but they can also introduce risks of amplified bias.
  • AI and ML models can be particularly problematic because they often lack explainability and transparency, especially when models are trained on biased data sets, engineers are not trained to recognize red flags, and regulators are not equipped to evaluate them.
  • US regulatory frameworks need to keep pace with AI/ML developments, including methodologies for testing AI models for discrimination, while finding ways to use AI to improve outcomes through innovation. New federal legislation may be needed.
  • AI actors should expect more US governmental initiatives, including enforcement actions, aimed at regulating inequitable outcomes in AI and ML models.

Vaccinations in the Workplace: The Privacy Conundrum

COVID-19 vaccines are now widely available, signaling an eventual return to work. That is certainly welcome news for employees and employers alike, but employers are finding themselves in an unprecedented quandary—whether they can condition workforce re-entry on proof of employee vaccinations. The Equal Employment Opportunity Commission (EEOC) and state legislatures have generally green-lighted employer vaccination programs, so long as employers comply with other statutory and contractual (such as union) considerations. For example, New York employers are required to provide up to four paid hours off to receive a COVID-19 vaccine. Beyond these considerations, however, privacy laws present an additional challenge as to how employers can collect, maintain and use proof of vaccinations.

Given the lack of a federal privacy law applicable to employees and the proliferation of privacy laws around the world, employers with personnel in multiple locations will likely find there is no one-size-fits-all solution. In their article for the New York Law Journal, Eversheds Sutherland attorneys Michael Bahar, Frank Nolan and Deepa Menon discuss how common approaches can smooth the way for a successful vaccination and return-to-work campaign in New York and in many, if not most, other jurisdictions.

Getting back when HACT: Congress’s idea to provide redress to recent cyberattacks

Amidst the ever-worsening onslaught of cyberattacks, companies are longing to go on the offensive, whether by “hacking-back” or by going after malicious actors in US courts. While Congress has previously refused to enable the former, it now appears more open to the latter, particularly with the introduction of the Homeland and Cyber Threat Act (the HACT Act):

  • The HACT Act, if passed, risks opening the doors to suits against the US Government, while the likelihood of success against foreign governments for cyberattacks in US courts will remain small.
  • The Supreme Court earlier this year recognized the peril in amending the Foreign Sovereign Immunities Act (FSIA), which permits a foreign government to be sued in US courts only in limited circumstances.
  • Private companies remain better off shoring up defenses rather than planning to go on the offensive, either through hacking back or through vindicating past attacks in court.

Your quarterly privacy & cybersecurity update

Welcome to the tenth edition of Updata!

Updata is our US and international update on the most important privacy and cybersecurity regulatory and legislative developments from the past quarter, October to December 2020.

Full of newsworthy items from our global team members, this edition includes updates on:

  • COVID testing and remote-working guidance across multiple jurisdictions;
  • increased privacy enforcement action and litigation across many jurisdictions;
  • California voters’ approval of sweeping amendments to the California Consumer Privacy Act;
  • the SolarWinds hack, including the New York Department of Financial Services’ requirement to report on its effects;
  • the CJEU’s judgment in the much-anticipated Privacy International case concerning the mass use of surveillance technologies;
  • the Schrems II decision (which invalidated the EU-US Privacy Shield and requires additional due diligence before relying on the Standard Contractual Clauses), which continues to feature prominently, and the EDPB’s recommendations published for consultation in response;
  • the European Commission’s updated drafts of both the SCCs and the controller-processor terms;
  • the Hong Kong Monetary Authority’s launch of the enhanced Cybersecurity Fortification Initiative 2.0;
  • China’s release of the full text of its draft Personal Information Protection Law.

We hope you enjoy reading this edition. Follow us on Twitter @ESPrivacyLaw.

Virginia is for lovers (of privacy)—The Consumer Data Protection Act passes into law

On March 2, 2021, Governor Northam signed the Virginia Consumer Data Protection Act (CDPA), making Virginia the second state, after California, with an enhanced consumer privacy law. It will likely not be the last.

  • Set to take effect on January 1, 2023, the CDPA requires businesses to make significant enhancements to their privacy policies and to provide covered consumers with substantial rights.  
  • Many obligations and rights are similar—but not necessarily identical—to those required by other enhanced privacy laws like the California Consumer Privacy Act (CCPA) or Europe’s General Data Protection Regulation (GDPR).
  • While there is no private right of action, regulatory enforcement penalties can be high.

2021 Foresight: Key lessons from 2020 to help navigate the future of cybersecurity and data privacy

When it comes to privacy and cybersecurity, the uncertainty and volatility of 2020 will not soon relent — but neither will its invaluable lessons.

In this article for Thomson Reuters, Partners Michael Bahar and Paula Barrett look back on the tumult of 2020 and reveal five key lessons to help manage the inevitable uncertainty and volatility going forward, and emerge stronger and more resilient.

The ePrivacy Regulation

Europe’s movement to replace the 2002 ePrivacy Directive with a new ePrivacy Regulation picks up steam, signaling the potential need for US companies to add further privacy protections over electronic communications that may reach users in the EU. 

  • What’s the significance? If agreed to, the ePrivacy Regulation will repeal the 2002 ePrivacy Directive and update existing rules on the protection of privacy and confidentiality in the use of electronic communication services.
  • Does this apply to me? The ePrivacy Regulation will apply when end-users are in the EU regardless of where the processing of the electronic communications data takes place, opening the door to enforcement against US companies for actions originating outside of the EU.
  • What’s next? The ePrivacy Regulation now moves on to negotiations between the Council of the EU and the European Parliament. Those negotiations will take some time; once the text is adopted, the current draft provides for it to enter into force 20 days after publication in the Official Journal, with its obligations applying only after a further transition period.

Standard Contractual Clauses and EDPB Recommendations

The European Data Protection Board (EDPB), a collective of representatives from European data privacy regulators, published important recommendations on the Schrems II judgment, the seismic European decision that invalidated the EU-US Privacy Shield and called into question the continuing viability of personal data transfers from the EU and UK to third countries, particularly the US. 

The Recommendations provide a useful tool to assess the legality of cross border transfers, and they hold out the prospect for a more uniform approach among EU regulators (even potentially for the UK post-Brexit), but they embrace a restrictive approach on data transfers to the US, which multinational companies will need to address.

In this article for Bloomberg Law, attorneys Michael Bahar, Lorna Doggett and Tanvi Shah discuss the legal framework and pitfalls surrounding cross-border data transfers, and how best to strategically navigate them.