There has been much scrutiny of artificial intelligence tools this year. From NIST to the FTC to the EU Parliament, many have recommendations and requirements for companies that want to use AI tools. Key concerns include being transparent about the use of the tools, ensuring accuracy, not discriminating against individuals when using AI technologies, and not using the technologies in situations where they may not give reliable results (i.e., for things for which…
Throughout 2020 we saw many enforcement actions brought by EU and U.S. regulators. Whether for allegations of deception (misleading privacy representations) or unfairness (failure to protect information), COVID did not appear to slow down regulatory action. Laws that many companies forget about, or don’t know as well, were enforced by regulators, as well as through class action lawsuits. This included the Children’s Online Privacy Protection Act, Illinois’s Biometric Information Privacy Act,…
Throughout 2020, companies have been negotiating with their business partners the issue of “selling” under CCPA. Is the partner a service provider? A third party? Is there an exchange of consideration? These issues will not likely go away in 2021, especially as we turn to addressing the CCPA modification, CPRA.…
As 2020 comes to a close, we take this opportunity to look back at some of the more significant developments that we discussed in the blog this year. The first is the EU Court of Justice’s Schrems II decision, finding that the EU-U.S. Privacy Shield was not a valid mechanism for transferring personal data from the EU to the U.S. Related decisions came out of Switzerland and Israel.…
As 2020 draws to a close and we approach CCPA’s first birthday, the regulations continue to remain very much in “infant” mode. On December 10, 2020, the California Attorney General released a fourth set of proposed regulations. This is the second set of proposed changes released since the regulations went into effect in August 2020. Companies have until December 28, 2020 to submit comments to the AG on the modifications.…
Apple has launched, in connection with other privacy changes in iOS 14, a requirement for privacy “nutrition labels.” The labels are required for new and existing apps, and are in addition to the existing requirement of linking to the company’s long-form privacy policy. Apple will automatically generate the label based on the company’s answers to its online questionnaire. Apple is requiring companies to explain what information they, and third-party partners, collect. Answers will be…
One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US is standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has caused some confusion and concern, as the clauses predate GDPR and…
The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US.…
NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the…
By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it. Further, no new private right of action will be added by CPRA. The substantive provisions of CPRA…