UK ICO Scrutinizes Use of Generative AI

Following the EU’s increased focus on generative AI with the inclusion of foundation and generative AI in the latest text of the EU AI Act (see our post here), the UK now also follows suit, with the UK’s Information Commissioner’s Office (“ICO”) communicating on 15 June 2023 its intention to “review key businesses’ use of generative AI.” The ICO warned businesses not to be “blind to AI risks” especially in a “rush to see opportunity” with generative AI. Generative AI is capable of generating content e.g., complex text, images, audio or video, etc. and is viewed as involving more risk than other AI models because of its ability to be used across different sectors (e.g., law enforcement, immigration, employment, insurance and health), and so have a greater impact across society – including in relation to vulnerable groups.

(more…)

AI and the Role of the Board of Directors

Artificial intelligence (AI) has the capacity to disrupt entire industries, with implications for corporate strategy and risk, stakeholder relationships, and compliance that require the attention of the board of directors.

(more…)

U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date

On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.

(more…)

U.S. Congressional Leaders Introduce Two Landmark Bills to Create a Digital Assets Regulatory Scheme

This week, two committees in the House of Representatives will mark up legislation intended to clarify the regulatory framework applicable to digital assets in the United States. Earlier this month, leaders in the U.S. Senate also introduced legislation to establish a comprehensive and unified regulatory scheme for digital assets and digital asset derivatives.1 Both the House and Senate bills seek to integrate the regulation of digital assets and digital asset derivatives into the existing U.S. regulatory framework — primarily that of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) — rather than create a standalone framework, but both bills face significant barriers to enactment.

(more…)

Webinar Recording: The Finalization of the EU-U.S. Data Privacy Framework

On July 13, Sidley and OneTrust DataGuidance hosted a webinar titled “The Finalization of the EU-U.S. Data Privacy Framework.” The discussion with key players in international data transfers included topics such as significant points and implications of the European Commission Adequacy Decision for the Data Privacy Framework, what organizations should know about the Framework’s Principles, consideration of factors and logistics for signing up for the Framework (including interplay with current Privacy Shield membership), next steps in the EU and UK processes, and other internal data transfer developments, including adequacy decision for the UK-U.S. Data Bridge.

(more…)

Cybersecurity and Environmental Fraud Top Priorities of U.S. Commodity Futures Trading Commission Division of Enforcement

Just before Americans began their Fourth of July holiday, the U.S. Commodity Futures Trading Commission (CFTC) Division of Enforcement Director announced that the division has established two key task forces: the Cybersecurity and Emerging Technologies and the Environmental Fraud Task Force.1 Both task forces will be staffed with attorneys and investigators across the Division of Enforcement with the goal of serving as subject matter experts and prosecuting cases. As a result, CFTC registrants should be prepared for heightened focus on cybersecurity and environmental fraud, particularly in the derivatives and relevant spot markets.

(more…)

FTC’s New Biometric Policy Statement Articulates New Governance Standards and an Expansive View of Biometric Data

On May 18, 2023, the Federal Trade Commission (“FTC”) issued its 2023 Policy Statement on Biometric Information and Section 5 of the FTC Act (the “Policy Statement”) describing the agency’s concerns about these fast-proliferating technologies and articulating a set of compliance obligations for businesses that develop or use biometric technologies.  To address potential risks of bias, discrimination, and security associated with the collection or use of biometric information, the FTC wants businesses to, among other things, conduct pre-release risk assessments evaluating the potential for bias and other potential consumer harms, assess these risks on an ongoing basis, and evaluate and potentially audit third parties with access to a business’s biometric data.

(more…)

EU-U.S. Adequacy Once Again

On July 10, 2023, the European Commission issued its Final Implementing Decision granting the U.S. adequacy (“Adequacy Decision”) with respect to companies that subscribe to the EU-U.S. Data Privacy Framework (“DPF”).

(more…)

The Finalization of the EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission published its final Adequacy Decision for EU-U.S. data transfers. The draft decision reflects the multi-year coordination between the EU and U.S. to identify and implement a lasting solution to facilitate international data transfers following the Court of Justice of the European Union’s judgment in Schrems II. The EU’s adequacy decision determines that the U.S., through the newly created EU-U.S. Data Privacy Framework, provides comparable safeguards to those of the EU and ensures an adequate level of protection for personal data transferred from the EU to certified organizations in the U.S.

(more…)

Hong Kong New PCPD Guidance on Handling Data Breaches

On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.

(more…)