Connecticut Strengthens Data Breach Notification Requirements and the Uniform Law Commission Approves and Recommends Comprehensive and Uniform State Privacy Legislation
In recent weeks, Connecticut passed An Act Concerning Data Privacy Breaches (“The Act”), and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”). With the growing patchwork of state data privacy laws continuing to pose challenges for compliance—and the potential for federal data privacy legislation at the forefront of policy debates—the UPDPA may provide state legislators with a path toward a standardized statutory scheme.
West Coast, East Coast, and Now Mountains, Too: Colorado Joins the Comprehensive State Privacy Law Club
With the U.S. Congress continuing to stymie federal omnibus privacy legislation, states have decidedly taken up the call. Most recently, on July 8, 2021, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA). With the signing of the CPA, which will largely go into effect on July 1, 2023, Colorado became the third state to enact comprehensive privacy legislation following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Other states have taken a more limited approach, most notably Nevada, which increased the scope of the right to opt out of personal data sales under its targeted privacy law.
Long-Awaited Online Safety Bill is Introduced by the UK Government to Combat “Harmful” Online Content
Two years after the UK Government first put forward its intention to introduce a new regime to address illegal and harmful content online, the UK Government published the Online Safety Bill (“Bill”) on 12 May 2021. The Bill imposes duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content (e.g., by minimising the spread of such content). The Bill also aims to ensure that users are able to express themselves freely online and requires platforms to consider the importance of freedom of expression when fulfilling their duties.
Federal Government Interest in Cyber Continues: Congressional Hearings on the Colonial Pipeline Cyberattack
On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.
European Commission Publishes Details of its Forthcoming Data Act
The European Commission has formally launched its legislative initiative aimed at increasing access to and further use of data, so that more public and private actors can benefit from technologies such as Big Data and machine learning. The Commission has published its inception impact assessment on the forthcoming Data Act, on which interested stakeholders can submit comments until 25 June 2021. In parallel, the Commission has launched a public consultation for the legislative initiative, to be conducted by an online questionnaire, with a deadline of 3 September 2021. Feedback will be taken into account for further development and fine tuning of the initiative to be tabled in Q3-Q4 2021.
EU Commission Invites Stakeholders Feedback on Draft AI Regulation
On April 26, 2021, the European Commission announced that its draft proposal for the new EU Artificial Intelligence Regulation (“Draft AI Regulation”) is currently indicated to be open for feedback until July 15, 2021.* The Draft AI Regulation was published on April 21. Please refer to our blog post here that provides an overview of the Draft AI Regulation and its potential impact.
EU Commission Issues Draft AI Regulation
On April 21, 2021, the European Commission (EC) issued its eagerly awaited draft proposal on the EU Artificial Intelligence Regulation (Draft AI Regulation) – the first formal legislative proposal regulating Artificial Intelligence (AI) on a standalone basis. The Draft AI Regulation is accompanied by a revision of the EU’s rules on machinery products, which lay down safety requirements for machinery products before being placed on the EU market. The new draft Machinery Products Regulation – proposed by the EU Commission on the same day – intends to tackle safety issues that arise in emerging technologies. The Draft AI Regulation (which appears to have borrowed a number of principles from existing EU legislation, including the EU General Data Protection Regulation 2016/679 (GDPR)) has an intentionally broad scope, and regulates the use of AI in accordance with the level of risk the AI system presents to fundamental human rights and other key values the EU adheres to. AI systems that are considered to present an “unacceptable” level of risk are banned from the EU, and “high-risk” systems are subject to strict requirements. AI systems which are considered to present a lower risk level are subject to transparency requirements or are not regulated at all. Companies engaged in the development, manufacturing, importation, distribution, servicing, and use of AI – irrespective of industry – should assess to what extent their products are implicated and how they will address any regulatory requirements they are subject to. The Draft AI Regulation foresees maximum administrative fines of up to €30m or 6% of total worldwide annual turnover in the event of non-compliance – meaning fines are higher than the ones under the GDPR.