U.S. Government Issues Warning of Threat Against U.S. Critical Infrastructure

On February 25, 2022, in light of Russia’s attack on Ukraine, and months of continuing Russian state-sponsored cyberattacks on Ukrainian government and critical infrastructure organizations, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning to American critical infrastructure organizations and businesses, stating that “[e]very organization—large and small—must be prepared to respond to disruptive cyber activity.”  While the guidance states that there are no specific, credible cyber threats directed at the United States, it notes that Russian threat actors have been orchestrating denial of service and destructive malware attacks affecting Ukraine and its neighboring countries, and that such activities may spread to the United States and its NATO allies in what is a rapidly evolving scenario. (more…)

California Privacy Agency: CPRA Regs Not Likely Until Late 2022

Final regulations implementing the California Privacy Rights Act (CPRA) may not be issued until Q3 or Q4 2022, as reported by Executive Director Soltani of the California Privacy Protection Agency (“CalPPA”) at its February 17th Board meeting.  This means that businesses subject to CPRA will not have regulatory guidance on how to implement the CPRA until just months, or possibly weeks, before the law goes into effect on January 1, 2023, assuming the regulations are finalized before the effective date.  This is a significant departure from the CPRA’s stated timeline of July 1, 2022 for the adoption of final regulations.  While enforcement under CPRA cannot begin until July 1, 2023, and at that time enforcement can only address violations alleged to have occurred on or after that date, businesses are not well-served by the prospect of implementing the significant regulations required by the CPRA in half the statutorily allotted time. (more…)

Building AI and Machine Learning Technologies: Data Licensing Tips and Traps

Data is the fuel for software development, and developers use historical data from existing products to train algorithms and build AI and machine learning models. Companies are well aware of privacy and regulatory restrictions on data use, but often do not consider the potential impact of data use restrictions on intellectual property ownership and use rights. (more…)

SEC Chair: Sweeping New Cybersecurity Rules Are Coming Soon

On Monday, January 24, 2022, in a speech at the Northwestern University Pritzker School of Law annual Securities Regulation Institute conference, Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), announced that he has asked SEC staff to provide sweeping rulemaking recommendations to modernize and expand the agency’s rules relating to cybersecurity.1 Stressing that cybersecurity is a matter of national security, Chair Gensler signaled that new guidance or proposed rules would enhance or expand public company cybersecurity programs and risk disclosures; cybersecurity program requirements and breach notification obligations for SEC regulated entities under Reg S-P; and the scope of registrants covered under Regulation Systems Compliance and Integrity (Reg SCI). He also signaled the SEC’s continued focus on enforcement and cooperation with other law enforcement agencies.2 (more…)

The UK’s Competition and Markets Authority’s Music Streaming Market Study

1. What has the Competition and Markets Authority (CMA) announced?

On January 27, The UK’s competition regulator, the CMA, has formally launched a market study into music streaming; see its Market Study Notice.

The market study will look at whether competition in the music streaming value chain is working well for consumers. It will focus on three key areas: competition among music companies; competition among music streaming services; and the impact on competition of agreements between music companies and music streaming services. (more…)

5 Key European Data Protection Trends for 2022

It seems there will be a packed agenda for EU and UK data protection this coming year. We set out below the 5 hot topics to watch in 2022 including expected legislative reforms, the most interesting cases to follow, and areas which are expected to continue to receive regulatory attention. (more…)

Uniform Law Commission Proposes “Reasonable” Uniform Personal Data Protection Act for State-by-State Adoption as Federal Privacy Bills Languish

Introduction

As data breaches become more common, increased public attention on privacy has led to a flurry of state-level activity on the issue. With a federal privacy bill languishing in Congress, the states have taken the lead. California, Colorado, and Virginia have all passed comprehensive privacy laws in the past three years. In 2021, an additional twenty-one states considered a comprehensive privacy bill.

Considering the serious risk of fragmentation that could arise from dozens of distinct privacy statutes, the Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”). The Uniform Law Commission’s model bills, such as the Uniform Commercial Code, are often influential in the development of state laws.  The UPDPA will be available for states’ 2022 legislative sessions, with a bill having already been introduced in the District of Columbia.

If adopted, the UPDPA offers a more business-friendly framework than many of the existing and proposed state privacy laws. (more…)

EU Council Publishes Changes to Artificial Intelligence Act Proposal

On 29 November 2021, the Slovenian Presidency (the “Presidency”) of the European Council published its compromise text (“Compromise Text”) on the European Union’s (“EU”) draft Artificial Intelligence Act (“AI Act” or “Act”) alongside a progress report on the Act. While the overall structure of the AI Act and many of its key provisions (including, those relating to potential fines for non-compliance), remain the same, there are some significant proposed changes to the Act which we have noted below including, for example, a new Article on general purpose AI systems. (more…)

FTC Announces it May Pursue Rulemaking to Combat Discrimination in AI

On December 10, the Federal Trade Commission (FTC) announced it is considering a rulemaking on commercial Artificial Intelligence (AI). The purpose of the rulemaking, according to an advanced notice of proposed rulemaking (ANPRM) titled “Trade Regulation in Commercial Surveillance,” would be “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

While not formally part of the rulemaking process mandated by the Administrative Procedure Act, advanced notices allow agencies to solicit public comment before drafting more specific proposals. The FTC has not yet issued privacy or artificial intelligence rules, though it has indicated that such rulemaking is on the horizon.  The December 10 ANPRM is another signal that the FTC is gearing up to develop substantive privacy guidelines. (more…)

SEC Announces Long-Awaited Updates to Broker-Dealer Recordkeeping Requirements

In a much anticipated (and, to many, long overdue) release published in mid-November, the U.S. Securities and Exchange Commission (SEC) proposed to update its decades-old recordkeeping requirements for broker-dealers to, among other things, allow for electronic records to be retained in a manner other than “exclusively in a non-rewriteable, non-erasable format” (aka write once, read many, or WORM). The proposal would allow electronic records to be retained, as an alternative to WORM, using an audit-trail methodology.

(more…)