The UK’s Competition and Markets Authority’s Music Streaming Market Study
1. What has the Competition and Markets Authority (CMA) announced?
On January 27, The UK’s competition regulator, the CMA, has formally launched a market study into music streaming; see its Market Study Notice.
The market study will look at whether competition in the music streaming value chain is working well for consumers. It will focus on three key areas: competition among music companies; competition among music streaming services; and the impact on competition of agreements between music companies and music streaming services. (more…)
5 Key European Data Protection Trends for 2022
It seems there will be a packed agenda for EU and UK data protection this coming year. We set out below the 5 hot topics to watch in 2022 including expected legislative reforms, the most interesting cases to follow, and areas which are expected to continue to receive regulatory attention. (more…)
Uniform Law Commission Proposes “Reasonable” Uniform Personal Data Protection Act for State-by-State Adoption as Federal Privacy Bills Languish
Introduction
As data breaches become more common, increased public attention on privacy has led to a flurry of state-level activity on the issue. With a federal privacy bill languishing in Congress, the states have taken the lead. California, Colorado, and Virginia have all passed comprehensive privacy laws in the past three years. In 2021, an additional twenty-one states considered a comprehensive privacy bill.
Considering the serious risk of fragmentation that could arise from dozens of distinct privacy statutes, the Uniform Law Commission has proposed a model bill – the Uniform Personal Data Protection Act (“UPDPA”). The Uniform Law Commission’s model bills, such as the Uniform Commercial Code, are often influential in the development of state laws. The UPDPA will be available for states’ 2022 legislative sessions, with a bill having already been introduced in the District of Columbia.
If adopted, the UPDPA offers a more business-friendly framework than many of the existing and proposed state privacy laws. (more…)
EU Council Publishes Changes to Artificial Intelligence Act Proposal
On 29 November 2021, the Slovenian Presidency (the “Presidency”) of the European Council published its compromise text (“Compromise Text”) on the European Union’s (“EU”) draft Artificial Intelligence Act (“AI Act” or “Act”) alongside a progress report on the Act. While the overall structure of the AI Act and many of its key provisions (including, those relating to potential fines for non-compliance), remain the same, there are some significant proposed changes to the Act which we have noted below including, for example, a new Article on general purpose AI systems. (more…)
FTC Announces it May Pursue Rulemaking to Combat Discrimination in AI
On December 10, the Federal Trade Commission (FTC) announced it is considering a rulemaking on commercial Artificial Intelligence (AI). The purpose of the rulemaking, according to an advanced notice of proposed rulemaking (ANPRM) titled “Trade Regulation in Commercial Surveillance,” would be “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”
While not formally part of the rulemaking process mandated by the Administrative Procedure Act, advanced notices allow agencies to solicit public comment before drafting more specific proposals. The FTC has not yet issued privacy or artificial intelligence rules, though it has indicated that such rulemaking is on the horizon. The December 10 ANPRM is another signal that the FTC is gearing up to develop substantive privacy guidelines. (more…)
SEC Announces Long-Awaited Updates to Broker-Dealer Recordkeeping Requirements
In a much anticipated (and, to many, long overdue) release published in mid-November, the U.S. Securities and Exchange Commission (SEC) proposed to update its decades-old recordkeeping requirements for broker-dealers to, among other things, allow for electronic records to be retained in a manner other than “exclusively in a non-rewriteable, non-erasable format” (aka write once, read many, or WORM). The proposal would allow electronic records to be retained, as an alternative to WORM, using an audit-trail methodology.
Meru Data Podcast Features Sidley Associate Lauren Kitces
Sidley associate Lauren Kitces was featured on Simplify For Success, a podcast series presented by Meru Data and hosted by Priya Keshav. The discussion covered upcoming U.S. privacy laws and key considerations for organizations as they prepare for these laws. (more…)
A Software Primer For Attorneys After Cyber Executive Order
When President Joe Biden issued his major cybersecurity executive order on May 12, a White House press briefing said the order would invoke:
“the power of federal procurement to say, “If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.” (more…)
European General Court Judgment in Google Shopping: Key Takeaways
On November 10, 2021, the European General Court (Court) issued its judgment in Case T-612/17 Google and Alphabet v Commission (Google Shopping).
The Court dismissed almost in its entirety the action brought by Google and Alphabet against the decision by the European Commission (Commission) of June 27, 2017, which found that Google had abused its dominant market position by favoring its own comparison shopping service (CSS) on its general results pages while demoting the results from competing CSSs. The Court also upheld the fine of €2.42 billion imposed on Google by the Commission. The judgment can be appealed to the Court of Justice of the European Union (CJEU). (more…)
U.S. Federal Bank Regulators Require Notifications For Material Cybersecurity Incidents
On November 18, 2021, a group of federal bank regulators announced a final rule requiring banks to notify their primary federal regulator of any “significant computer-security incidents.” Regulators must be notified no later than 36 hours after the bank has determined that the incident triggers the rule’s notification requirement. Further, bank service providers are now required to promptly notify all affected banks whenever a cybersecurity disruption lasts for four or more hours. (more…)