DORA – ESAs Publish Draft Technical Standards on ICT Subcontracting

On 26 July 2024, the European Supervisory Authorities (EBA, EIOPA and ESMA, collectively, the “ESAs”) published their joint final report on the draft Regulatory Technical Standards (“RTS”) specifying the elements that a financial entity should determine and assess when subcontracting ICT services supporting critical or important functions under Article 30(5) of the Digital Operational Resilience Act (“DORA”). The RTS are intended to assist with the enhancement of the digital operational resilience of the financial services sector by improving in-scope entities’ ICT risk management, specifically with respect to the issue of ICT subcontracting.

EU Governments Sign off on Proposed Reforms to GDPR Procedural Rules and Council Reaches Common Member States’ Position

On 24 May 2024, the Council of the European Union (the “Council”) released new details of a proposed reform of the General Data Protection Regulation’s (“GDPR”) procedural rules, which representatives of EU national governments approved on 29 May 2024. On 13 June 2024, the Council issued a press release detailing its agreed common Member States’ position that maintains the general thrust of the original proposed reforms, but which seeks to: (i) introduce clearer timelines; (ii) improve efficiency of cooperation; and (iii) provide an early resolution mechanism.

One Step Closer: AI Act Approved by Council of the EU

On 21 May 2024, the Council of the European Union approved the EU Artificial Intelligence Act (the “AI Act”). This is the final stage in the legislative process and comes after the EU Parliament voted to adopt the legislation on 13 March 2024. This final vote clears the path for the formal signing of the legislation and its publication in the Official Journal of the EU in the coming weeks. The AI Act will then enter into force 20 days after such publication with staggered transition periods of 6 to 36 months.

U.S. SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Amendments Adopted

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to its Regulation S-P. These final amendments impose significant cybersecurity requirements for several SEC-registered entities and transfer agents registered with another appropriate regulatory agency, including with respect to these entities’ policies and procedures, incident response and notification procedures, and cybersecurity risk management.

ICO Publishes Its Strategic Approach to Regulating AI

On 30 April 2024, the UK’s Information Commissioner’s Office (“ICO”) published its strategic approach to regulating artificial intelligence (“AI”) (the “Strategy”), following the UK government’s request that key regulators set out their approach to AI regulation and compliance with the UK government’s previous AI White Paper (see our previous blog post here). In its Strategy, the ICO sets out: (i) the opportunities and risks of AI; (ii) the role of data protection law; (iii) its work on AI; (iv) upcoming developments; and (v) its collaboration with other regulators. The publication of the ICO’s Strategy follows the recent publication of the Financial Conduct Authority’s (“FCA”) approach to regulating AI.

EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”), i.e., connected products such as smart devices and remote data processing solutions, are resilient against cyber threats and provide key information about their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity

The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on “Software Security by Design,” a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development,” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.

EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.

FTC Proposes Significant and Sweeping Changes to COPPA and Requests Public Comment

On January 11, 2024, the Federal Trade Commission (“FTC”) published its Notice of Proposed Rule Making (“NPRM”) seeking to update the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule in the Federal Register. Among other things, the proposed changes would require more granular privacy notices, require fairly detailed identification of, and parental consent to, third-party data sharing (including targeted advertising), expand the scope of personal information subject to COPPA, make it easier for parents to provide consent via text message, clarify various requirements around EdTech, including school authorization for parental consent, and impose significant new programmatic information security and data retention requirements.

New Know-Your-Customer and Reporting Rules Proposed for Cloud Providers: Five Key Takeaways

Last week, the U.S. Department of Commerce published a notice of proposed rulemaking (NPRM) implementing Executive Orders (EO) 13984 and 14110 to prevent “foreign malicious cyber actors” from accessing U.S. infrastructure as a service products (IaaS Rule). The IaaS Rule seeks to strengthen the U.S. government’s ability to track “foreign malicious cyber actors” who have relied on U.S. IaaS products to steal intellectual property and sensitive data, engage in espionage activities, and threaten national security by attacking critical infrastructure.