The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2024

Selected U.S. Privacy and Cyber Updates

CISA Posts Notice of Proposed Rulemaking Under CIRCIA

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA is required to issue a final rule by October 4, 2025. The NPRM was published in the Federal Register on April 4, 2024, and is open for public comment for 60 days, making the deadline to submit comments in early June 2024.

FTC Denies an Application to Add a New Verifiable Parental Consent Mechanism Under COPPA Rule Without Prejudice

On March 29, 2024, the Federal Trade Commission (FTC) published a unanimous decision to deny an application by the Entertainment Software Rating Board, Yoti, and SuperAwesome to add a new verifiable parental consent (VPC) mechanism under the Children’s Online Privacy Protection Rule (COPPA Rule). The application, which our previous blog post analyzed in more detail, requested that the FTC approve Yoti’s “Facial Age Estimation” technology as a valid method to obtain VPC.

More Guidance from HHS on Online Tracking Technologies, but Questions Remain

On March 18, 2024, the Department of Health and Human Services (HHS) released updated guidance on the use of online tracking technologies (like cookies, pixels, and software development kits (SDKs)) by HIPAA covered entities. The updated guidance amends and supersedes HHS’s original guidance on the use of digital tracking technologies published on December 1, 2022. The prior guidance sent shockwaves through the health care industry since its implicit core message seemed to be that health care as an industry could no longer digitally engage with customers in the same manner as other U.S. market participants. The prior guidance led many leading players to reevaluate their use of online tracking technologies on their websites and mobile apps; however, many felt the prior guidance left several open questions.

State AGs and Other Stakeholders Weigh In on Proposed COPPA Rule Update

The FTC received over 270 comments to its NPRM for the amendments to the COPPA Rule during the public comment period that ended on March 11, 2024. The NPRM reflects the FTC’s continued effort to modernize the COPPA Rule, which implements the Children’s Online Privacy Protection Act (COPPA) and regulates operators of websites and online services that collect personal information from children. Our previous advisory discusses notable proposals in the NPRM in more detail.

California Privacy Protection Agency Board Votes to Advance Proposed Regulations to Formal Rulemaking

On March 8, 2024, the California Privacy Protection Agency (CPPA) board voted to advance to formal rulemaking proposed regulations under the California Consumer Privacy Act covering risk assessments, automated decision-making technology, and certain updates to existing regulations. The formal rulemaking action will begin when the CPPA publishes a proposed action in the California Regulatory Notice Register. The CPPA will have one year to complete the rulemaking process and submit the completed rulemaking file to the California Office of Administrative Law.

Executive Order to Limit Sales of Americans’ Sensitive Data to Adversarial Foreign Governments

Peter Swire has co-authored a detailed article in Lawfare, “Limiting Data Broker Sales in the Name of U.S. National Security: Questions on Substance and Messaging,” analyzing the Biden Administration’s Executive Order issued on February 28, 2024. Swire’s article summarizes key aspects and impacts of the Executive Order, which is intended to prevent Americans’ sensitive data from being obtained in bulk by entities connected to “countries of concern,” expected to include China, Russia, Iran, North Korea, Cuba, and Venezuela.

White House Executive Order to Regulate Transactions Involving Sensitive Personal Data of Americans

On February 28, 2024, the White House announced that President Biden will sign an Executive Order designed to protect sensitive data of U.S. persons from exploitation by identified countries of concern. This Executive Order is expected to be published later today and to direct the Department of Justice (DOJ) to issue regulations designed to address transactions that involve U.S. persons’ bulk sensitive personal data and countries of concern. The DOJ has announced that it will issue an advance notice of proposed rulemaking followed by an NPRM and has stated that “companies and individuals will be required to comply with the regulations only after the final rule becomes effective.”

FBI and CISA Warn of Chinese Cyberattacks on U.S. Critical Infrastructure

There has been a surge in alerts and warnings of cyberattacks by People’s Republic of China (PRC) state-sponsored threat actors on U.S. critical infrastructure. On February 7, 2024, the Federal Bureau of Investigation (FBI), CISA, and the National Security Agency, together with their counterparts in Australia, Canada, and the United Kingdom, issued an advisory warning governmental organizations that Chinese cyber actors are poised to disrupt critical infrastructure, such as water-treatment plants, electric grids, oil and natural gas pipelines, and transportation systems. This comes on the heels of FBI Director Christopher Wray, CISA Director Jen Easterly, and U.S. Cyber Command Army General Paul Nakasone testifying to Congress on increased cyberattacks by PRC-sponsored hackers on U.S. critical infrastructure.

Declassified Intelligence Community Letters Highlight Importance of Monitoring Outbound Data Flows

On January 25, 2024, Senator Ron Wyden (D-OR) released documents that confirm U.S. intelligence agencies are purchasing location and other sensitive personal information from data brokers without the consent of the data subjects. The FTC has recently gone after data brokers who collect and sell the sensitive location data of consumers without their express consent, but intelligence agencies purchase information from these data brokers that they would otherwise need a warrant to obtain. Businesses must be mindful of where their sensitive consumer data is going and protect themselves from the risks of allowing this data to end up in the hands of these data brokers without strong agreements.

California Court of Appeal Paves the Way for Enforcement of California Privacy Rights Act Regulations

On February 9, 2024, a California state court of appeal mandated a trial court to vacate its order and judgment prohibiting the CPPA from enforcing the California Privacy Rights Act (CPRA) regulations until March 29, 2024. The CPPA will be able to enforce the CPRA regulations once the trial court vacates its order and judgment.

Selected Global Privacy and Cybersecurity Updates

China Releases Updated Regulations on Permits Needed for Transferring Data out of China

On March 22, 2024, the Cyberspace Administration of China published the Regulations on Promoting and Regulating Cross-border Data Flow, effective immediately. The regulations supplement China data protection laws (the Cybersecurity Law, Data Security Law, and Personal Information Protection Law) and take precedence over previously issued data transfer rules, such as the Measures for the Security Assessment of Outbound Data Transfer (effective September 1, 2022) and the Guidelines for Filing the Standard Contract for Outbound Transfer of Personal Information (effective June 1, 2023).

European Parliament Approves EU Artificial Intelligence Act

On March 13, 2024, the European Parliament approved the much-anticipated European Union (EU) Artificial Intelligence Act (AI Act). The AI Act is billed as the first comprehensive legal framework worldwide that specifically regulates AI systems. It will impose obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems. Like the EU General Data Protection Regulation (GDPR) before it, the AI Act has explicit extraterritorial effect, which means that – under certain conditions – even companies without a physical presence in the EU may be subject to the AI Act.

CBDF Research Fellow Théodore Christakis Publishes Study on Cross-Border Data Transfers and the EU’s ‘Zero Risk’ Approach

Théodore Christakis, professor of international law at Université Grenoble Alpes and senior fellow and director of research for Europe at the Cross-Border Data Forum, has published a new comprehensive analysis on cross-border transfers of personal data and the EU’s data protection authorities’ “Zero Risk” theory developed since the Court of Justice of the EU’s Schrems II judgment. Christakis looks at how controllers and processors transferring personal data outside the EU have been asked by data protection authorities (DPAs) around the EU to guarantee no access to EU personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law. The study also analyzes in detail the positions of EU DPAs and courts concerning protections from extraterritorial access by foreign governments to data localized in Europe as well as the “immunity from foreign laws” requirement proposed within the context of the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird