The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2023

Alston & Bird

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

HHS and FTC Expanding Technology, Privacy, and Cybersecurity Divisions

The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) announced the expansion of operational areas of their organizations that are dedicated to the enforcement of laws and regulations related to technology, privacy, and cybersecurity. On February 17, 2023, the FTC announced the creation of a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.” On February 27, 2023, HHS announced the rebranding and reorganization of divisions within the Office for Civil Rights.

New NAIC Consumer Privacy Model Law Proposed for Insurers

On January 31, 2023, the National Association of Insurance Commissioners (NAIC) Privacy Protections Working Group released Insurance Consumer Privacy Protection Model Law #674 for comment. Model 674 is intended to modernize and replace the Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been widely adopted nationwide but are approximately 30 to 40 years old. Unlike its predecessors, Model 674 notably includes a safe harbor for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA). The proposed model law does not impact the reporting obligations for cybersecurity events set forth under Insurance Data Security Model Law #668.

Selected Global Privacy and Cybersecurity Updates

International Data Transfers: Lessons from the EDPS’s “101 Task Force”

In August 2020, privacy activist organization None of Your Business (NOYB) – European Center for Digital Rights filed 101 complaints with the EU supervisory authorities (SAs) in connection with the transfer of personal data from Europe to the United States by companies that implemented Google Analytics and Facebook Business Tools on their websites.

EU Supervisory Authorities Clarify Breach Notification Requirements

On April 4, 2023, the European Data Protection Board (EDPB), which is composed of representatives of the EU SAs and the European Data Protection Supervisor, published an updated version of the Working Party 29 Guidelines on personal data breach notification under the EU General Data Protection Regulation (GDPR). The EDPB initially endorsed the Working Party 29 Guidelines – without amendments – when the GDPR became applicable in May 2018. However, the EDPB reconsidered whether there was a need to clarify the GDPR’s breach notification requirements, in particular regarding personal data breaches suffered by controllers that do not have an establishment in the EU. The EDPB has therefore revised and updated the relevant section of the Guidelines, while the rest was left unaltered (save for editorial changes).

China’s Standard Contractual Clauses for Cross-Border Transfers of Personal Information

On February 24, 2023, the Cyberspace Administration of China released its final version of the Standard Contract Measures for Exporting Personal Information, accompanied by a template contract outlining the standard contractual clauses. The Standard Contract Measures are effective June 1, 2023; however, organizations transferring personal information outside China before June 1, 2023 will have a six-month grace period to comply with and enter into the standard contractual clauses with the overseas recipient.

The EU Supervisory Authorities’ Coordinated Enforcement Action in the EU: This Year It’s All About DPOs

On March 15, 2023, the EDPB along with 26 EU SAs officially launched a coordinated enforcement action, focusing on the designation of data protection officers (DPOs) under the EU GDPR, and the position that DPOs hold in the organizations that appoint them.

Written by:

Alston & Bird