Privacy & Information Security Law Blog

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance.

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

On February 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a discussion paper on Comparison of U.S. State Privacy Laws: Data Protection Assessments. The paper analyzes the data protection assessment requirements set forth in an ever-growing number of comprehensive U.S. state privacy laws. The paper represents the first deliverable of CIPL’s ongoing project on U.S. state privacy laws, in which CIPL is collaborating with its member organizations to identify areas of alignment and divergence between state privacy laws. The paper also examines the compliance challenges organizations face as a result of the divergences, and provides recommendations to state law and policymakers who may be considering changes to existing laws or the introduction of new ones.

On February 21, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (“CIPL”) published a white paper on Building Accountable AI Programs: Mapping Emerging Best Practices to the CIPL Accountability Framework. The white paper showcases how 20 leading organizations are developing accountable AI programs and best practices.

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

On January 24, 2024, the European Commission announced that it had published the Commission Decision establishing the European AI Office (the “Decision”). The AI Office will be established within the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology, and subject to its annual management plan. The AI Office is not intended to affect the powers and competences of national competent authorities, and bodies, offices and agencies of the EU in the supervision of AI systems, as provided for by the forthcoming AI Act. The Decision details the functions and tasks of the AI Office, such as:

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

On February 16, 2024, the U.S. Department of Health and Human Services' Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance and recommendations for cybersecurity measures for HIPAA covered entities to consider in the development of their information security programs, a ...