Privacy & Information Security Law Blog

On July 25, 2023, Hunton published a client alert discussing the importance of cyber and directors and officers (“D&O”) liability insurance for companies and their executives to guard against cyber-related exposures. In today’s ever-changing threat landscape, all organizations are at risk of damaging cyber incidents and resulting investigations and lawsuits, underscoring the importance of utilizing all tools in a company’s risk mitigation toolkit, including insurance, to address these exposures. 

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted long-anticipated disclosure rules for public companies by a 3-2 party-line vote. The final rules apply both to U.S. domestic public companies, as well as any offshore company that qualifies as a “foreign private issuer” under SEC rules due to a strong nexus to the U.S. capital markets. The new rules are effective as soon as December 18, 2023, as detailed further below.

On July 10, 2023, California Governor Newsom signed into law A.B. 127, which places the working group for the California Age-Appropriate Design Code Act (the “Act”) under the California Office of the Attorney General. The Act creates a working group, formally named the California Children’s Data Protection Working Group, to produce a report on recommendations for best practices concerning children’s access to online services. Under A.B. 127, the deadline for the first report from the working group will be pushed back from January 1, 2024, to July 1, 2024, and the working group will be required to consist of only nine members, instead of the original 10-member requirement.

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

On June 30, 2023, the Delaware House of Representatives passed the Delaware Personal Data Privacy Act (H.B. 154) (the “DPDPA”), a day after the Delaware Senate passed the legislation. The DPDPA heads to Governor John Carney for a final signature. This could make Delaware the 13th U.S. state to enact comprehensive privacy legislation.

Pablo A. Palazzi from Allende & Brea in Argentina reports that on June 30, 2023, the Argentine Executive Branch sent the new proposed Personal Data Protection Bill (the “Bill”) to the National Congress for consideration. The Bill was drafted by the Argentine Data Protection Authority (Agencia de Acceso a la Información Pública, or “AAIP”) and seeks to amend the current Personal Data Protection Act (Law No. 25,326 of 2000).

On July 14, 2023, California Attorney General Rob Bonta (“California AG”) announced a new enforcement sweep aimed at ensuring that companies comply with the California Consumer Privacy Act of 2018 (“CCPA”) with respect to the personal information of employees and job applicants. The exemption for HR-related data under the CCPA expired on January 1, 2023, when the amendments to the CCPA made by the California Privacy Rights Act of 2020 became operative.

On June 22, 2023, the Oregon House of Representatives passed the Oregon Consumer Privacy Act (S.B. 619) (the “OCPA”), which was previously passed by the Oregon Senate on June 20, 2023. The OCPA has been sent to the Oregon governor’s desk for signature. If signed, the OCPA would make Oregon the 12th state to have enacted comprehensive privacy legislation.

On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.