Privacy & Information Security Law Blog

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

On November 22, 2021, according to India Today, the Indian Joint Parliamentary Committee (the “JPC”) responsible for reviewing the Personal Information Protection Bill 2019 (“PDPB”) issued its report on the proposed law. The report comes nearly two years after the bill was first referred to the JPC. The JPC’s report will likely be presented with the PDPB 2019 in the Winter Session of Parliament, which begins on November 29, 2021. If passed, the PDPB would constitute the first comprehensive data protection law in India ...

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.

On November 17, 2021, the Senate Committee on Commerce, Science, and Transportation held its confirmation hearing on FTC Commissioner nominee, Alvaro Bedoya.

On November 14, 2021, the U.S. Department of the Treasury announced a bilateral cybersecurity partnership with the Israeli Ministry of Finance “to protect critical financial infrastructure and emerging technologies” and combat the use of ransomware. The initiative includes the launch of a U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity (the “Task Force”), which seeks to advance the twin goals of encouraging fintech innovation while protecting against cyber threats from nation-state and criminal actors.

On November 5, 2021, the Federal Trade Commission suggested two preventative steps small businesses can take to protect against ransomware risks:

On November 8, 2021, New York Governor Kathy Hochul signed into law A.430/S.2628 (the “Act”), which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer.

On November 5, 2021, IAB Europe (“IAB EU”) announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework (“TCF”). The TCF is a GDPR consent solution built by IAB EU that has become a widely used approach to collecting consent to cookies under the GDPR. The draft ruling is expected to find that the TCF does not comply with the GDPR, in part because IAB EU acts as a controller, and the digital signals the TCF creates to capture individuals’ consent to cookies are personal data under the GDPR. Because IAB EU does not consider itself a controller with respect to the TCF, it does not currently comply with the GDPR’s controller obligations.

On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) announced Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities (the “Directive”), establishing a CISA-managed catalog of vulnerabilities and compelling federal agencies to remediate such vulnerabilities on government information systems. The Directive targets vulnerabilities that pose a significant risk to the federal government and applies to all software and hardware found on federal information systems, including those managed on an agency’s premises, as well as those hosted by third parties on an agency’s behalf. The Directive is the latest in a series of executive branch efforts to address U.S. cybersecurity in the public and private sectors.