Privacy & Information Security Law Blog

On April 1, 2024, the U.S. and UK signed a Memorandum of Understanding that details how the U.S. and UK will work together to develop tests for advanced AI models.

On March 29, 2024, the Federal Trade Commission announced its decision to deny, without prejudice, an application for approval of a “Privacy-Protective Facial Age Estimation” mechanism for obtaining parental consent under COPPA.

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released an unpublished version of a Notice of Proposed Rulemaking (“NPRM”), as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024. Pursuant to the proposed rules, “covered entities” would be required to report (1) “qualifying cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. Covered entities are required to notify CISA within 72 hours in the event of a qualifying cyber incident and within 24 hours, in the event that payment is made in response to a ransomware attack.

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.

On March 22, 2024, the Cyberspace Administration of China (the “CAC”) issued the Provisions on Facilitation and Regulation of Cross-Border Data Flows (the “Provisions”), which were effective the same day. The CAC also held a press conference to introduce and explain the Provisions. The Provisions demonstrate that the regulation of cross-border transfers in China is focused on important data and critical information infrastructure operators (“CIIO”), and that the CAC aims to optimize business environment, stabilize foreign investment, and support the data flow between global companies with a Chinese presence.

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC. 

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

On March 19, 2024, Utah’s Governor Spencer J. Cox signed Senate Bill (SB) 98 (the “Bill”), Online Data Security and Privacy Amendments, into law. The Bill amends the Protection of Personal Information Act (§13-44-101 et seq) and the Utah Technology Governance Act in the Utah Government Operations Code (§63A-16-1101 et seq). The Utah Technology Governance Act had previously established the Utah Cyber Center, a state initiative to coordinate efforts between local, state and federal resources by sharing threat intelligence and best practices.

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others.