Dechert Cyber Bits
Issue 52 - March 28, 2024
European Parliament Approves EU AI Act
On March 13, 2024, the European Parliament approved the EU Artificial Intelligence Act (“AI Act”). A first-of-its-kind legal framework for AI, the AI Act has extraterritorial effect, impacting EU and non-EU businesses that develop, provide, or use AI within the EU. In its current version, the most serious breaches of the AI Act (use of prohibited AI practices) can result in fines of up to 7% of global annual turnover or EUR 35 million, whichever is higher. The AI Act adopts a “risk-based” staggered approach, classifying AI systems into four categories:
- Prohibited AI: Certain AI systems that are considered to threaten individuals’ fundamental rights are banned. These include biometric categorisation systems based on sensitive characteristics, systems that manipulate human behaviour or exploit vulnerabilities, systems for emotion recognition in the workplace and schools, and social scoring.
- High Risk AI: AI systems in this category include those used in critical infrastructure sectors such as energy and transport as well as the insurance and banking sectors, education assessments, recruitment and employment. They are subject to strict requirements, including technical documentation, data governance, human oversight, security, conformity assessments, and reporting obligations. This category is the focus of the AI Act and is subject to the most extensive obligations.
- General Purpose AI Models: These are models that display significant generality, can perform a wide range of distinct tasks, and can be integrated into a variety of systems. They must meet certain transparency requirements, assess and mitigate risks, and undertake testing, among other things.
- Other/Low Risk AI: Examples include AI systems such as chatbots or those performing general tasks like content creation or image and speech recognition. The primary obligations for these systems revolve around ensuring transparency for the end-user (i.e., informing the end user that they are interacting with an AI system).
The AI Act is now undergoing final legal-linguistic checks and will be subject to the Council of the EU’s formal final endorsement before being published in the Official Journal, expected to take place around May or June 2024; it will then enter into force 20 days after publication. Requirements will then be phased into effect in stages: the prohibitions apply first, followed by the general purpose AI obligations, with most remaining provisions applicable 24 months after entry into force and certain high-risk obligations phased in later still.
Takeaway: Businesses developing or using AI will want to get started with mapping their current usage of AI, considering whether they are within the territorial scope of the AI Act, and assessing what risk-level category each AI deployment falls under, to ensure they are in compliance as the requirements phase into effect. Developers of AI (in particular systems that would fall within the high-risk category) will want to have the requirements of the AI Act front of mind during the development process with a view to such systems being well positioned to comply as the AI Act comes into effect, rather than potentially requiring costly fixes following implementation. Early preparation will also position businesses favorably in navigating the AI Act’s anticipated “Brussels effect” across different regions.
U.S. House of Representatives Passes Bill to Prevent Sales of Americans' Data to "Foreign Adversaries"
On March 21, 2024, the U.S. House of Representatives passed the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“H.R. 7520” or the “Bill”). H.R. 7520 focuses on the bulk sale of data to “foreign adversary” countries, such as China, North Korea, Iran and Russia. The Bill seeks to make it unlawful for data brokers to provide a foreign adversary, or any company in which a foreign adversary has 20% or more ownership interest, with access to the “sensitive data” of any U.S. person. The Bill defines “sensitive data” broadly and includes, among other things, government identification numbers, health data, financial data, and log-in credentials. A U.S. person’s private communications, calendar information, intimate imagery, and information identifying online activities over time and across websites are also protected under the Bill.
H.R. 7520 would empower the U.S. Federal Trade Commission (“FTC”) to treat violations of the ban on sensitive data disclosure as an unfair trade practice under the FTC’s existing enforcement powers. H.R. 7520 does not yet have a counterpart in the U.S. Senate and its fate therefore remains uncertain.
Takeaway: H.R. 7520 demonstrates continuing concerns over the collection and sale of U.S. consumer data, and reflects an increasing focus of lawmakers on the dangers associated with U.S. consumer data falling into the hands of foreign adversaries. Data brokers and companies that share sensitive personal information need to be aware of who is purchasing their data, and whether it was lawfully acquired, as legislative and regulatory focus on the data broker space continues unabated.
CJEU Ruling Pressures IAB Europe To Reform Adtech Framework
The Court of Justice of the European Union (“CJEU”) ruled on the Transparency and Consent Framework (“TCF”) operated by IAB Europe, the European-level trade association for the digital marketing and advertising industry. In 2022, the Belgian data regulator fined IAB Europe for GDPR violations. IAB Europe appealed, and the appeal court referred questions to the CJEU. The TCF was designed to support compliance with the GDPR in relation to consents for targeted advertising by using ‘TC Strings,’ digital signals that capture website users’ preferences about how their data is used.
The CJEU held that TC Strings constitute personal data where the information contained in the string may be linked to an identifier, such as an IP address, that enables the data subject to be identified. This is the case even if IAB Europe cannot access the data used by its members.
The CJEU also indicated that, through the TCF, IAB Europe exerts sufficient influence over the recording of preferences in a TC String for IAB Europe to be a ‘joint controller’ under the GDPR (even where IAB Europe does not itself have access to the data). IAB Europe is not a controller, however, in relation to the subsequent use of the preference information by IAB members and others in the adtech ecosystem (such as data brokers and advertising platforms).
Takeaway: The CJEU’s comments and factual assumptions are subject to confirmation by the Belgian court, but the CJEU has given a clear steer that IAB Europe is a joint controller in connection with the TCF. This will put pressure on IAB Europe to remedy privacy issues with the TCF. Organizations that participate in the TCF can take comfort in the fact that an action plan for bringing the TCF into compliance has been approved by the Belgian data regulator.
EU Data Regulators Can Order Erasure of Personal Data Even If Not Requested by Data Subject
The Court of Justice of the European Union (“CJEU”) has confirmed that data regulators have the power to order erasure of unlawfully processed personal data of their own volition.
In 2020, a Hungarian municipal administration decided to provide financial support to certain individuals who had been made vulnerable by the COVID-19 pandemic. To verify eligibility for this aid, the administration requested personal data from other Hungarian state institutions. The Hungarian data regulator launched an investigation into the scheme and found that the municipal administration had failed to comply with its transparency obligations under the GDPR. It fined the administration and ordered erasure of the unlawfully processed data.
The municipal administration appealed the erasure order relying on a decision of the Hungarian Supreme Court that found that erasure was a right of data subjects and could not be enforced by data regulators if the data subject had not exercised that right. The CJEU disagreed, finding that even if a data subject has not made an erasure request, the GDPR imposes an obligation on data controllers to erase personal data that is processed unlawfully, and regulators are empowered to order compliance with that erasure obligation.
Takeaway: Finding that data regulators can independently order the deletion of unlawfully processed personal data is a logical outcome, and the CJEU has confirmed an important power in a regulator’s enforcement arsenal. The CJEU’s decision also emphasizes that, rather than waiting for data subjects to exercise their rights, organizations would be well-advised to pro-actively manage their data protection compliance, including on issues where data subjects have express rights.
California Privacy Protection Agency Releases Strategic Plan for 2024-2027
The California Privacy Protection Agency (“Agency”) released its strategic plan for 2024-2027 (the “Plan”). The Plan outlines the Agency’s goals to: (1) “strengthen public education, outreach and engagement,” (2) “vigorously enforce privacy laws,” (3) “strengthen Californians’ privacy rights,” and (4) ensure “operational excellence.” The goals and the strategic plan also lay out the Agency’s plan for enforcement of the California Consumer Privacy Act (“CCPA”).
The Plan includes objectives designed to effectuate each of the four goals. For example, to “vigorously enforce the law,” the Plan suggests several objectives, including advancing “strategic enforcement priorities that will provide the greatest impact to Californians,” the undertaking of successful “enforcement actions” to “protect consumers through quality, diligent, and timely investigations,” and identifying “trends through complaint data and adjust[ing] audit and enforcement protocols to mitigate consumer harm.” Moreover, to “strengthen public education, outreach, and engagement,” the Plan suggests developing “supplemental business guidance” and instituting “a statewide public education campaign.”
Takeaway: The Agency’s Plan, which the Agency calls a “road map for the future,” is ambitious. It emphasizes development of protocols and processes intended to foster a robust regulatory landscape, including measures meant to facilitate timely responses to privacy-related issues, encourage cross-industry collaboration, and bolster partnerships between the Agency and non-government entities. A key Plan objective is encouraging compliance by empowering consumers through educational efforts, and facilitating businesses’ understanding of their obligations through publishing “supplemental business guidance.” It is also important to note that enforcement remains a priority: the Plan commits the Agency to protecting consumer privacy rights through “engagement with the regulated community, timely investigations, and enforcement actions.”
Dechert Tidbits
UN Passes Resolution Promoting Collective Action on "Safe, Secure and Trustworthy" AI
The United Nations General Assembly on March 21, 2024, unanimously adopted the first global resolution regarding artificial intelligence (“AI”). In a joint statement from the resolution’s co-sponsors, the United States explained that the resolution, titled "Seizing the Opportunities of Safe, Secure, and Trustworthy Artificial Intelligence Systems for Sustainable Development," calls on Member States to promote AI systems that are safe, secure, and trustworthy. The resolution also seeks to guide Member States’ leveraging of AI in their efforts against poverty, global health inequality, food insecurity, and education inequality.
EDPS Criticizes Council of Europe's Proposal for Convention On AI
The Council of Europe is negotiating a “Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law” to create obligations between members of the Council of Europe to respect human dignity, the rule of law, and democratic principles when artificial intelligence is used. The European Data Protection Supervisor has expressed concern that the value of the treaty has been undermined by limiting its scope to public bodies (with merely an option for member states to opt-in private companies) and by excluding technologies developed for national security.
New Hampshire Enacts Privacy Legislation
New Hampshire Governor Chris Sununu signed SB 255, the state’s first consumer privacy law, into law earlier this month. Similar to other U.S. state privacy laws, SB 255 empowers New Hampshire consumers to access the personal data companies process about them, understand how that data is processed, and have that data deleted upon request. The law also contains data minimization principles. The law does not apply to financial institutions or to data regulated by the federal Gramm-Leach-Bliley Act. Violations of the law will be enforced exclusively by the New Hampshire Attorney General. SB 255 takes effect on January 1, 2025.
We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as one of the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Dylan Balbirnie, Connor Bisset Flannery, Aurélien Martinot, and Daniel Murdock
Production Editors
Hilary Bonaccorsi and Madeleine White
Senior Editor
Vernon L. Francis
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Chair, Privacy & Cybersecurity
Boston
brenda.sharton@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Vernon L. Francis
Partner, Senior Editor
Philadelphia
vernon.francis@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."
"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises, and DDoS, brought by threat actors ranging from nation states to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act, the EU/UK GDPR, the e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.