Dechert Cyber Bits

CJEU Rules on Scope of GDPR Right to a "Copy" of Personal Data

On May 4, 2023, the Court of Justice of the European Union (“CJEU”) ruled that a data subject’s right to obtain a “copy” of their personal data under the GDPR requires that the data subject be given a “faithful and intelligible reproduction” of all data, and depending on the circumstances, that may require copies of the documents containing personal data to be provided.

The case involved a data subject who requested access to his personal data and asked for a copy of the documents containing his data. In response to the request, the controller sent the applicant a list of his personal data in summary form. The applicant filed a complaint, arguing that the controller should have sent him a copy of all documents containing his data, including emails and database extracts.

In response to a reference from the Austrian court, the CJEU held that a description or summary of the personal data in general terms is not sufficient. In addition, whilst the right of access under the GDPR is a right to information rather than documents, it may be necessary in certain circumstances to provide extracts from documents (or even whole documents) where the data is unintelligible without that context.

Takeaway: The CJEU leaves room for debate as to whether documents need to be provided in response to any given subject access request. At bottom, the assessment is highly fact specific. In the context of litigation, parties often use subject access requests as a method of obtaining early access to documents that might be relevant to the dispute. The finding that documents sometimes need to be supplied may embolden litigious individuals to seek documents through subject access requests, while at the same time the decision provides grounds for data controllers to argue that documents do not need to be produced.

White House Meets with AI Tech CEOs, Seeks Public Input on AI Strategy

The Biden Administration continues to focus on the development of artificial intelligence, with initiatives designed to encourage responsible innovation in the artificial intelligence (“AI”) sphere. As part of this initiative, Vice President Kamala Harris, on May 4, 2023, met with tech company CEOs to discuss Administration initiatives meant to ensure that rapidly evolving AI technology does not put people’s rights and safety at risk. According to reports, the Administration emphasized three key areas: (i) the need for companies to be more transparent about their AI systems; (ii) the importance of being able to evaluate, verify, and validate the safety, security, and efficacy of AI systems; and (iii) the need to ensure AI systems are secure from malicious actors and attacks.

As part of the federal government’s increasing focus on AI strategy, which has already resulted in the Blueprint for an AI Bill of Rights released in October 2020, the Biden Administration announced an investment of $140 million to establish seven new AI research institutes through the National Science Foundation. In addition, on May 22, The White House Office of Science and Technology Policy issued an update of its National AI R&D Strategy Plan to include a “principled and coordinated approach to international collaboration in AI research” and now seeks public comment through July 7. The White House Office of Management and Budget also noted that this summer it will publish a draft policy on the use of AI systems by the U.S. government for public comment. Moreover, FTC chair Lina Khan made clear in a New York Times op-ed coinciding with the White House meeting that the US government must regulate AI and has ample existing legal authority to do so through its mandate to protect consumers and competition.

Takeaway: As recent headlines bear out, US authorities clearly are focused on shaping the development of AI technology. This latest meeting and the announcement of these initiatives is yet another indication that the federal government continues to explore a variety of policies, regulations, and enforcement actions to influence the development and deployment trajectory of AI.

For more on AI, listen to the podcast from ESI Survival Guide, where Dechert partners Brenda Sharton and Ben Sadun discuss the technology's origins, privacy concerns and cybersecurity risks. Also read our recent OnPoint, Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions.

EU Moves Closer to Adopting AI Regulation After Committee Votes

On May 11, 2023, the European Parliament Internal Market and the Civil Liberties Committees voted to approve an amended draft of the AI Act, legislation designed to regulate artificial intelligence. The Act, if adopted, will apply to any product or service that uses an AI system.

The Act as proposed would assign AI systems to different risk categories. Certain AI systems would be prohibited altogether because they create an unacceptable level of risk. Among the practices prohibited under the Act would be social scoring, biometric categorization, predictive-policing, emotional-recognition, and biometric data scraping. AI systems that are not prohibited but categorized as “High Risk” are subject to a number of regulatory requirements. “High Risk” AI includes AI intended for use as a “safety component” of a product (such as a collision avoidance system in a car), as well as AI systems in certain areas that are deemed to be particularly sensitive (such as biometric identification and management of critical infrastructure). The legislation also seeks greater transparency with respect to general purpose AI. Violations of the Act could result in fines of up to 6% of a company’s global annual revenue.

The Committees have taken a robust stance to regulation – broadening both the categories of prohibited AI and “High Risk” AI – and thereby bringing more AI functions within the ambit of the stricter rules in the proposed legislation.

Takeaway: Whilst there are still a number of steps in the legislative process, the European Union is on its way to becoming the first body to pass legislation regulating the use of artificial intelligence. Such legislation would be ground-breaking, and the Act could set a global standard for artificial intelligence regulation. AI developers worldwide may want to consider how their systems might be classified under the EU’s standards.

For more information on the framework of the legislation see our Dechert OnPoint European Commission Proposes Regulation on Artificial Intelligence, and for further detail on some of the proposed rules applicable to “High Risk” AI see our Dechert OnPoints Requirements for High-Risk AI Systems and Conducting a Conformity Assessment for High-Risk AI.

Florida Legislators Pass Privacy Bill

On May 4, 2023, the Florida House passed SB 262—the Florida Digital Bill of Rights (“FDBR”), which, if enacted, will take effect on July 1, 2024. In its current form, SB 262’s defining characteristic is its extremely narrow scope. Most provisions would apply to “controllers”—entities that make in excess of $1 billion in global gross annual revenues and either: (i) derive 50 percent or more of those revenues from online advertisement sales; (ii) operate a consumer smart speaker and voice command service; or (iii) operate an app store with at least 250,000 apps. For companies that meet this threshold, the FDBR is similar to many other state data privacy laws, generally requiring a controller to, among other things: (i) provide a privacy notice; (ii) establish a secure and reliable means for consumers to exercise their privacy rights; (iii) obtain a consumer’s consent to process sensitive data; (iv) enter into contracts with its processors; and (v) conduct and document data protection assessments.

The fact that the bulk of Florida’s bill is targeted to businesses with over $1 billion in revenue does not mean that other businesses can ignore SB 262 entirely. The FDBR’s provisions related to the processing of “sensitive data” apply to any for-profit entity that conducts business in Florida. As a result, such entities would need to, for example, obtain consumer consent prior to processing or selling sensitive data. Sensitive data includes personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual.

Notably, the bill grants exclusive enforcement authority to the Florida Department of Legal Affairs—i.e., no private right of action. In addition, the bill includes a discretionary 45-day cure period that the Department may grant before initiating an enforcement action.

Takeaway: Florida will likely join a host of other states, including Iowa and Indiana, that have passed comprehensive data privacy laws in the first half of 2023. While SB 262 has a narrower scope than other state provisions, its requirements, particularly regarding sensitive data, add to the already large compliance burden on businesses with the growing patchwork of state data privacy laws. Companies should consider planning for this expansion of their compliance burdens, as an increasing number of data privacy laws will come into effect over the next few years.  

MEPs Vote Against Draft EU-US Data Transfer Agreement

As expected, Members of the European Parliament (“MEPs”) recently voted 306-21 (with 231 members abstaining) to adopt a resolution rejecting the proposed EU-US Data Privacy Framework (“DPF”). Although this resolution is not binding on the European Commission, it will be taken into account by the Commission when considering whether to adopt the DPF.

MEPs appeared to consider the DPF an improvement when compared to its predecessor—the invalidated EU-US Privacy Shield. But doubts remain. Members reportedly suggested that the DPF may still not satisfy EU law, contending that the DPF still allows for bulk personal data collection in certain cases, does not make bulk data collection subject to independent prior authorization, does not provide clear rules on data retention, and lacks a lawsuit-proof regime. MEPs also argued that while the DPF proposes the creation of a Data Protection Review Court (“DPRC”) to provide redress to EU data subjects, the DPRC could be viewed as unsatisfactory because its decisions would be secret and a U.S President would have the authority to overrule DPRC decisions or dismiss DPRC judges. In particular, as there is no U.S federal privacy and data protection law, MEPs raised the concern that a “comprehensive assessment of how these principles are implemented in the U.S. legal order might not be possible due to a lack of transparency in Data Protection Review Court procedures.”

Takeaway: In the face of significant opposition from MEPs, it may be quite some time before there is an adequacy decision in place in relation to the DPF. Although there has been significant movement towards a new understanding, this vote is a reminder of the divisions that remain and it underscores the need for the EU and US to come together on a mutually agreeable framework that will provide practical and workable guidance for data transfers.

Easy Healthcare Corporation Settles with FTC Over Alleged Data Sharing

Easy Healthcare, Corp.—the operator of the ovulation tracking app Premom—settled a case brought against the company by the FTC, without any admission of wrongdoing. The Commission alleged that Easy Healthcare: (i) repeatedly and deceptively promised users in its privacy policies that it would not share their personal information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising; (ii) failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs); and (iii) shared personal information for advertising purposes without obtaining consumers’ affirmative express consent. As part of the settlement with the FTC, Easy Healthcare agreed to, among other things, pay a $100,000 civil penalty, obtain user consent before sharing personal information with third parties for other purposes, and seek deletion of data it shared with third parties. Easy Healthcare did not admit liability.

Takeaway: Dechert represented Easy Healthcare Corporation in this matter, so we will not provide any comment on it. Dechert represented Easy Healthcare Corporation in this matter, so we will not provide any comment on it. For Easy Healthcare’s Response to the FTC Settlement, click here.