Dechert Cyber Bits
We are honored to have been named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to this recognition. See article here.
CJEU Rules on Scope of GDPR Right to a "Copy" of Personal Data
On May 4, 2023, the Court of Justice of the European Union (“CJEU”) ruled that a data subject’s right to obtain a “copy” of their personal data under the GDPR requires that the data subject be given a “faithful and intelligible reproduction” of all data, and depending on the circumstances, that may require copies of the documents containing personal data to be provided.
The case involved a data subject who requested access to his personal data and asked for a copy of the documents containing his data. In response to the request, the controller sent the applicant a list of his personal data in summary form. The applicant filed a complaint, arguing that the controller should have sent him a copy of all documents containing his data, including emails and database extracts.
In response to a reference from the Austrian court, the CJEU held that a description or summary of the personal data in general terms is not sufficient. In addition, whilst the right of access under the GDPR is a right to information rather than documents, it may be necessary in certain circumstances to provide extracts from documents (or even whole documents) where the data is unintelligible without that context.
Takeaway: The CJEU leaves room for debate as to whether documents need to be provided in response to any given subject access request. At bottom, the assessment is highly fact specific. In the context of litigation, parties often use subject access requests as a method of obtaining early access to documents that might be relevant to the dispute. The finding that documents sometimes need to be supplied may embolden litigious individuals to seek documents through subject access requests, while at the same time the decision provides grounds for data controllers to argue that documents do not need to be produced.
White House Meets with AI Tech CEOs, Seeks Public Input on AI Strategy
The Biden Administration continues to focus on the development of artificial intelligence, with initiatives designed to encourage responsible innovation in the artificial intelligence (“AI”) sphere. As part of this initiative, Vice President Kamala Harris, on May 4, 2023, met with tech company CEOs to discuss Administration initiatives meant to ensure that rapidly evolving AI technology does not put people’s rights and safety at risk. According to reports, the Administration emphasized three key areas: (i) the need for companies to be more transparent about their AI systems; (ii) the importance of being able to evaluate, verify, and validate the safety, security, and efficacy of AI systems; and (iii) the need to ensure AI systems are secure from malicious actors and attacks.
As part of the federal government’s increasing focus on AI strategy, which has already resulted in the Blueprint for an AI Bill of Rights released in October 2020, the Biden Administration announced an investment of $140 million to establish seven new AI research institutes through the National Science Foundation. In addition, on May 22, The White House Office of Science and Technology Policy issued an update of its National AI R&D Strategy Plan to include a “principled and coordinated approach to international collaboration in AI research” and now seeks public comment through July 7. The White House Office of Management and Budget also noted that this summer it will publish a draft policy on the use of AI systems by the U.S. government for public comment. Moreover, FTC chair Lina Khan made clear in a New York Times op-ed coinciding with the White House meeting that the US government must regulate AI and has ample existing legal authority to do so through its mandate to protect consumers and competition.
Takeaway: As recent headlines bear out, US authorities clearly are focused on shaping the development of AI technology. This latest meeting and the announcement of these initiatives is yet another indication that the federal government continues to explore a variety of policies, regulations, and enforcement actions to influence the development and deployment trajectory of AI.
For more on AI, listen to the podcast from ESI Survival Guide, where Dechert partners Brenda Sharton and Ben Sadun discuss the technology's origins, privacy concerns and cybersecurity risks. Also read our recent OnPoint, Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions.
EU Moves Closer to Adopting AI Regulation After Committee Votes
On May 11, 2023, the European Parliament Internal Market and the Civil Liberties Committees voted to approve an amended draft of the AI Act, legislation designed to regulate artificial intelligence. The Act, if adopted, will apply to any product or service that uses an AI system.
The Act as proposed would assign AI systems to different risk categories. Certain AI systems would be prohibited altogether because they create an unacceptable level of risk. Among the practices prohibited under the Act would be social scoring, biometric categorization, predictive-policing, emotional-recognition, and biometric data scraping. AI systems that are not prohibited but categorized as “High Risk” are subject to a number of regulatory requirements. “High Risk” AI includes AI intended for use as a “safety component” of a product (such as a collision avoidance system in a car), as well as AI systems in certain areas that are deemed to be particularly sensitive (such as biometric identification and management of critical infrastructure). The legislation also seeks greater transparency with respect to general purpose AI. Violations of the Act could result in fines of up to 6% of a company’s global annual revenue.
The Committees have taken a robust stance to regulation – broadening both the categories of prohibited AI and “High Risk” AI – and thereby bringing more AI functions within the ambit of the stricter rules in the proposed legislation.
Takeaway: Whilst there are still a number of steps in the legislative process, the European Union is on its way to becoming the first body to pass legislation regulating the use of artificial intelligence. Such legislation would be ground-breaking, and the Act could set a global standard for artificial intelligence regulation. AI developers worldwide may want to consider how their systems might be classified under the EU’s standards.
For more information on the framework of the legislation see our Dechert OnPoint European Commission Proposes Regulation on Artificial Intelligence, and for further detail on some of the proposed rules applicable to “High Risk” AI see our Dechert OnPoints Requirements for High-Risk AI Systems and Conducting a Conformity Assessment for High-Risk AI.
Florida Legislators Pass Privacy Bill
On May 4, 2023, the Florida House passed SB 262—the Florida Digital Bill of Rights (“FDBR”), which, if enacted, will take effect on July 1, 2024. In its current form, SB 262’s defining characteristic is its extremely narrow scope. Most provisions would apply to “controllers”—entities that make in excess of $1 billion in global gross annual revenues and either: (i) derive 50 percent or more of those revenues from online advertisement sales; (ii) operate a consumer smart speaker and voice command service; or (iii) operate an app store with at least 250,000 apps. For companies that meet this threshold, the FDBR is similar to many other state data privacy laws, generally requiring a controller to, among other things: (i) provide a privacy notice; (ii) establish a secure and reliable means for consumers to exercise their privacy rights; (iii) obtain a consumer’s consent to process sensitive data; (iv) enter into contracts with its processors; and (v) conduct and document data protection assessments.
The fact that the bulk of Florida’s bill is targeted to businesses with over $1 billion in revenue does not mean that other businesses can ignore SB 262 entirely. The FDBR’s provisions related to the processing of “sensitive data” apply to any for-profit entity that conducts business in Florida. As a result, such entities would need to, for example, obtain consumer consent prior to processing or selling sensitive data. Sensitive data includes personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed for the purpose of uniquely identifying an individual.
Notably, the bill grants exclusive enforcement authority to the Florida Department of Legal Affairs—i.e., no private right of action. In addition, the bill includes a discretionary 45-day cure period that the Department may grant before initiating an enforcement action.
Takeaway: Florida will likely join a host of other states, including Iowa and Indiana, that have passed comprehensive data privacy laws in the first half of 2023. While SB 262 has a narrower scope than other state provisions, its requirements, particularly regarding sensitive data, add to the already large compliance burden on businesses with the growing patchwork of state data privacy laws. Companies should consider planning for this expansion of their compliance burdens, as an increasing number of data privacy laws will come into effect over the next few years.
MEPs Vote Against Draft EU-US Data Transfer Agreement
As expected, Members of the European Parliament (“MEPs”) recently voted 306-21 (with 231 members abstaining) to adopt a resolution rejecting the proposed EU-US Data Privacy Framework (“DPF”). Although this resolution is not binding on the European Commission, it will be taken into account by the Commission when considering whether to adopt the DPF.
MEPs appeared to consider the DPF an improvement when compared to its predecessor—the invalidated EU-US Privacy Shield. But doubts remain. Members reportedly suggested that the DPF may still not satisfy EU law, contending that the DPF still allows for bulk personal data collection in certain cases, does not make bulk data collection subject to independent prior authorization, does not provide clear rules on data retention, and lacks a lawsuit-proof regime. MEPs also argued that while the DPF proposes the creation of a Data Protection Review Court (“DPRC”) to provide redress to EU data subjects, the DPRC could be viewed as unsatisfactory because its decisions would be secret and a U.S President would have the authority to overrule DPRC decisions or dismiss DPRC judges. In particular, as there is no U.S federal privacy and data protection law, MEPs raised the concern that a “comprehensive assessment of how these principles are implemented in the U.S. legal order might not be possible due to a lack of transparency in Data Protection Review Court procedures.”
Takeaway: In the face of significant opposition from MEPs, it may be quite some time before there is an adequacy decision in place in relation to the DPF. Although there has been significant movement towards a new understanding, this vote is a reminder of the divisions that remain and it underscores the need for the EU and US to come together on a mutually agreeable framework that will provide practical and workable guidance for data transfers.
Easy Healthcare Corporation Settles with FTC Over Alleged Data Sharing
Easy Healthcare, Corp.—the operator of the ovulation tracking app Premom—settled a case brought against the company by the FTC, without any admission of wrongdoing. The Commission alleged that Easy Healthcare: (i) repeatedly and deceptively promised users in its privacy policies that it would not share their personal information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising; (ii) failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs); and (iii) shared personal information for advertising purposes without obtaining consumers’ affirmative express consent. As part of the settlement with the FTC, Easy Healthcare agreed to, among other things, pay a $100,000 civil penalty, obtain user consent before sharing personal information with third parties for other purposes, and seek deletion of data it shared with third parties. Easy Healthcare did not admit liability.
Takeaway: Dechert represented Easy Healthcare Corporation in this matter, so we will not provide any comment on it. Dechert represented Easy Healthcare Corporation in this matter, so we will not provide any comment on it. For Easy Healthcare’s Response to the FTC Settlement, click here.
Recent News and Publications
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of German’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as best lawyers in Germany for Data Security and Privacy Law
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
Dechert Cyber Bits Partner Committee
“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
- Issue 33 - May 11, 2023
- Issue 32 - April 27, 2023
- Issue 31 - March 30, 2023
- Issue 30 - March 16, 2023
- Issue 29 - March 2, 2023
- Issue 28 - February 16, 2023
- Issue 27 - February 2, 2023
- Issue 26 - January 19, 2023
- Issue 25 - December 15, 2022
- Issue 24 - November 10, 2022
- Issue 23 - October 27, 2022
- Issue 22 - October 12, 2022
- Issue 21 - September 29, 2022
- Issue 20 - September 15, 2022
- Issue 19 - August 18, 2022
- Issue 18 - August 3, 2022
- Issue 17 - July 21, 2022
- Issue 16 - June 23, 2022
- Issue 15 - June 10, 2022
- Issue 14 - May 26, 2022
- Issue 13 - May 12, 2022
- Issue 12 - April 28, 2022
- Issue 11 - April 7, 2022
- Issue 10 - March 24, 2022
- Issue 9 - March 10, 2022
- Issue 8 - February 24, 2022
- Issue 7 - February 10, 2022
- Issue 6 - January 27, 2022
- Issue 5 - January 13, 2022
- Issue 4 - December 9, 2021
- Issue 3 - November 18, 2021
- Issue 2 - November 4, 2021
- Issue 1 - October 21, 2021