After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here).  The Provisions take effect immediately.  

The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime.  These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations.  Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification.  As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers.  Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.

Continue Reading China Eases Restrictions on Cross-Border Data Flows

The FTC convened its eighth annual privacy conference on March 6, 2024.  The full transcript of the event can be found here.   Both Chair Khan and Commissioner Bedoya provided remarks during the event that are likely to be considered provocative by many.

Continue Reading Commissioner Remarks at FTC PrivacyCon 2024

On March 7, Utah repealed and replaced its Social Media Regulation Act, which had previously been challenged in a pair of lawsuits by NetChoice and the Foundation for Individual Rights and Expression.  The replacement legislation is spread across two enacted bills, SB 194 and HB 464.  SB 194 contains the bulk of the legislation’s general provisions, while HB 464 includes a private right of action for certain harms associated with a minor’s use of algorithmically curated social media. We summarize below some of the key features of the new legislation, which will go into effect on October 1, 2024.

Continue Reading Utah Repeals and Replaces Social Media Regulation Act

On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure.  (Case C‑46/23)

Continue Reading The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data

Earlier this week, Members of the European Parliament (MEPs) cast their votes in favor of the much-anticipated AI Act. With 523 votes in favor, 46 votes against, and 49 abstentions, the vote is a culmination of an effort that began in April 2021, when the EU Commission first published its proposal for the Act.

Here’s what lies ahead:

Continue Reading EU Parliament Adopts AI Act

At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information.  Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not actually initiate the formal rulemaking process.  At the meeting, the CPPA Staff clarified that the Board will need to re-review the draft rules for ADMT, privacy risk assessments, and cyber audits and vote again to initiate the rulemaking process.  The CPPA’s General Counsel Philip Laird said he expects the Board will vote to begin the formal rulemaking process for all three topics in July 2024, at the earliest.  Once formal rulemaking begins, the Board has one year to finalize the regulations, per California’s Administrative Procedure Act.

Continue Reading California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments

Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market.  The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables.  The approved text is available here.

Continue Reading The Cyber Resilience Act is One Step Closer to Becoming Law

On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR.  For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated enforcement.

In 2023, regulators focused upon data protection officers’ designation and role.  And, on January 17, 2024, the EDPB published its report providing an overview of the actions SAs took in the context of the 2023 action.  This blog post provides an overview of what you can expect from the coordinated enforcement action in 2024, based on the lessons learned from 2023.

Continue Reading EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?

The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). 

Continue Reading California Attorney General Announces Second CCPA Settlement

On Thursday, March 7, 2024, the U.S. Senate confirmed two nominees for the open seats on the Federal Trade Commission:  Andrew N. Ferguson, former solicitor general of the Commonwealth of Virginia; and Melissa Holyoak, former solicitor general with the Utah Attorney General’s Office.  With this confirmation of two new Republican Commissioners, the FTC is one step closer to a full slate of five bipartisan Commissioners.  The Senate also re-confirmed Commissioner Rebecca Kelly Slaughter for a second term.  President Biden had nominated Ferguson and Holyoak on July 11, 2023, and renominated Slaughter on February 13, 2023. 

Continue Reading FTC Returns to Bipartisan Commission with Confirmation of Two New Republican Commissioners