Since China’s Personal Information Protection Law (PIPL) took effect in 2021, companies doing business in mainland China have questioned what is required of them when transferring personal information in and out of the country. Taft pondered this very question in our earlier blog post, ‘Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad.’ Last month, the Cyberspace Administration of China (CAC) provided its long-awaited answer by issuing its final version of the measures on the standard contract for cross-border transfer of personal information (Final Measures), along with a standard contractual clauses equivalent (PIPL SCCs). Similar to the EU SCCs or the UK International Data Transfer Agreement (IDTA), the PIPL SCCs allow companies to freely import and export data from China. Here is what companies should know about this new Chinese transfer mechanism:

Continue Reading The Wait is Over: Cyberspace Administration of China Releases Model Contract for Data Transfers

For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.

Continue Reading CMMC – Where Do We Stand in 2023?

A few months ago we wrote about the proposed draft rules for the Colorado Privacy Act (CPA) (“draft rules”). Since then, the Colorado Attorney General’s Office has published two updated versions of the draft rules. The third and latest version of the proposed draft CPA rules was published on January 27, 2023 and the comment period for this version ended on February 3, 2023. Below is a brief high-level overview of some of the key changes made in the past two revisions of the draft rules.

Continue Reading Colorado Privacy Act Update: Colorado AG Issues Updated Draft Rules

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).

Continue Reading Heads Up! Increasing Litigation Related to Website Technology & Data Sharing

Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GDPR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.

Continue Reading Nothing Neutral about the New Swiss Federal Act on Data Protection

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.

Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

Artificial Intelligence (AI) is a broad term that generally refers to computer systems that can receive and process information to make decisions without human input. AI is widely considered an era-defining technology in the way electrical and computer technology came to define the 1800s and 1900s respectively. Just as regulation of computer security lagged behind the increasingly pervasive use of computers in the late 1980s, we are seeing today that regulation of AI has likewise lagged behind the expansion of the technology. 

U.S. federal, state, and international authorities are increasingly monitoring and regulating AI. Regulating AI is no simple task, with the technology finding growing applications in a myriad of areas such as autonomous vehicles, the military, law enforcement, art, music, creative writing, social media, and even corporate recruitment.

Continue Reading A Primer on Artificial Intelligence and the Law in 2023

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.

Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.

1. Get strong! Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e., ten characters or more, including an upper and lower case letter, number, and special character).

2. Multiply! In addition to a strong password, you should make sure to add that second layer of authentication and make sure all your sensitive accounts have multifactor authentication turned on. This will further deter password thieves from gaining access to your accounts and systems.

3. Plan! Have a plan for how you will comply with the numerous privacy laws coming into effect in 2023 in California, Virginia, Colorado, Utah, and Connecticut (yes, they may still apply to your business even if it is not located in those states). And don’t forget to update your Standard Contractual Clauses should your business process personal data from Europe. Planning also means implementing or updating policies, procedures, and contracts to account for privacy and security requirements (both as a matter of law and best practice).

4. Lose weight! Delete unneeded data from your systems and your hard copy storage in accordance with a record retention policy or best practice. The best defense against your data being stolen is not keeping it around unnecessarily.

5. Stay informed! Keep up to date on both legal issues and best practices in the privacy and security space. Download our PDS mobile app and sign up for Taft’s Privacy and Data Security Insights! Happy New Year to all and best wishes for 2023!

Two weeks ago, the Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.

Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance