Summary of 2021: Global developments in artificial intelligence, cybersecurity and privacy | Orrick, Herrington & Sutcliffe LLP

Significant developments in artificial intelligence, cybersecurity, and consumer privacy occurred across the world in 2021, with greater activity anticipated in 2022. Our summary for the year captures some of the key legislative, regulatory and litigation updates that occurred throughout the year in China, Europe (EU), United Kingdom (UK) and United States (US).


China’s new data security law: what international companies need to know

China’s Data Security Law (DSL) came into effect on September 1, 2021, and marks China’s first comprehensive data regulatory regime, one of three key frameworks that will strengthen data governance and cybersecurity in the country. With the DSL’s broad extraterritorial reach, international companies that collect data and do business in China and with China now have a new set of data rules to play by.

Europe-wide (EU)

6 essential things to know about the new guidelines of the European Data Protection Board (EDPB) on international data transfers

In November 2021, the European Data Protection Board (EDPB) published draft guidelines on the interaction between Article 3 of the General Data Protection Regulation (GDPR) and the provisions on international transfers described in Chapter V of the GDPR (“Guidelines”). The Guidelines aim to clarify various issues relating to international data transfers. We have prepared an FAQ that summarizes and provides recommendations for the key points described in the new Guidelines.

7 essential things to know about the new European standard contractual clauses (SCCs)

In June 2021, the European Commission published its long-awaited implementing decision adopting standard contractual clauses for the transfer of personal data to third countries, called new standard contractual clauses, designed to comply with the General Data Protection Regulation (GDPR) and take into account the Schrems II judgment of the Court of Justice of the European Union.

Whether you like it or not, cookies are back on the menu and UK and EU data protection authorities are taking enforcement action

The French data protection authority, the National Commission for Informatics and Liberties (CNIL), one of the most active European regulators in the field of data protection, continued to focus on the legality of the use of cookies to collect and process personal data in 2021. The CNIL has specified that cookie compliance is one of its enforcement priorities, along with the security of websites and the security of health data.

The EU’s new approach to regulating artificial intelligence (AI)

In April 2021, the European Commission published its much anticipated Communication and proposal for a “Regulation establishing harmonized rules on artificial intelligence”. The regulation is the very first legal framework, globally, to focus solely on AI and has striking similarities to the GDPR. If passed as drafted, the AI regulation would have significant consequences for many organizations that develop, sell or use AI systems, including the introduction of a new set of legal obligations and a monitoring and enforcement regime with heavy penalties for non-compliance.

United Kingdom (UK)

The UK Age-Appropriate Design Code in force

In September 2021, the UK statutory code of conduct setting out the standards that will apply to online or connected products or services that (i) process personal data and (ii) are likely to be viewed by anyone under 18 in the UK, entered into force. The age-appropriate design code was issued by the Information Commissioner’s Office (ICO) and is required under the UK Data Protection Act 2018. As children’s privacy continues to be one of the main concerns of lawmakers and privacy advocates, the code reflects a direction of travel, with similar reforms being considered in the United States, Europe and around the world.

Warren v DSG Retail Ltd – Changing the Liability Landscape in Post-Cyber Attack Litigation

In August 2021, the High Court of England delivered an important judgment in the case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (Warren), which casts doubt on three of the potential causes of action typically raised as a result of a cybersecurity breach and which could impact how those claims are presented and funded in the future.

United States (US)

2021 Summary: United States (US) State Consumer Privacy Developments

A summary of some of the major state consumer privacy regulatory and legislative activities that took place in the United States in 2021, including developments in California, Colorado, Nevada, New York and Virginia.

U.S. Artificial Intelligence (AI) Regulations Taking Shape

A year-end summary of the artificial intelligence (AI) regulatory guidelines that have been proposed, agency by agency, in the United States by the United States Department of Commerce, FTC, Food and Drug Administration (FDA), National Security Commission, the Government Accountability Office (GAO) and the White House.

Recess Ends For Apps That Collect Health-Related Data – Federal Trade Commission Announces Intention To Enforce Health Breach Notification Rule

In September 2021, the Federal Trade Commission (FTC) announced its intention to “vigorously” enforce its 2009 Health Breach Notification Rule via a policy statement that highlights the scope of the Rule. The policy statement includes a broad interpretation of entities subject to the Rule and clarifies that not only is the acquisition of health data by a malicious actor a reportable violation, but its disclosure to a third party without the authorization of an individual is also a reportable violation.

Treasury actions to counter ransomware

In October 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) announced several actions aimed at disrupting the infrastructure of criminal digital finance, including virtual currency exchanges, responsible for laundering ransoms from cyber attacks, and at encouraging the reporting of ransomware incidents and payments to US authorities. OFAC has issued an updated notice on the potential sanction risks associated with facilitating ransomware payments.

US Department of Commerce’s Bureau of Industry and Security (BIS) finalizes rule covering cybersecurity activities

The BIS issued a rule in October 2021 that will restrict certain exports, re-exports and other overseas transfers of equipment, software and technology (technical know-how) that can be used for cyber attacks or surveillance. The new rule is expected to come into effect on January 19, 2022.

Supreme Court Reduces Scope of Computer Fraud and Abuse Act

In July 2021, the United States Supreme Court resolved a circuit split over the Federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the law. The CFAA imposes criminal liability on any person who “intentionally accesses a computer without authorization or exceeds authorized access”.

Third Circuit Upholds Summary Judgment for TCPA Defendant for Lack of Harm

In May 2021, the United States Court of Appeals for the Third Circuit unanimously upheld a district court decision granting summary judgment to Bank of America in a class action suit under the Telephone Consumer Protection Act (“TCPA”). The Third Circuit found that the plaintiff lacked standing because he had not alleged that he suffered harm as a result of receiving a pre-recorded telemarketing call on his landline. The ruling is a good reminder for companies defending themselves against TCPA lawsuits to investigate the plaintiff’s conduct to determine whether there has been alleged harm, including whether the plaintiff actively solicited telemarketing calls for the purpose of initiating such proceedings.