Privacy & Information Security Law Blog

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On October 3, 2022, Google LLC (“Google”) agreed to pay the State of Arizona $85 million to settle a consumer privacy lawsuit that alleged the company surreptitiously collected consumers’ geolocation data on smartphones even after users disabled location tracking. 

On October 21 and October 22, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold public meetings to discuss and take possible action, including adoption or modification of proposed regulations, to “implement, interpret, and make specific” the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 .

On October 4, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper outlining 10 key recommendations for regulating artificial intelligence (“AI”) in Brazil (the "White Paper"). CIPL prepared the White Paper to assist the special committee of legal experts established by Federal Senate of Brazil (the “Senate Committee”) as it works towards an AI framework in Brazil.

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems. 

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

On October 3, 2022, the U.S. Department of Justice (“DOJ”) announced that the agreement between the U.S. Government and the UK Government on Access to Electronic Data for the Purpose of Countering Serious Crime (the “CLOUD Act Agreement”) entered into force, effective the same day. The CLOUD Act Agreement, which is authorized by the U.S. Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, is the first of its kind and will allow each country’s investigators to gain access to data held by service providers in the other country, for the purpose of combating serious crime. According to DOJ, this “will greatly enhance the ability of the United States and the United Kingdom to prevent, detect, investigate and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.”

Background

On September 15, 2022, the European Commission presented its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”). According to the European Commission, the Cyber Resilience Act will be the first EU-wide legislation introducing “cybersecurity requirements for products with digital elements, throughout their whole lifecycle.”

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including: