On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware
California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization
On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.” The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides…
CPPA Executive Director Remarks on Policy and Enforcement Priorities
A new post on the Covington Inside Privacy blog discusses remarks by California Privacy Protection Agency (CPPA) Executive Director Ashkan Soltani at the International Association of Privacy Professionals’ global privacy conference last week. The remarks covered the CPPA’s priorities for rulemaking and administrative enforcement of the California Consumer Privacy Act…
EDPB 2023 Coordinated Enforcement Framework on DPOs: What Are the Key Takeaways for Organizations?
On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU. In particular, the report provides a snapshot of the findings of each supervisory authority…
EHDS Series – 2: The European Health Data Space from the Health Data Holder’s Perspective
In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS). For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted. This article focusses on the obligations of data holders; for an overview of the EHDS generally, see our first post in this series.
We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.
1: Health data holder
The term “health data holder” includes, among others, any natural or legal person developing products or services intended for health, developing or manufacturing wellness applications, or performing research in relation to healthcare, who:
- in relation to personal electronic health data: in its capacity of a data controller has the right or obligation to process the health data, including for research and innovation purposes; or
- in relation to non-personal electronic health data: has the ability to make the data available through control of the technical design of a product and related services. These terms appear to be taken from the Data Act, but they are not defined under the EHDS.
In practice, this means that, for example, hospitals, as data controllers, are data holders of their electronic health records. Similarly, pharmaceutical companies are data holders of clinical trial data and biobanks. Medical device companies may be data holders of non-personal data generated by their devices, if they have access to that data and an ability to produce it. However, medical device companies would not qualify as a data holder where they merely process personal electronic health data on behalf of a hospital.
Individual researchers and micro enterprises are not data holders, unless EU Member States decide differently for their territory.
2: Data sets covered by EHDS
The EHDS sets out a long list of covered electronic health data that should be made available for secondary use under the EHDS. It includes, among others:
- electronic health records;
- human genetic data;
- biobanks;
- data from wellness applications;
- clinical trial data – though according to the recitals, this only applies when the trial has ended;
- medical device data;
- data from registries; and
- data from research cohorts and surveys, after the first publication of the results – a qualifier that does not seem to apply for clinical trial data.
UK and Australia Agree Enhanced Cross-Border Cooperation in Online Safety and Security
On 20 February, 2024, the Governments of the UK and Australia co-signed the UK-Australia Online Safety and Security Memorandum of Understanding (“MoU”). The MoU seeks to serve as a framework for the two countries to jointly deliver concrete and coordinated online safety and security policy initiatives and outcomes to support their citizens, businesses and economies.
The MoU comes shortly after the UK Information Commissioner’s Office (“ICO”) introduced its guidance on content moderation and data protection (see our previous blog here) to complement the UK’s Online Safety Act 2023, and the commencement of the Australian online safety codes, which complement the Australian Online Safety Act 2021.
The scope of the MoU is broad, covering a range of policy areas, including: harmful online behaviour; age assurance; safety by design; online platforms; child safety; technology-facilitated gender-based violence; safety technology; online media and digital literacy; user privacy and freedom of expression; online child sexual exploitation and abuse; terrorist and violent extremist content; lawful access to data; encryption; misinformation and disinformation; and the impact of new, emerging and rapidly evolving technologies such as artificial intelligence (“AI”).
EDPB’s 2024 Coordinated Enforcement Action on the Access Right: What Can You Expect?
On February 28, the European Data Protection Board (“EDPB”) announced that EU supervisory authorities (“SAs”) will undertake a coordinated enforcement action in 2024 regarding data subjects’ right of access under the GDPR. For context, the EDPB selects a particular topic each year to serve as the focus for pan-EU coordinated…
Spotlight Series on Global AI Policy — Part III: China’s Policy Approach to Artificial Intelligence
The field of artificial intelligence (“AI”) is at a tipping point. Governments and industries are under increasing pressure to forecast and guide the evolution of a technology that promises to transform our economies and societies. In this series, our lawyers and advisors provide an overview of the policy approaches and regulatory frameworks for AI in jurisdictions around the world. Given the rapid pace of technological and policy developments in this area, the articles in this series should be viewed as snapshots in time, reflecting the current policy environment and priorities in each jurisdiction.
The following article examines the state of play in AI policy and regulation in China. The previous articles in this series covered the European Union and the United States.
On the sidelines of November’s APEC meetings in San Francisco, Presidents Joe Biden and Xi Jinping agreed that their nations should cooperate on the governance of artificial intelligence. Just weeks prior, President Xi unveiled China’s Global Artificial Intelligence Governance Initiative to world leaders, the nation’s bid to put its stamp on the global governance of AI. This announcement came a day after the Biden Administration revealed another round of restrictions on the export of advanced AI chips to China.
China is an AI superpower. Projections suggest that China’s AI market is on track to exceed US$14 billion this year, with ambitions to grow tenfold by 2030. Major Chinese tech companies have unveiled over twenty large language models (LLMs) to the public, and more than one hundred LLMs are fiercely competing in the market.
Understanding China’s capabilities and intentions in the realm of AI is crucial for policymakers in the U.S. and other countries to craft effective policies toward China, and for multinational companies to make informed business decisions. Irrespective of political differences, as an early mover in the realm of AI policy and regulation, China can serve as a repository of pioneering experiences for jurisdictions currently reflecting on their policy responses to this transformative technology.
This article aims to advance such understanding by outlining key features of China’s emerging approach toward AI.
Dutch SA Sanctions Credit Card Company for Failure to Perform Data Protection Impact Assessment
In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.
First, the Dutch SA decided that the company was required to perform a DPIA because…
EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold
EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also…