On August 24, 2022, California Attorney General Rob Bonta announced a settlement with Sephora for violations of the California Consumer Privacy Act (CCPA). The action places online consumer tracking, analytics and advertising squarely in the regulatory crosshairs. “Sephora, like many online retailers, installs third-party companies’ tracking software on its website and in its app so that these third parties can monitor consumers as they shop,” the AG alleged, “. . . [and] when a company like Sephora utilizes third-party tracking technology without alerting consumers and giving them the opportunity to control their data, they deprive consumers of the ability to limit the proliferation of their data on the web.”
Year: 2022
NIST Releases New Draft of Artificial Intelligence Risk Management Framework for Comment
The National Institute of Standards and Technology (NIST) has released the second draft of its Artificial Intelligence (AI) Risk Management Framework (RMF) for comment. Comments are due by September 29, 2022.
NIST, part of the U.S. Department of Commerce, helps individuals and businesses of all sizes better understand, manage and reduce their respective “risk footprint.” Although the NIST AI RMF is a voluntary framework, it has the potential to impact legislation. NIST frameworks have previously served as basis for state and federal regulations, like the 2017 New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).
The AI RMF was designed and is intended for voluntary use to address potential risks in “the design, development, use and evaluation of AI products, services and systems.” NIST envisions the AI RMF to be a “living document” that will be updated regularly as technology and approaches to AI reliability to evolve and change over time.
Court of Justice of the European Union Recognizes Inferred Special Categories of Personal Data
On August 1, 2022, the Court of Justice of the European Union (CJEU) issued an opinion regarding a Lithuanian data protection case that may signal an expansion of interpretation of the definition of sensitive personal data under the EU’s General Data Protection Regulation (GDPR). Specifically, the CJEU found that data indirectly disclosing sexual orientation constitutes sensitive personal data.
At issue was a Lithuanian law that requires the Chief Official Ethics Commission of Lithuania to publish information about the private interests of public officials in an effort to combat corruption. In the facts underlying the case, a Lithuanian official objected to the Chief Official Ethics Commission’s online publication of his private interest information, which included his spouse’s name. The CJEU concluded that the publication of such information was prohibited by the GDPR because it was “liable to disclose indirectly the sexual orientation of a natural person,” a type of special category of personal data generally prohibited from processing under GDPR Article 9 (processing of special categories of personal data) unless certain additional conditions are satisfied such as the data subject’s explicit consent, or that processing is necessary for reasons of substantial public interest.
NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500
On July 29, 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulations, 23 NYCRR 500 (Part 500), that if adopted, would likely require numerous policy and operational changes. NYDFS sought comments to the pre-proposal through August 18, 2022. Although this amendment has been long-anticipated, the next step will be for NYDFS to formally publish the second amendment.
Effective in 2017, Part 500 was a first-of-its-kind state regulation that created mandatory cybersecurity and risk management regulations for “covered entities.” Part 500 defines Covered Entities as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
AI Regulation in the U.K. — New Government Approach
On July 18, 2022, the U.K. Government published a paper on its proposals for AI regulation “Establishing a pro-innovation approach to regulating AI” (the AI Paper). This was published alongside the Government’s AI Action Plan, the first update provided since the Government published its National AI Strategy in September 2021.
The AI Paper provides for an alternative approach to AI regulation in the U.K. when compared with the recently proposed draft legislation for AI regulation in the EU (the EU AI Act). The U.K. Government favours a more decentralised and less regimented approach: guidance, rather than legislation; sector-based, rather than cross-sector application; regulated at sector level, rather than centrally; and with a looser definition of what constitutes AI for the purposes of regulatory application. This is intended to make the U.K. an attractive environment for AI innovation, with more flexible and pragmatic regulation, although AI businesses operating in multiple sectors will potentially need to review and comply with more than one set of principles and address conflicts between them.
Continue reading “AI Regulation in the U.K. — New Government Approach”
What Is the Information Blocking Rule? – Faegre Drinker on Law and Technology Podcast
Want to better understand what the Office of the National Coordinator for Health IT’s (ONC) Information Blocking Rule (IBR) is, how it works and why we need it? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with Faegre Drinker partners Jeff Ganiban and Doriann Cain, and associate Alex Eschenroeder to discuss all things IBR.
Expected in September 2022, the final draft of the HHS Office of Inspector General’s (OIG) first IBR enforcement rule is aimed at two of the three actor types defined in the IBR: Health IT Developers of Certified Health IT and Health Information Networks / Health Information Exchanges. Under the Cures Act, each IBR violation by a Health IT Developer of Certified Health IT or Health Information Network / Health Information Exchange would be subject to penalties of up to $1 million. The expected rule will establish how the OIG intends to assess and enforce these penalties. (Unfortunately, there is still no guidance on when we can expect a rule regarding the penalties that will apply to IBR violations by Health Care Providers.)