2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.
U.S. Regulators Crack Down on Tracking Technologies and Health Data
Early in the year, regulators continued to signal increased focus on the use of tracking technologies in the context of health-related websites and applications. Following the HHS OCR policy Bulletin on the use of trackers in compliance with HIPAA, the FTC jumped into the fray, announcing the settlement of enforcement actions against GoodRx, Premom and BetterHelp for sharing health data with third parties via tracking technologies, resulting in a breach of Personal Health Records under the HBNR. In July, OCR and the FTC sent a joint letter to 130 hospital systems and telehealth providers to caution them regarding the risks of using tracking technologies on websites and mobile applications. That same month, some of the provisions of the Washington My Health My Data Act (“MHMDA”) went into effect. With many operative provisions of MHMDA going into effect in 2024, and new consumer health data laws in Nevada (effective March 31, 2024) and Connecticut (effective July 1, 2023 but subject to a right to cure until December 31, 2024), and to a lesser degree New York (restriction on geofencing of healthcare facilities), you can be sure this will be a space to watch in 2024. You can read our post regarding the implications of these developments here.
Contracting for Personal Data Processing Services Becomes More Complex in the U.S., but DPF Makes Exports to the U.S. Easier
With a cascade of new state comprehensive privacy laws going into effect in 2023 and 2024, the requirements for contracts with vendors that process personal data have become increasingly complex. With data protection law evolving at such a rapid rate, how can companies keep up? We analyzed the increasing complexity of ensuring that appropriate data protection terms are included in your data protection addenda and provided practical tips in our post here. Notwithstanding the compliance difficulties facing U.S. organizations, companies received a reprieve in the form of the newly approved EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework and UK Extension to the EU-U.S. Data Privacy Framework (“DPF”). Like Privacy Shield before it (and Safe Harbor before that), the Frameworks enable certifying organizations to freely transfer EU, UK or Swiss personal data to the United States as if such transfers were occurring to a jurisdiction deemed “adequate” by the European Commission with respect to the level of protection accorded to personal data. Such transfers may be made without the need to conduct a transfer risk assessment or to use additional safeguards, such as the Standard Contractual Clauses. You can read our blog post regarding approval of the DPF here.
UK Data Protection Law in Flux
On 8 March 2023 the UK government heralded its new Data Protection and Digital Information (No 2) Bill (the Bill) as a “new common-sense-led version of the EU’s GDPR” that would “save the UK economy more than £4 billion over the next 10 years and ensure that privacy and data protection are securely protected”. The Bill has fueled concerns that UK divergence from the EU’s GDPR would put the EU-UK adequacy decision at risk. The Bill also includes an obligation on (i) public sector bodies and (ii) organizations whose processing of personal data is likely to result in a “high risk” to the rights and freedoms of individuals to appoint a “Senior Responsible Individual” (SRI). For a discussion of the Bill click here. For a discussion of the responsibilities of an SRI click here.
In addition to the proposed changes to UK law, the UK government published an adequacy decision to the EU-U.S. DPF. The UK DPF Extension will permit organizations that certify to the EU Framework to include the UK Extension, enabling free transfers between the UK and certified organizations. For additional analysis of the UK Extension to the EU-U.S. DPF, read our blog post here.
Laws Designed to Protect Children and Other Minors Gain Prevalence
Following on the heels of the California Age Appropriate Design Code Act (“CA AADCA”), which is facing a constitutional challenge and is currently enjoined (appeal pending), various laws were passed in 2023 designed to protect the privacy of children and teens online. If the injunction in the CA AADCA challenge is overturned on appeal, the act goes into effect on July 1, 2024 and will impose a range of requirements and restrictions on online businesses that offer services, products or features likely to be accessed by minors (under 18). Modeled after the United Kingdom’s Age Appropriate Design Code, the CA AADCA mandates that companies consider the best interests of minor children when designing, developing and providing services, products or features that minors are likely to access, while at the same time requiring companies to “prioritize the privacy, safety, and well-being of children” in the event a conflict arises between the company’s commercial interests and the best interests of minors. This includes a requirement to conduct data protection impact assessments and a myriad of privacy protection requirements if the service serves minors. Violations of the CA AADCA would subject companies to civil penalties per affected child of up to $2,500 for negligent violations and up to $7,500 for intentional violations.
On March 23, 2023, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox. It becomes fully effective on March 1, 2024 if a motion to enjoin it, pending in a constitutional challenge, is not successful. The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform. The SMRA went into effect on May 3, 2023, with numerous compliance requirements and prohibitions (such as age verification, parental consent, parental rights, advertising prohibition, etc.) for social media platforms coming into force beginning March 1, 2024. For an analysis of the law’s requirements click here. Louisiana passed a very similar law that will go into effect July 1, 2024 if it is not enjoined in a pending constitutional challenge.
In April, Arkansas followed Utah’s lead, enacting the Social Media Safety Act (effective September 1, 2023). Texas passed the Securing Children Online through Parental Empowerment Act in June (effective September 1, 2024), also addressing minors and social media. Also, last summer Connecticut amended its Data Privacy Act to require additional protections for children and other minors; the amendments become effective October 1, 2024. Known as SB 3, these amendments are inspired by the CA AADCA and similarly require data practice assessments and enhanced privacy protections for minors.
Data Privacy Assessments Become an Increasingly Common Privacy Law Requirement
Following the lead of Europe, several U.S. consumer privacy laws and regulations were enacted or went into effect this year requiring companies to conduct and document formal assessments of certain personal data processing activities. Virginia, Connecticut, Colorado, Indiana and Tennessee’s laws have assessment requirements, whereas Utah and Iowa’s privacy laws contain no requirements on this subject. The CCPA will also require data privacy assessments and cybersecurity audits when draft regulations currently under consideration by the California Privacy Protection Agency (“CPPA”) are adopted. A current discussion draft contemplates C-suite and Board-level involvement and the filing of abridged summaries with the CPPA. In addition, other privacy laws may also apply and obligate assessments, including the California Age-Appropriate Design Code Act and New York City’s Local Law 144. You can read our analysis of the assessment requirements under these laws here.
Spanish Data Protection Laws Amended
The Spanish data protection and e-commerce legislation was amended in May. The amended law redefines the nature of the process for issuing reprimands to data controllers and processors (so that reprimands are removed from the list of sanctions resulting from infringement of the regulations). Additionally, the amendments relax the rules governing the Spanish authority’s investigation procedure, simplify the complaint process and adjust the standards for infringements and sanctions. Click here for our analysis of the impact of these amendments.
China Issues Guidelines and Regulations Regarding Cross-Border Transfers
On May 30th, the Cyberspace Administration of China (CAC) issued details of the format for filing with the government the documentation required to export Personal Information collected in China. This guide supplements the requirements set forth in regulations issued in February of this year, which came into effect on June 1, 2023. Then, on September 28, 2023, the CAC proposed draft regulations, the Regulations on Regulating and Facilitating Cross-border Data Flow (Draft Regulations), and sought public comment. If adopted, they will significantly reduce the restrictions on cross-border data transfers from China. This regulation represents a material effort by China to improve free data flows and an implementation of the “whitelist” mentioned under the 24 provisions for attracting foreign investment published in August 2023. To read more about export DPIA requirements click here, and to read more about the proposed Regulations on Regulating and Facilitating Cross-border Data Flow click here.
AI Becomes the Technology Hot Topic of the Year
Artificial Intelligence technologies experienced a breakout year in 2023. As a result, various legislators and regulators issued guidelines or regulations regarding AI in an effort to address concerns relating to this groundbreaking technology. In February, NIST issued Guidelines on AI Governance, a voluntary framework for use by organizations to address risks in the design, development, use and evaluation of AI products. You can read our analysis of the NIST AI Risk Management Framework here.
In June, the Italian Supervisory Authority, Garante, issued an order temporarily banning OpenAI from use within Italy, citing doubts that the company could lawfully collect and process Italian personal data consistent with the transparency and fair processing requirements in several GDPR Articles. We discuss Garante’s order here. China’s Cyberspace Administration issued comprehensive provisional measures governing the development and use of generative AI in September. The rules apply to the use of generative AI services provided to the public, and not to the internal use of generative AI by a company or research institution. You can read our analysis of the provisional measures here.
October was a particularly busy month for AI-related legal developments. That month, Singapore and the U.S. published an interoperable AI Governance Framework, which maps Singapore’s AI Verify to the U.S. NIST AI Risk Management Framework. You can read about the AI Governance Framework here. Also in October, the White House published an Artificial Intelligence Executive Order, creating a framework designed to ensure responsible innovation and use of the technology. The G-7 also issued Principles and a Voluntary Code of Conduct in October. The Principles and Code of Conduct were designed to guide the responsible development of AI systems while fostering innovation. You can read our analysis of the Executive Order and the G7 Principles and Voluntary Code of Conduct here.
In December, the European Union reached a political agreement regarding the sweeping AI Act, which would regulate covered AI systems. Under the draft AI Act, certain systems would be regulated, whereas other “high risk” uses would be banned. A paper published by OpenAI, the developer of ChatGPT, explored the various safety, privacy and cybersecurity concerns that their AI tool creates, as well as the actions they have taken to mitigate the potential harms. Among the concerns identified was the anomalous issue of AI “hallucinations.” Although some solutions are proposed, many challenges remain, highlighting the need to ensure that any business deployment of ChatGPT or other generative AI services comes with adequate controls over data preparation, prompts and the screening of ChatGPT’s responses. To read the discussion of the concerns raised in the OpenAI paper click here.
New Asian Privacy Laws Adopted
On 11 August 2023, after close to a decade since its initial conception, India’s Digital Personal Data Protection Act (Act) received presidential assent, formalizing the nation’s first ever comprehensive data protection law. The Act applies to digital personal data, including non-digital data that is subsequently digitized. While enactment of the Act is certainly a monumental step for a nation with a population of 1.43 billion people, it is also expected that further regulations and guidance will be issued to provide clarity and certainty over specific aspects of the law. To read more about the new law’s requirements, click here.
On April 17, 2023, Vietnam issued its long-awaited, first-ever comprehensive data privacy law, Decree No. 13/2023/ND on the Protection of Personal Data (Decree). The Decree took effect on July 1, 2023, without any transition period. All Vietnamese and foreign businesses located in Vietnam or carrying out data processing activities in Vietnam must comply with the Decree. Suffice it to say, as this is the republic’s first comprehensive privacy law and will apply to all manner of personal data processing in Vietnam, the Decree will undoubtedly have considerable and wide-reaching implications for companies that have operations or a business presence in Vietnam. For more information about the Decree click here.