The UK Government has published its response to the consultation on its proposed reform of the UK’s data protection regime (which we have provided further information on in our previous legal update available here.) Whilst the UK Government has proposed several incremental reforms to the UK’s data protection laws that will diverge from the standards set under the European General Data Protection Regulation (“EU GDPR”), the proposals fall short of the extensive reform, or replacement, of UK GDPR previously considered.
On 25 May 2022, the European Commission published Questions and Answers for the New Standard Contractual Clauses to provide practical guidance on the use of standard contractual clauses (SCCs) and help organisations with their General Data Protection Regulation (GDPR) compliance efforts. The Commission confirmed that the Q&A document will be regularly updated.
On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule revising the restrictions on the export, reexport and transfer (in-country) of certain “cybersecurity items” used for malicious cyber activities (“final rule”). Effective immediately upon publication, the final rule amends the October 21, 2021, interim final rule that went into effect on March 7, 2022. This Legal Update provides further detail.
On 12 May 2022, the Hong Kong Privacy Commissioner for Personal Data (PCPD) issued a Guidance Note on the Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data (2022 Guidance).
The 2022 Guidance is split into three “parts”:
- Part 1 is an introduction of the 2022 Guidance and the rationale underpinning it;
- Part 2 is an explanation on the use of the Recommended Model Contractual Clauses; and
- Part 3 is the Schedule which sets out the recommended model clauses.
On May 19, 2022, the Federal Trade Commission (FTC) unanimously approved a policy statement on education technology (EdTech) and the Children’s Online Privacy Protection Act (COPPA). Characterized as part of a larger effort to “crack down on companies that illegally surveil children learning online,” the policy statement itself merely highlights pre-existing obligations under COPPA for companies that knowingly process children’s data to minimize the data collected and to employ appropriate security to protect that data.
On May 11, 2022, the Senate confirmed President Biden’s appointment of Alvaro Bedoya to fill the vacant Democratic seat on the Federal Trade Commission (FTC). Commissioner Bedoya’s confirmation gives the Democratic commissioners a voting majority on the Commission, and we expect the FTC will pursue actions previewed by Chair Lina Khan. In this Legal Update, we highlight the major areas where Commissioner Bedoya’s presence will likely make an immediate impact, including in privacy rulemaking.
The Queen’s Speech 2022 (the “Speech”), given on 10 May 2022 (available here), details the UK Government’s priorities for the year. Although its focus was primarily on the cost of living crisis and proposed economic measures, the Speech confirmed that the UK’s data protection regime will be reformed by way of the ‘Data Reform Bill’.
Businesses can expect the Data Reform Bill to have a large impact on their data protection practices and data governance.
This announcement follows the “Data: a new direction” consultation published by the UK Government in September 2021, which included proposals in five broad categories.
On May 6, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated crypto mixer Blender.io as a Specially Designated National (“SDN”), marking the first time a virtual currency mixer has been sanctioned. The move is the latest in a series of sanctions designations and enforcement actions in the virtual currency industry based on a determination of involvement in malicious cyber attacks and laundering the stolen virtual currency proceeds of illicit ransomware attacks.
Strengthening the nation’s cybersecurity has been a top priority for the Biden administration, as reflected in its collaboration with industry, regulatory actions, and the legislation it has supported in Congress, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Executive action has been a key tool in the Biden administration’s cyber policymaking toolkit. Today marks the one-year anniversary of President Biden’s ambitious and wide-ranging Executive Order on Improving the Nation’s Cybersecurity (“Cyber EO”) (which we discussed in a May 17, 2021, Legal Update).
Connecticut has become the fifth state to pass comprehensive consumer data privacy legislation. Connecticut Governor Ned Lamont signed the bill into law on May 10, 2022, and the Connecticut Data Privacy Act” (CTDPA) will take effect on July 1, 2023. This Legal Update discusses the CTDPA’s scope; compares it with the other state privacy laws in the areas of exemptions, data subject rights and data controller and processor obligations; and notes important dates and enforcement details.