The UK Information Commissioner’s Office (the “ICO”) published new guidance on transfer risk assessments (“TRAs”) and a template for carrying out a TRA.

All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data subject to the UK GDPR outside the United Kingdom under the international data transfer agreement (the “IDTA”), the European Commission’s standard contractual clauses with the UK addendum (the “UK Addendum”), or binding corporate rules.

The new guidance is reportedly designed to give organisations subject to the UK GDPR a more pragmatic, risk-based approach, without requiring them to carry out new assessments if they have already followed the recommendations published by the European Data Protection Board.

Continue reading.

The European Commission’s proposal to establish a European Health Data Space (“EHDS”) aims to improve access by individuals to their health data (primary use) and facilitate the re-use of health data for societal good across the European Union (secondary use).

While the draft EHDS regulation might easily get lost in an alphabet of data-related legislative proposals coming from the European Commission, businesses operating in the health and pharma sectors should carefully consider how the EHDS might affect them.

In particular, the EHDS would introduce a new regime for the compulsory licensing of health data to third parties. Given the broad definition of health data under the proposal, businesses will need to understand what health data they hold and consider what measures they must implement to protect their intellectual property rights in that data.

Continue reading.

Ransomware attacks continue to surge from the levels seen just a few years ago, and the threat such attacks present to companies and organisations remains very real – not least because the sums involved also continue to surge. According to a recent report by software company Acronis, global ransomware damages are predicted to reach more than US$30 billion by next year, with that figure set to increase exponentially, potentially reaching the hundreds of billions of dollars a year within the next decade.

Directors and senior management therefore must not only work to prevent ransomware and other cyber attacks from happening, but be prepared if the company’s cyber defences are breached. One critical point for senior management can be boiled down to the question: to pay or not to pay?

This update highlights some of the key legal issues facing businesses that have suffered a ransomware attack with particular reference to the latest UK guidance and the relevant sanctions regimes.

Continue reading.

Technical Note No. 33/2022, published by the Brazilian Data Protection Authority (ANPD), proposes a template for a Record of Personal Data Processing Activities (ROPA) for small processing agents, whether controllers or processors.

The proposed template is under public consultation until December 4, 2022, with a definitive version expected to be published in 2023.

A ROPA is mandatory under the Brazilian General Data Protection Law (LGPD) for all processing agents, in accordance with its Article 37. However, among the various exceptions and exemptions available to small processing agents, a simplified ROPA may be adopted, as provided for in Resolution CD/ANPD No. 2/2021.

Continue reading.

The cybersecurity landscape is evolving ever more rapidly, and the threats to businesses’ critical information and assets—as well as to their bottom lines—are only increasing. Breaches continue to grow in scale and sophistication, regulators are crowding the field with an expanding and shifting array of requirements and de facto standards, and litigation remains perilous. Now, more than ever, businesses must think strategically about the cyber threats they face—whether to consumer or employee information, intellectual property or product safety—and take practical steps to address the associated legal, business and reputational risks.

Data privacy and security have gone from legal issues to business issues. They have moved from compliance to business because they are affecting revenue. In 2022, data privacy caused NASDAQ-listed companies to lose 1.4 trillion dollars in market cap. Last year, cybersecurity cost the global economy over 6 trillion dollars. If data privacy and cybersecurity represented the GDP of one country, they would amount to the third largest GDP in the world, behind the US and China. With headlines featuring data breaches and technology and privacy whistleblowers, regulators are looking to the C-Suite and the Boardroom to demonstrate leadership that will promote innovation and consumer trust.

Listen to the webcast.

Cybersecurity has become one of the biggest risks facing the financial services industry, and there has been extensive guidance and a range of initiatives from US banking regulators to help ensure the safety of institutions and the banking system. Some of the more recent regulatory requirements and other developments will have a significant impact on nonbank financial services companies, such as mortgage lenders, brokers and servicers, and other consumer financial services companies. For example, the Federal Trade Commission (FTC) has revised its Standards for Safeguarding Customer Information (FTC Safeguards Rule), and the New York Department of Financial Services (NYDFS) has issued proposed changes to its cybersecurity regulation. These two recent developments will require many nonbank financial services companies to enhance their existing cybersecurity programs to meet these heightened security standards.

Continue reading.

On October 17, 2022, the California Privacy Protection Agency (“the Agency”) announced proposed modifications to the draft regulations for the California Privacy Rights Act (CPRA) that were published on July 8, 2022. The draft regulations expanded on the text of the CPRA, setting out a number of additional requirements regarding obtaining consumer consent, supporting the exercise of consumer rights, contracting with service providers, contractors and third parties to share data, and increasing transparency in privacy notices provided to consumers.

This legal update summarizes a few key changes from the initial proposed CPRA regulations. While the CPRA regulations are still not final, the latest revisions will be valuable as businesses prepare for the CPRA’s effective date of January 1, 2023, and enforcement start date of July 1, 2023.

Continue reading.

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and of managing the associated legal risk. But developing and maintaining secure software is challenging, particularly as companies manage complex software development lifecycles, face the threat of sophisticated supply chain attacks, and rely on open source software. In this Cybersecurity Awareness Month program, our panel will explore the legal risks associated with threats to software security and the tools companies can use to mitigate these risks as they develop and maintain software. Topics will include:

  • New requirements for secure software development
  • Security threats to software development
  • Emerging best practices and market expectations
  • Internal governance of software security
  • Effective collaboration between the legal team and software developers

Sam Kaplan
Palo Alto Networks

Aaron Cooper

Maria Garzaro

View the webinar.

An omnibus federal privacy bill with significant bipartisan support is currently under congressional review and, if enacted, could dramatically increase oversight of how companies use artificial intelligence (“AI”) in their businesses.

This article discusses the bill, which, even if not enacted, provides valuable insights as to potential future regulation of AI.

Continue reading.

There has been a whirlwind of activity over the past year as states enact and implement comprehensive consumer privacy laws. Starting with the passage of the California Consumer Privacy Act (CCPA) in 2018, which became effective in 2020, the US state privacy legal landscape has continued to develop rapidly. New comprehensive privacy frameworks are set to come into effect in California, Virginia, Colorado, Utah, and Connecticut in 2023. As we described in our Legal Update “State Privacy Law Roundup: Developments in California, Virginia and Colorado,” covered businesses, privacy advocates, and other interested spectators have been (patiently) waiting for regulations to be promulgated for guidance about how these laws will be enforced. Our latest state law roundup reviews what has been happening in our “laboratories of democracy.” Thanks to some particularly active state enforcement authorities in California and Colorado, we now have draft rules and regulations that clarify, and in some ways expand, the requirements under those states’ forthcoming privacy laws. Moreover, the California Attorney General’s office (CA AG) has announced the first public settlement of an enforcement action for violations of the CCPA. This Legal Update provides an overview of these recent developments.

Continue reading.