Today, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. In particular, the UK Secretary of State for Science, Innovation, and Technology today laid new adequacy regulations before the UK Parliament to give effect to the proposed arrangement. The deal, announced “in principle” in June, is a UK extension to the EU-US Data Privacy Framework (“DPF”), finalised in July. The extension creates a UK-US data bridge, allowing organisations to transfer personal data subject to the UK General Data Protection Regulation (“UK GDPR”) to participating US organisations.
India—the fifth largest economy in the world—just passed a comprehensive privacy law. On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the “DPDP”) was approved by the president of India, adding India to the list of global powers with a comprehensive privacy law. The law is expected to come into force in June 2024. Guest author Stephen Mathias, from Kochhar & Co., provides a detailed breakdown of the DPDP.
On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of the NIST Cybersecurity Framework (CSF) 2.0 (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples. This draft makes the most significant changes to the Framework since its initial release in 2014. It follows more than a year’s worth of community feedback, with NIST issuing the first request for information on the CSF in February 2022 and a concept paper regarding potential changes in January 2023. Both drafts are open for public comment until November 4, 2023. NIST announced that it plans to publish the final version in early 2024, without releasing another version for public comment.
Oregon has joined 10 other states in enacting a comprehensive data privacy law. On July 18, 2023, Governor Tina Kotek signed the Oregon Consumer Privacy Act (the “Oregon Privacy Law”) into law. The law imposes a range of new data privacy requirements on non-exempt controllers and processors of Oregon consumer personal data. The Oregon Privacy Law goes into effect on July 1, 2024.
On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC”) issued a release, adopting final rules (the “Final Rules”) aimed at standardizing and enhancing disclosure relating to cybersecurity incidents and risk management processes. The SEC had proposed rules (the “Proposed Rules”) on March 9, 2022. The Final Rules reflect the considerable comments received on the Proposed Rules, resulting in far narrower and streamlined requirements, though still imposing significant new requirements on registrants.
On July 18, 2023, the Biden-Harris Administration announced its “U.S. Cyber Trust Mark” initiative. Under this program, the Federal Communications Commission (FCC) will establish a voluntary certification and labeling program to guide and inform consumers purchasing Internet of Things (IoT) devices such as “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.” By providing information about certain cybersecurity protections and practices, this program is ostensibly intended to help consumers evaluate the cybersecurity of devices. FCC Chair Rosenworcel has stated that this program could be up and running in late 2024 after a forthcoming public comment period.
On July 19, 2023, the Office of the National Cyber Director (ONCD) issued a request for information (RFI) on cybersecurity regulatory harmonization. The RFI is intended to be a step toward the Biden Administration’s goal, as stated in the National Cybersecurity Strategy, to “harmonize not only regulations and rules, but also assessments and audits of regulated entities.” It supports Initiative Number 1.1.1 of the Strategy’s recently released Implementation Plan: “engage non-governmental stakeholders to understand existing challenges with regulatory overlap and explore a framework for reciprocity for baseline requirements” by the first quarter of 2024.
- The EU Digital Operational Resilience Act (“DORA”) entered into force on January 16, 2023, setting forth security requirements for the network and information systems of organizations operating in the financial sector;
- Obligations under DORA are to be further detailed by Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”), aimed at harmonizing requirements and facilitating implementation;
- On June 19, 2023, the European Supervisory Authorities (“ESAs”) published the first batch of draft RTS and ITS under DORA, providing detail on certain obligations around:
- ICT security tools, policies and procedures;
- Policies on the use of third-party ICT services concerning critical or important functions;
- Criteria for the classification of ICT-related incidents; and
- Register of agreements with third-party ICT service providers.
On July 10, 2023, the European Commission (“Commission”) adopted an adequacy decision for the EU-US Data Privacy Framework (“DPF”). The DPF is the successor to the EU-US Privacy Shield, which the Court of Justice of the European Union (“CJEU”) declared invalid in 2020.
This adequacy decision reflects the Commission’s finding that the DPF offers an adequate level of protection for personal data transferred from the European Union to the United States under Article 45(1) of the General Data Protection Regulation. Moreover, the DPF entered into force upon adoption of the adequacy decision on July 10, 2023. This means that US businesses certified under the DPF no longer require a separate data transfer mechanism in order to receive personal data from the European Union.
The New York Department of Financial Services (NYDFS) has proposed revisions to its cybersecurity regulation for banks, insurance companies and other financial services companies. The proposal significantly expands requirements for covered entities, including new requirements for larger companies, expanded governance requirements, additional notice and compliance certification requirements and more.
In this one-hour webinar, members of our Cybersecurity & Data Privacy practice will help you understand the:
- Key changes from the current regulation and differences from the prior proposal after the first round of notice-and-comment
- Likely impact on companies and their compliance and cybersecurity programs
- Practical effects of the expanded notification obligations