Key takeaways this October include: Facial Recognition: Businesses face continued challenges in establishing GDPR-compliant facial recognition technology, including those with no presence in the EEA, after the French CNIL fined Clearview AI €20 million for “intrusive and massive” data processing without consent or a valid legitimate interest, among other failings; Digital Services Act: The EU’s adoption of the Digital Services…

On 24 October 2022, the UK Information Commissioner’s Office (“ICO”) fined Interserve Group Limited £4.4 million for failing to implement appropriate technical and organisational measures to safeguard 113,000 individuals’ personal data in company HR databases. Here we outline what went wrong and lessons for businesses about how to manage the risk of similar incidents and regulatory enforcement action. What happened?…

On October 4, 2022, the White House released the Blueprint for an AI Bill of Rights (the “Blueprint”), which provides non-binding “principles” for organizations in both the public and private sectors to use when developing or deploying artificial intelligence (“AI”) or other automated systems. The Blueprint does not include many new ideas for AI compliance. Instead, it represents a collection…

On September 28, 2022, the European Commission released a proposal to change the legal landscape for companies developing and implementing artificial intelligence in EU Member States. This AI Liability Directive would require Member States to implement rules that would significantly lower evidentiary hurdles for victims injured by AI-related products or services to bring civil liability claims. Most importantly, the Directive…

On October 7, 2022, U.S. President Biden signed Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”). The administrative Order creates new protections applicable to cross-border data sharing through a phased implementation process and is the latest step toward establishing a new data privacy framework intended to permit the free flow of data from the…

There has been significant regulatory attention recently to “dark patterns,” including FTC guidance, state privacy laws, and state and federal enforcement actions. Some of this activity involves new regulations, and some is based on decades-old consumer protection laws that prohibit unfair and deceptive practices. There is no single definition for “dark patterns,” but the term generally refers to user interfaces…

European Data Protection Roundup – September 2022

Key takeaways this September include: Google Analytics: Continue to assess carefully the use of Google Analytics. The Danish Data Protection Agency became the latest supervisory authority to suggest that the cross-border transfers involved in the use of Google Analytics in the European Union, without more, violate the GDPR; Data Transfers: Regulators are…

On September 20, 2022, the SEC announced settled charges and the imposition of a $35 million penalty against a dually registered investment adviser and broker-dealer (the “Firm”) for violations of Regulation S-P (“Reg S-P”). The SEC found that the Firm violated Reg S-P’s requirements for registrants to adopt written policies and procedures to safeguard customer records and information (the “Safeguards Rule”)…

On Thursday, September 16, 2022, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) published a report (the “Report”) detailing the regulatory risks of Buy Now, Pay Later (“BNPL”) products in response to last December’s market monitoring orders to five BNPL companies. BNPL generally refers to a credit product offered by a third-party institution that enables consumers to split the…

As we wrote in previous posts, on August 11, 2022, the Federal Trade Commission (the “FTC”) announced its Advance Notice of Proposed Rulemaking (the “ANPR”) seeking public comment on 95 questions focused on harms stemming from “commercial surveillance and lax data security practices” and whether new trade regulation rules under section 18 of the FTC Act are needed to protect people’s privacy and information.…