CJEU Finds That Companies Must Provide Individuals with the Identity of Data Recipients When Responding to Data Access Requests

By Cédric Burton, Nikolaos Theodorakis and Michael Kern on January 27, 2023 Posted in Privacy

On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled¹ that the data subject’s right of access to personal data² requires controllers to provide the data subject with the identity of the companies that they have shared or will share data with. This is a sharp departure from current market practice since many controllers typically provide the categories of data recipients, and not their actual identity, when responding to data subjects access requests.

Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways

By Tracy Shapiro, Edward Holman, Hale Melnick, Clinton Oxford and Yeji Kim on January 12, 2023 Posted in Privacy, Regulatory

On December 21, 2022, the Colorado Attorney General’s office published an updated version of proposed draft rules (“modified draft rules”) to the Colorado Privacy Act (ColoPA), which revise the initial draft rules issued in October 2022, based on feedback received during the prior comment period.¹ Notably, the Colorado Attorney General’s office explained that it modified some of the rules to facilitate interoperability with the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). Below are our high-level takeaways, followed by more, in-depth analysis of each point.

2023 U.S. Cybersecurity Predictions

By Maneesha Mithal, Megan Kayo and Stacy Okoro on January 5, 2023 Posted in Cybersecurity, Privacy

Given that cyberattacks continue to be sophisticated and severe, and cybersecurity continues to be a top concern for regulators, consumers, business partners, and investors, companies should be proactive and devote adequate resources to their security practices and incident response. In addition to the litigation and reputational risks that companies face if they are perceived as having inadequate security practices, regulators are imposing significant fines for data breaches, increasingly calling for greater board oversight of cybersecurity and holding top officials personally liable for allegedly lax security practices. So, based on regulator activities from 2022, what are the top considerations for board members and businesses when it comes to cybersecurity in 2023?

2023 U.S. Privacy Regulatory Predictions

By Maneesha Mithal and Rebecca Weitzel on January 5, 2023 Posted in Privacy, Regulatory

The year 2023 promises to be another big year for privacy. In 2022, regulators focused on AI, dark patterns and aggressive remedies for allegedly deceptive and unfair data practices, such as disgorgement of algorithms developed through ill-gotten data, and these trends are likely to continue. Privacy professionals continue to focus on the privacy laws in five states coming into effect this year (California, Virginia, Colorado, Utah, Connecticut), while federal regulators continue to flex their muscles on privacy. Here are our top five predictions for privacy regulation in 2023:

Council of the EU Proposes Amendments to Draft AI Act

By Laura De Boel on December 22, 2022 Posted in Cybersecurity, European Union, Privacy

On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.