CJEU Finds That Companies Must Provide Individuals with the Identity of Data Recipients When Responding to Data Access Requests

On January 12, 2023, the Court of Justice of the European Union (CJEU) ruled1 that the data subject’s right of access to personal data2 requires controllers to provide the data subject with the identity of the companies that they have shared or will share data with. This is a sharp departure from current market practice since many controllers typically provide the categories of data recipients, and not their actual identity, when responding to data subjects access requests.

Continue Reading

Colorado Attorney General’s Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways

On December 21, 2022, the Colorado Attorney General’s office published an updated version of proposed draft rules (“modified draft rules”) to the Colorado Privacy Act (ColoPA), which revise the initial draft rules issued in October 2022, based on feedback received during the prior comment period.1 Notably, the Colorado Attorney General’s office explained that it modified some of the rules to facilitate interoperability with the California Consumer Privacy Act (CCPA) as modified by the California Privacy Rights Act (CPRA). Below are our high-level takeaways, followed by more, in-depth analysis of each point.

Continue Reading

2023 U.S. Cybersecurity Predictions

Given that cyberattacks continue to be sophisticated and severe, and cybersecurity continues to be a top concern for regulators, consumers, business partners, and investors, companies should be proactive and devote adequate resources to their security practices and incident response. In addition to the litigation and reputational risks that companies face if they are perceived as having inadequate security practices, regulators are imposing significant fines for data breaches, increasingly calling for greater board oversight of cybersecurity and holding top officials personally liable for allegedly lax security practices. So, based on regulator activities from 2022, what are the top considerations for board members and businesses when it comes to cybersecurity in 2023?

Continue Reading

2023 U.S. Privacy Regulatory Predictions

The year 2023 promises to be another big year for privacy. In 2022, regulators focused on AIdark patterns and aggressive remedies for allegedly deceptive and unfair data practices, such as disgorgement of algorithms developed through ill-gotten data, and these trends are likely to continue. Privacy professionals continue to focus on the privacy laws in five states coming into effect this year (California, Virginia, Colorado, Utah, Connecticut), while federal regulators continue to flex their muscles on privacy. Here are our top five predictions for privacy regulation in 2023:

Continue Reading

Council of the EU Proposes Amendments to Draft AI Act

On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.

Continue Reading

New Draft Guidance on Binding Corporate Rules for Controllers

On November 15, 2022, the European Data Protection Board (EDPB) adopted draft recommendations (here) for data controllers when applying for approval of their binding corporate rules for international data transfers (Recommendations). Continue Reading


We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree