The White House recently issued guidance to government agencies for the regulation of artificial intelligence applications.

Key data protection takeaways:
  • Transparency is essential. Disclosures should be written in a format that is easy to understand.
  • What constitutes appropriate disclosure and transparency is context-specific, depending on assessments of potential harms, the magnitude of those harms, the technical state of the art, and the potential benefits of the AI application.
  • Promote the development of AI systems that are safe, secure, and operate as intended.
  • Pay particular attention to the controls in place to ensure the confidentiality, integrity, and availability of the information processed, stored, and transmitted by AI systems.
  • Consider methods for providing systemic resilience, and for preventing bad actors from exploiting AI systems.
  • Be mindful of any potential safety and security risks and vulnerabilities, as well as the risk of possible malicious deployment and use of AI applications.
  • Consider any national security implications and take actions to protect national security as appropriate.

Read the full text of the guidance.

The Consumer Privacy Protection Act (CPPA) is coming! The Canadian government has submitted a bill for the amendment of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the enactment of a new, modern privacy act.

Key provisions include:
Stronger enforcement:
  • Broad order-making powers to the Commissioner, including recommending the issuance of fines.
  • Administrative two-tiered monetary penalties of up to 3% of global revenue or $10 million or 5% of global revenue or $25 million.
Stronger protections:
  • Required disclosure of data processing in plain language
  • Right for individual to direct the transfer of their personal information from one organization to another.
  • Right to delete/right to object to processing.
  • Transparency about how automated decision-making systems like algorithms and artificial intelligence are used to make significant predictions, recommendations or decisions and the right to request an explanation.
  • Protection of deidentified information and preventing its use without an individual’s consent only to limited circumstances.

Read the full text of the legislation.

Some thoughts from the interactive ad industry on CCPA compliance from a new IAB CCPA Benchmark survey.

  • Allowing the placement of third party trackers for the purpose of advertising is likely a sale.
  • Participants down the advertising chain are sometimes “businesses,” sometimes “service providers” and sometimes “third parties.”
  • Many give CCPA rights to individuals outside California.

Deeper dive into these and other insights from the IAB CCPA Benchmark survey in this client alert.

The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone…

  • Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C).
  • Lots of emphasis on the laws of the country of transfer and pushing back on government requests.
  • Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement) provisions.
  • Requirements for transparency to the individuals.
  • Individual redress, third party beneficiary and liability as among the entities

Details in this client alert.

Brace yourselves, the post-Schrems II supplemental measures are coming!

The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data,” said EDPB chair Andrea Jelinek

The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with privacy rights.

Details in this EDPB Press Release.

Continue Reading EDPB Adopts Measures on Post-Schrems II Supplemental Data Transfer Tools

“The LGPD replicates the GDPR’s extraterritorial scope and then takes it one giant step further. The LGPD, like the GDPR, applies to processing carried out in Brazil, as well as processing related to the offering or provision of goods or services to individuals in Brazil,” writes Caitlin Fennessy for IAPP, the International Association of Privacy Professionals.

“Importantly…if your company is processing personal data related to individuals in Brazil, the LGPD ( Lei Geral de Proteção de Dados) now applies regardless of the origin of that data.”

Until the ANPD (Brazilian Data Protection Authority) takes action, “companies may be limited to two data transfer mechanisms only — specific and distinct consent and the necessity for the execution of a contract”.

“Since each of the mechanisms listed above has a close relative under the GDPR, the EU’s experience, as well as the experience of other nations that have replicated the EU model, is instructive [may].. offer insight into how the ANPD might operationalize them and the impact that could have on companies.”

Full details in this article from the IAPP.

Denmark’s Data Protection Authority Datatilsynet  has published an article emphasizing the importance of providing encrypted means for communicating personal information:

  • Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities and companies are responsible for establishing secure transmission solutions that address the identified risks to citizens — not only when they send information to citizens, but also when they collect information from citizens for the processing of a case or service.
  •  An authority or company is not responsible for the method of transmission if the citizen sends information of a confidential or sensitive nature unsolicited via an unencrypted connection, or if the citizen — despite an invitation to send the information encrypted — still uses an insecure method of transmission.

Details in this article from Datatilsynet.

The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency  and the Federal Deposit Insurance Corporation are issuing an interagency paper on Sound Practices to Strengthen Operational Resilience.

Key takeaways re: third party management
  • Identify and analyze third-party risk of critical operations and core business lines.
  • Prioritize third-party dependencies that are most significant.
  • Establish relationships with third parties through formal agreements.
  • Establish processes and benchmarks for monitoring third parties.
  • Verify that third parties have sound risk management practices and controls in place.
  • Identify risks of third parties that provide public and critical infrastructure services, such as energy and telecommunications, and develop processes to manage disruptions of these services.


a close up of text on a white background

The Gibraltar Regulatory Authority has issued helpful guidance on data protection considerations for the use of video conferencing applications (VCAs).

Key recommendations:
  1. Consider the implications of VCAs and their compliance with data protection laws to choose the one best suited to your organization’s needs.
  2. Establish appropriate technical and organizational security measures to protect personal data when using VCAs.
  3. Establish data protection policies where proportionate.
  4. Consider transparency and fairness when using VCAs, particularly if monitoring staff.
  5. Ensure staff are appropriately educated and trained so policies are effectively implemented, and staff are aware of the dangers of unexpected invitations and links.
  6. Protect calls with strong passwords.
  7. Consider using VCA tools and security features to ensure VCA sessions are secure and data protection compliant.
  8. Be wary when screen sharing to ensure open documents, browser windows or desktop backgrounds are not visible.
  9. Use the latest software versions of VCAs and take greater care when confidentiality is crucial.

Read the full report from the Gibraltar Regulatory Authority.

When it comes to entering into new agreements with non-EU providers that involve the processing of EU personal data, if in doubt – don’t, says Norway DPA Datatilsynet.

“One must be prepared for the fact that new agreements involving the illegal transfer of personal data to third countries may be considered more severely than existing agreements,” according to Norway’s Data Protection Authority.

Key takeaways from Datatilsysnet’s new Q&A on cross-border data transfers in this client alert.