After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version
Inside Privacy
Updates on developments in data privacy and cybersecurity
Blog Authors
Latest from Inside Privacy
Commissioner Remarks at FTC PrivacyCon 2024
The FTC convened its eighth annual privacy conference on March 6, 2024. The full transcript of the event can be found here. Both Chair Khan and Commissioner Bedoya provided remarks during the event that are likely to be considered provocative by many.…
Utah Repeals and Replaces Social Media Regulation Act
On March 7, Utah repealed and replaced its Social Media Regulation Act, which had previously been challenged in a pair of lawsuits by NetChoice and the Foundation for Individual Rights and Expression. The replacement legislation is spread across two enacted bills, SB 194 and HB 464. SB 194 contains the bulk of…
The CJEU Ruled that Supervisory Authorities Can Order the Deletion of Unlawfully Processed Personal Data
On March 14, 2024, the Court of Justice of the EU (“CJEU”) ruled that EU supervisory authorities have the (corrective) power to order data controllers who have been found to process personal data unlawfully to erase such personal data, even if the data subjects have not requested the erasure. (Case C‑46/23)…
California Privacy Protection Agency Takes Next Step on New Automated Decision-Making Regulations and Privacy Risk Assessments
At its March 8, 2024 meeting, the Board of the California Privacy Protection Agency (“CPPA”) moved, by a 3-2 vote, to advance proposed regulations addressing automated decision-making technology (“ADMT”) and risk assessments for the processing of personal information. Notably, the Board’s vote only allows staff to begin paperwork preliminary to a rulemaking; it did not…
The Cyber Resilience Act is One Step Closer to Becoming Law
Yesterday, the European Parliament approved the Cyber Resilience Act (“CRA”), which sets out cybersecurity requirements for “products with digital elements” (“PDEs”) placed on the EU market. The term PDE is defined broadly to include both hardware and software products, such as antivirus software, VPNs, smart home devices, connected toys, and wearables. The approved text is…
California Attorney General Announces Second CCPA Settlement
The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). …
FTC Returns to Bipartisan Commission with Confirmation of Two New Republican Commissioners
On Thursday, March 7, 2024, the U.S. Senate confirmed two nominees for the open seats on the Federal Trade Commission: Andrew N. Ferguson, former solicitor general of the Commonwealth of Virginia; and Melissa Holyoak, former solicitor general with the Utah Attorney General’s Office. With this confirmation of two new Republican Commissioners, the FTC is one…
UK ICO Launches a Consultation on “Consent or Pay” Business Models
On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed…
European Court Clarifies Concept of Personal Data
On March 7, 2024, the European Court of Justice (“CJEU”) rendered its judgment in an appeal against a decision of the EU General Court (C-479/22P). In the original decision, the General Court decided that the information contained in a press release by OLAF (a European anti-fraud organization) regarding fraud committed by an unnamed…