Privacy & Information Security Law Blog

On April 27, 2023, Washington adopted the My Health My Data Act (“WMHMDA”). Most of the law’s provisions are not effective until March 31, 2024 (or June 30, 2024 for small businesses). The law’s geofencing prohibition, however, is set to take effect on July 23, 2023. The prohibition is part of stringent requirements that Washington added when it became the first state to enact a comprehensive consumer health information privacy law in the United States.

On June 19, 2023, the UK Information Commissioner’s Office (“ICO”) recommended that organizations start using privacy enhancing technologies (“PETs”) to share personal information safely, securely and anonymously. The ICO also has issued new guidance on PETs which is aimed at those using large data sets in finance, healthcare, money laundering and cybercrime. The guidance contains information on how PETs can be used to help organizations with data protection compliance and technical detail on the different types of PETs currently available.

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.

On June 30, 2023, the European Data Protection Board (“EDPB”) published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (the “Recommendations”), which were adopted on June 20, 2023. Binding corporate rules (“BCRs”) are a mechanism for transferring personal data to third countries in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), and must be approved by the relevant organization’s lead supervisory authority. BCRs create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCRs, a level of protection essentially equivalent to that provided by the GDPR.

On July 3, 2023, U.S. Secretary of Commerce Gina Raimondo issued a statement confirming that the U.S. has fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (the “Framework”). In the statement, it was confirmed that the EU, Iceland, Liechtenstein and Norway, have been designated as “qualifying states” for purposes of implementing the redress mechanism established under Executive Order 14086, such designation to be become effective upon the adoption of an adequacy decision by the EU for the Framework. Further, according to the statement, the Office of the Director of National Intelligence has confirmed that the U.S. Intelligence Community has adopted its policies and procedures pursuant to Executive Order 14086.

On June 27, 2023, the Council and the European Parliament reached a Political Agreement (“Political Agreement”) on the Proposal for a Regulation on harmonized rules on fair access to and use of data (the “Data Act”). The Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

On June 26, 2023, the Centre for Information Policy Leadership (CIPL) published the third edition of its Frequently Asked Questions on Cross-Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP (FAQs).

On June 29, 2023, the Superior Court of California for the County of Sacramento issued a Tentative Ruling providing for a postponement of enforcement of final CPRA regulations for 12 months after the regulations were finalized (i.e., March 29, 2024). Tentative Rulings are posted by a court the day before a writ or motion is noticed for a hearing and state how the court intends to rule on the motion based on the papers filed by the parties. The ruling may change based on oral argument.  The hearing on the Petition for Writ of Mandate for the CPRA regulations was noticed for June 30, 2023 at ...

On June 28, 2023, Louisiana Governor John Bel Edwards signed into law H.B. 61, which requires interactive computer services to get parental consent (or consent from a legal representative of a minor) to enter into a contract or other agreement, including the creation of an online account, with minors younger than 18 years of age. The Act comes after similar laws enacted in Texas, Utah and Arkansas. H.B. 61 will take effect on August 1, 2024. 

On June 2 and June 5, 2023, the Connecticut and Nevada state legislatures, respectively, voted in favor of sending legislation to their governors for signature that would impose restrictions, among others, on the processing of consumer health data, including geofencing provisions.  Nevada S.B. 370 was signed by Nevada Governor Joe Lombardo on June 16, 2023. These bills contain provisions similar to Washington’s My Health My Data Act and expand on protections in the Health Insurance Portability and Accountability Act of 1996 and other privacy laws.