2021 Roundup: Global Artificial Intelligence, Cybersecurity & Privacy Developments

December.17.2021

Significant developments in artificial intelligence, cybersecurity and consumer privacy occurred across the globe in 2021 with the anticipation of more activity in 2022. Our roundup for the year captures some of the major legislative, regulatory and litigation updates that occurred throughout the year in China, Europe (EU), the United Kingdom (UK) and the United States (U.S.).

China
Europe-Wide
United Kingdom (UK)
United States (U.S.)

China

China’s New Data Security Law: What International Companies Need to Know

China’s Data Security Law (DSL) took effect on September 1, 2021, and marks China’s first comprehensive data regulatory regime, one of three key frameworks that will buttress the country’s data and cybersecurity governance. With the broad extraterritorial reach of the DSL, international companies that collect data and do business in and with China now have a new set of data rules by which to play.

Europe-Wide (EU)

6 Key Things to Know about the New European Data Protection Board (EDPB) Guidance on International Data Transfers

In November 2021, the European Data Protection Board (EDPB) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (GDPR) and the provisions on international transfers outlined in Chapter V GDPR (“Guidance”). The Guidance aims to clarify various international data transfer questions. We have prepared a FAQs that summarizes and provides recommendations for the key points outlined in the new Guidance.

7 Key Things to Know About Europe’s New Standard Contractual Clauses (SCCs

In June 2021, the European Commission published its long-awaited Implementing Decision adopting standard contractual clauses for the transfer of personal data to third countries referred to as the new Standard Contractual Clauses, which are designed to comply with the General Data Protection Regulation (GDPR) and take into account the Schrems II judgment of the Court of Justice of the European Union.

Whether You Like it or Not, Cookies are Back on the Menu and UK and EU Data Protection Authorities are Taking Enforcement Action

The French data protection authority, La Commission nationale de l’informatique et des libertés (CNIL), one of Europe's most active data protection regulators, continued to focus on the lawfulness of the use of cookies to collect and process personal data in 2021. The CNIL has made clear that cookie compliance is one of its enforcement priorities, as well as the security of websites and the security of health data.

The New EU Approach to the Regulation of Artificial Intelligence (AI)

In April 2021, the European Commission published its highly-anticipated communication and proposal for a "Regulation laying down harmonised rules on artificial intelligence." The Regulation is the first ever legal framework, globally, focused solely on AI and has striking similarities to the GDPR. If adopted as drafted, the AI Regulation would have significant consequences for many organisations who develop, sell or use AI systems, including the introduction of a new set of legal obligations and a monitoring and enforcement regime with hefty penalties for non-compliance.

United Kingdom (UK)

The United Kingdom's Age-Appropriate Design Code in Effect

In September 2021, the UK's statutory code of practice setting out standards which will apply to online or connected products or services that (i) process personal data and (ii) are likely to be accessed by anyone under the age of 18 in the UK, went into effect. The Age-Appropriate Design Code was issued by the Information Commissioner's Office (ICO) and required under the UK's Data Protection Act 2018. As children's privacy continues to be one of the primary areas of concerns for legislators and privacy advocates, the Code reflects a global direction of travel with similar reforms being considered in the USA, Europe and globally.

Warren v DSG Retail Ltd – Shifting the Liability Landscape in Post‐Cyberattack Litigation

In August 2021, the English High Court handed down an important judgment in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (Warren) which casts doubt on three of the potential heads of claim typically pleaded in the wake of a cybersecurity breach and which could impact on how these claims are brought, and funded, going forward.

United States (U.S.)

2021 Roundup: United States (U.S.) State Consumer Privacy Developments

A roundup of some of the major state consumer privacy regulatory and legislative activities that occurred across the U.S. in 2021, including developments in California, Colorado, Nevada, New York and Virginia.

U.S. Artificial Intelligence (AI) Regulation Takes Shape

A year-end summary of the artificial intelligence-related (AI) regulatory guidelines that have been proposed on an agency-by-agency basis in the U.S. by the U.S. Department of Commerce, the FTC, the Food and Drug Administration (FDA), the National Security Commission and Government Accountability Office (GAO) and the White House.

Playtime is Over for Apps Collecting Health‐Related Data – Federal Trade Commission Announces Intent to Enforce Health Breach Rule

In September 2021, the Federal Trade Commission (FTC) announced its intent to "vigorously" enforce its 2009 Health Breach Notification Rule via a policy statement that sheds light on the Rule's scope. The policy statement includes an expanded interpretation of entities subject to the Rule and clarifies that not only does the acquisition of health data by a bad actor constitute a reportable breach but that the disclosure of it to a third-party without an individual's authorization is also a reportable breach.

Treasury Actions to Counter Ransomware

In October 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced several actions focused on disrupting criminal digital finance infrastructure, including virtual currency exchanges, responsible for laundering cyberattack ransoms, and encouraging incident and ransomware payment reporting to U.S. authorities. OFAC issued an updated advisory on potential sanctions risks associated with facilitating ransomware payments.

U.S. Department of Commerce's Bureau of Industry and Security (BIS) Finalizes the Rule Covering Cybersecurity Activities

BIS published a rule in October 2021 that will restrict some exports, reexports, and other overseas transfers of equipment, software, and technology (technical know-how) that can be used for cyberattacks or surveillance. The new rule is scheduled to come into effect on January 19, 2022.

Supreme Court Narrows Scope of the Computer Fraud and Abuse Act

In July 2021, the U.S. Supreme Court resolved a circuit split regarding the federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the statute. The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access”.

Third Circuit Affirms Summary Judgment for TCPA Defendant for Lack of Harm

In May 2021, the United States Court of Appeals for the Third Circuit unanimously affirmed a district court’s decision granting summary judgment for Bank of America in a Telephone Consumer Protection Act (“TCPA”) class action case. The Third Circuit found that Plaintiff lacked standing because he failed to allege an injury from having received a prerecorded telemarketing call on his landline. The decision is a good reminder for companies defending against TCPA lawsuits to inquire into the plaintiff’s conduct to determine if there has been any alleged harm, including whether the plaintiff actively solicited telemarketing calls for purposes of initiating such suits.

Authors

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Xiang Wang Partner, Intellectual Property, Cyber, Privacy & Data Innovation

Beijing; New York; Shanghai

See my bio

D:+86 10 8595 5600
E: [email protected]

Practice:

Technology & Innovation Sector
Intellectual Property
Cyber, Privacy & Data Innovation
Mass Torts & Product Liability
Trade Secrets Litigation
IP Counseling & Due Diligence
Patents
Antitrust & Competition
International Trade and Investment
White Collar, Investigations, Securities Litigation & Compliance
Employment Law & Litigation
Trademark, Copyright & Media
Automotive Technology & Mobility
China

vCard

See full bio

Xiang Wang Partner

Beijing; New York; Shanghai

Xiang is a Guiding Expert of the China Overseas IP Dispute Response & Guidance Center.

He also serves several consultancy roles for local regulatory authorities, including as IP Guiding Expert of Shenzhen IP Protection Center; IP Guiding Expect of Zhejiang Province IP Protection Center; IP Consultant of Technology Innovation Bureau of Nanjing Jiangbei New Area Management Committee (Jiangsu Province); Expert of IP Dispute Investigation and Appraisal of Foshan Market Supervision and Administration Bureau (Guangdong Province); and Expert for Overseas IP Protection and Assistance of Foshan Intellectual Property Bureau (Guangdong Province).

Xiang has extensive experience in assisting local and foreign-based multinational companies with all aspects of their IP rights in the U.S. and China, including IP litigation and arbitration, patent infringement, industrial espionage, trade secret misappropriation, copyright and trademark infringement, ITC Sec. 337 investigations, patent office proceedings including inter partes reviews (IPR), IP due diligence and portfolio counseling, technology export control, mass torts and product liability, securities litigation, the Foreign Corrupt Practices Act (FCPA) and other investigations and compliance. These matters have implicated a vast array of technologies, from software and electronics to renewable energy and medical devices as well as agricultural and building materials, to name just a few.

Xiang also works extensively on cybersecurity investigations and data privacy compliance matters for both Chinese and international clients.

Xiang has been particularly active in Chinese state-owned enterprises related U.S. litigation. Clients turn to his strategic and innovative advice thanks to his in-depth understanding of their business needs and political risks. Clients appreciate that he “understood the environment in the China legal system and can give nuanced advice”.

Xiang has developed the region’s premier IP practice based on his reputation as one of the few IP lawyers who has a doctorate in electrical and computer engineering, a Juris Doctor, a Chinese Certificate of Laws, and admission to practice law in New York, Indiana and before the U.S. Patent and Trademark Office. Due to its success in patent disputes in the United States and China, involving both foreign and Chinese companies, Orrick IP team was exclusively featured in a documentary film “Patent Wars” by the China Central Television (CCTV).

Xiang is highly regarded for his practical legal advice that results from more than ten years of experience at medical and electronic device businesses before becoming a lawyer. He also has received four U.S. medical-technology patents in his name.

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.