Significant developments in artificial intelligence, cybersecurity and consumer privacy occurred across the globe in 2021 with the anticipation of more activity in 2022. Our roundup for the year captures some of the major legislative, regulatory and litigation updates that occurred throughout the year in China, Europe (EU), the United Kingdom (UK) and the United States (U.S.).
China’s Data Security Law (DSL) took effect on September 1, 2021, and marks China’s first comprehensive data regulatory regime, one of three key frameworks that will buttress the country’s data and cybersecurity governance. With the broad extraterritorial reach of the DSL, international companies that collect data and do business in and with China now have a new set of data rules by which to play.
In November 2021, the European Data Protection Board (EDPB) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (GDPR) and the provisions on international transfers outlined in Chapter V GDPR (“Guidance”). The Guidance aims to clarify various international data transfer questions. We have prepared an FAQ that summarizes the key points outlined in the new Guidance and provides recommendations on them.
In June 2021, the European Commission published its long-awaited Implementing Decision adopting standard contractual clauses for the transfer of personal data to third countries referred to as the new Standard Contractual Clauses, which are designed to comply with the General Data Protection Regulation (GDPR) and take into account the Schrems II judgment of the Court of Justice of the European Union.
In April 2021, the European Commission published its highly anticipated communication and proposal for a "Regulation laying down harmonised rules on artificial intelligence." The Regulation is the first legal framework anywhere in the world focused solely on AI and has striking similarities to the GDPR. If adopted as drafted, the AI Regulation would have significant consequences for many organisations that develop, sell or use AI systems, including the introduction of a new set of legal obligations and a monitoring and enforcement regime with hefty penalties for non-compliance.
In September 2021, the UK's statutory code of practice setting out standards that apply to online or connected products or services that (i) process personal data and (ii) are likely to be accessed by anyone under the age of 18 in the UK went into effect. The Age-Appropriate Design Code was issued by the Information Commissioner's Office (ICO) and is required under the UK's Data Protection Act 2018. As children's privacy continues to be one of the primary areas of concern for legislators and privacy advocates, the Code reflects a global direction of travel, with similar reforms being considered in the USA, Europe and elsewhere.
Warren v DSG Retail Ltd – Shifting the Liability Landscape in Post‐Cyberattack Litigation
In August 2021, the English High Court handed down an important judgment in Warren v DSG Retail Ltd EWHC 2168 (QB) (Warren), which casts doubt on three of the heads of claim typically pleaded in the wake of a cybersecurity breach and which could affect how these claims are brought, and funded, going forward.
A roundup of some of the major state consumer privacy regulatory and legislative activities that occurred across the U.S. in 2021, including developments in California, Colorado, Nevada, New York and Virginia.
A year-end summary of the artificial intelligence-related (AI) regulatory guidelines that have been proposed on an agency-by-agency basis in the U.S. by the U.S. Department of Commerce, the FTC, the Food and Drug Administration (FDA), the National Security Commission and Government Accountability Office (GAO) and the White House.
In September 2021, the Federal Trade Commission (FTC) announced its intent to "vigorously" enforce its 2009 Health Breach Notification Rule via a policy statement that sheds light on the Rule's scope. The policy statement includes an expanded interpretation of entities subject to the Rule and clarifies that not only does the acquisition of health data by a bad actor constitute a reportable breach but that the disclosure of it to a third-party without an individual's authorization is also a reportable breach.
In October 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced several actions focused on disrupting criminal digital finance infrastructure, including virtual currency exchanges, responsible for laundering cyberattack ransoms, and encouraging incident and ransomware payment reporting to U.S. authorities. OFAC issued an updated advisory on potential sanctions risks associated with facilitating ransomware payments.
The Bureau of Industry and Security (BIS) published a rule in October 2021 that will restrict some exports, reexports and other overseas transfers of equipment, software and technology (technical know-how) that can be used for cyberattacks or surveillance. The new rule is scheduled to come into effect on January 19, 2022.
In July 2021, the U.S. Supreme Court resolved a circuit split regarding the federal Computer Fraud and Abuse Act (CFAA), specifically weighing in on the “exceeds authorized access” provision of the statute. The CFAA subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access”.
In May 2021, the United States Court of Appeals for the Third Circuit unanimously affirmed a district court’s decision granting summary judgment for Bank of America in a Telephone Consumer Protection Act (“TCPA”) class action. The Third Circuit found that the plaintiff lacked standing because he failed to allege an injury from having received a prerecorded telemarketing call on his landline. The decision is a good reminder for companies defending against TCPA lawsuits to inquire into the plaintiff’s conduct to determine whether there has been any alleged harm, including whether the plaintiff actively solicited telemarketing calls for the purpose of initiating such suits.