In July, we wrote about New York City’s Automated Employment Decision Tool Law (the “AEDT Law” or the “Law”), which requires employers to conduct an independent bias audit of their AI employment tools by January 1, 2023. On September 23, 2022, New York City’s Department of Consumer and Worker Protection (“DCWP”) released proposed rules (the “Proposed Rules”) that would implement…

One of the most difficult challenges for cybersecurity professionals is the increasing complexity of corporate systems. Mergers, vendor integrations, new software tools and remote work all expand the footprint of companies’ information systems, creating a larger attack surface for hackers. The adoption of artificial intelligence presents additional and, in some ways, unique cybersecurity challenges for protecting the AI models themselves…

What happened? In the wake of the Court of Justice of the European Union’s decision in Schrems II (covered here and here) and Brexit, the EU and UK respectively updated and issued new cross-border transfer clauses. The purpose of the clauses is to help legitimise the cross-border transfer of personal data to jurisdictions without “adequacy decisions,” which include the US…

On September 15, 2022, California Governor Gavin Newsom signed into law the bipartisan AB 2273, known as the California Age-Appropriate Design Code Act (“California Design Code”). The California Design Code aims to protect children online by imposing heightened obligations on any business that provides an online product, service, or feature “likely to be accessed by children.” Governor Newsom stated that…

On Thursday, September 22, at 10:00 AM ET, Debevoise’s Avi Gesser will teach the FiscalNote Executive Institute’s CLE class, “Ethical Use of AI and the Emerging Legal Landscape.”  Avi will be joined by Debevoise’s Anna Gressel, as well as Deepa Kairen, Associate General Counsel of AIG’s Innovation Legal Group. More information on the FiscalNote Executive Institute’s CLE class can be…

On August 24, 2022, the California Attorney General announced updates to its California Consumer Privacy Act’s (“CCPA”) enforcement case examples. A large number of the examples focused on compliance with the CCPA’s requirements for “sales” of personal information, including the obligation that businesses honor consumers’ use of a Global Privacy Control (“GPC”) opt-out signals. In a similar vein, the California…

Russia has enacted amendments to its Personal Data Law (the “Amendments”) that may have a significant impact on companies operating in Russia. The Amendments became effective on September 1, 2022, save for certain provisions that will become effective on March 1, 2023. This blog post addresses key aspects of the Amendments that impact multinational companies: (i) expanded extraterritorial effect; (ii) enhanced cross-border…

On August 31, 2022, the legislative session in California came to a close without any amendments that would further extend—or make permanent—existing limited exemptions under the California Consumer Privacy Act (the “CCPA”) for personal information collected from California individuals in context of recruitment and employment (“HR”) or business-to-business (“B2B”) arrangements. Unlike other state privacy laws, some of which exclude individuals…

As we noted in previous posts, on August 11, 2022, the Federal Trade Commission (“FTC”) announced its Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment on 95 questions focused on harms stemming from “commercial surveillance and lax data security practices” and whether new trade regulation rules under section 18 of the FTC Act are needed to protect people’s privacy…

On 18 July 2022, the UK government published the Data Protection and Digital Information Bill (the “Bill”), which proposes reforms to the UK’s data protection and e-privacy landscape in-line with the National Data Strategy. All companies that conduct business in the UK – whether on the ground or remotely – could be affected by the changes given the regime’s extraterritorial…