U.S. state privacy continues to be at the forefront of legislative and policymaking activity. Although states continue to pass comprehensive privacy laws in 2023, Washington’s My Health My Data Act (“MHMDA”) deserves closer attention due to its breadth as well as its novel—and potentially onerous—provisions. This post highlights key aspects of the MHMDA with a focus on net-new provisions that…

On July 10, 2023, the European Commission adopted with immediate effect an adequacy decision for the EU-U.S. Data Privacy Framework (the “DPF”). The decision enables businesses in Europe to transfer personal data to DPF-certified U.S. businesses without having to implement additional data protection safeguards. In this Debevoise Data Blog post, we explain the DPF’s scope and operation, discuss implications for…

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities,…

On July 14, 2023, California Attorney General Rob Bonta announced a California Consumer Privacy Act (“CCPA”) enforcement sweep focused on large California employers’ compliance with the CCPA’s requirements applicable to the personal information of employees and job applicants. This is a clear signal that the Attorney General will not wait to pursue enforcement of these provisions, even though the California…

The proliferation of AI tools and rapid pace of AI adoption have led to calls for new regulation at all levels. President Biden recently said “[w]e need to manage the risks [of AI] to our society, to our economy, and our national security.” The Senate Judiciary Subcommittee on Privacy, Technology and the Law recently held a hearing on “Rules for…