Key Takeaways From the EDPB’s Draft Guidelines on Scientific Research

On April 15, 2026, the European Data Protection Board (EDPB) adopted guidelines on the processing of personal data for scientific research purposes.[1] The guidelines aim to clarify GDPR compliance requirements for scientific research involving personal data.

The concepts addressed by the EDPB are of particular relevance to companies active in life sciences, artificial intelligence (AI), and advanced technology R&D.

The guidelines are open for public consultation until June 25, 2026.

The most significant aspect of the guidelines is the EDPB’s clarification of what constitutes “genuine” scientific research. The guidelines set out six key-indicative factors to be considered alongside the nature, scope, context, and purposes of the processing. These factors appear to restrict the scope of processing that can be classified as scientific research, meaning that researchers may need to re-evaluate whether their activities genuinely qualify for the GDPR’s more flexible treatment of scientific research.

Six Factor Test to Define “Scientific Research” Under GDPR

The six key-indicative factors are as follows:[2]

  1. Methodical and systematic approach: The research activities, including formulation and testing of a hypothesis, follow a methodical and systematic approach in the relevant field, for example in accordance with a comprehensive research plan.
  2. Adherence to ethical standards: The research activities adhere to ethical standards in the relevant field, including respect for human autonomy and consent, transparency, accountability, and (human) oversight.
  3. Verifiability and transparency: The research activities aim to achieve verifiable results, with hypotheses, methods, data and conclusions open to criticism (normally through peer review), and results shared with other parties, for example by publication.
  4. Autonomy and independence: The research activities are conducted autonomously and independently, with the research team having the freedom to define research questions, identify methods, choose scientific theories, and disseminate results. The researchers have academic or scientific qualifications in the relevant field.
  5. Objectives of the research: The research activities aim to contribute to the growth of society’s general knowledge and wellbeing. This does not exclude research that may also further commercial interests, but the EDPB does suggest in one of the examples included in the guidelines that research “solely concerned with furthering […] commercial interests” would not qualify.
  6. Potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways: The research activities have the potential to contribute to existing scientific knowledge or apply existing knowledge in novel ways, and their scientific merits can be subject to assessment, review or approval by independent experts or committees.

If all six factors are met, the activities can be presumed to constitute scientific research. If not, the controller must justify and demonstrate why the activities should nonetheless qualify.

Anonymization and Pseudonymization in the Context of Scientific Research

The remainder of the guidelines address GDPR compliance more generally in the context of scientific research, including with respect to: data protection principles, lawfulness of processing, transparency, data subjects’ rights, attribution of responsibility, and appropriate safeguards.

While these sections largely restate existing principles (albeit with useful clarifications on “broad” and “dynamic” consent, including through specific examples on how organizations can navigate the tension with the principles of specificity and purpose limitation as part of their overall data protection governance structure), the EDPB’s views on data minimization merit highlighting.[3] The EDPB takes the view that, because personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”[4], anonymization should be the default approach for scientific research. Once data is truly anonymized, it falls outside the scope of the GDPR entirely, although the anonymization process itself must still comply with GDPR requirements.[5] Where research aims cannot be achieved using anonymized data, personal data should be pseudonymized.[6] Processing data that can directly identify individuals should only occur where “strictly” necessary and proportionate to the research purpose.[7] Controllers will welcome the clarity provided by the guidelines, though ongoing compliance may require updates to internal processes. The full practical implications will become clearer once the dedicated guidance on anonymization and pseudonymization is published later this year.

Data subjects must be transparently informed about whether their data is processed in identifiable or pseudonymized form, and must not be misled into believing that their data is anonymized when it is not.[8]

Other Recent EDPB Updates

In addition to adopting these guidelines, the EDPB established a dedicated “sprint team” to finalize its upcoming and much anticipated guidelines on anonymization by summer 2026.[9] The questions of when personal data qualifies as “anonymous” under the GDPR and under what circumstances personal data (including sensitive personal data) can be used to train AI models, is currently also the subject of ongoing negotiations at EU level on the Digital Omnibus Package.[10]

Finally, the EDPB adopted two opinions approving two sets of Europrivacy certification criteria as a European Data Protection Seal, simplifying the data transfer process and enhancing accountability in high-risk sectors. The first approves an updated set of criteria whose scope now includes controllers and processors established outside Europe that are subject to Article 3(2) GDPR.[11] The second recognizes Europrivacy certification criteria as a European Data Protection Seal that can be used as a transfer mechanism under Articles 42 and 46 GDPR.[12] This will allow data importers outside Europe that are not subject to the GDPR to seek Europrivacy certification for transferred data they receive.


[1] EDPB Press Release, April 16, 2026, available here.

[2] EDPB Guidelines, section 2.1.

[3] EDPB Guidelines, section 8.3.

[4] GDPR Article 5(1)(c).

[5] EDPB Guidelines, para. 156.

[6] EDPB Guidelines, paras. 157-158.

[7] EDPB Guidelines, para. 159.

[8] EDPB Guidelines, para. 164.

[9] EDPB Press Release, April 16, 2026, available here.

[10] Cleary AI and Technology Insights, “Reset or rollback: Unpacking the EU’s Digital Omnibus Package”, November 21, 2025, available here.

[11] Opinion 14/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal pursuant to Article 42(5) GDPR, adopted April 15, 2026, available here.

[12] Opinion 15/2026 on the Europrivacy certification criteria regarding their approval by the Board as European Data Protection Seal to be used as tool for transfers pursuant to Articles 42 and 46 GDPR, adopted April 15, 2026, available here.

New York’s RAISE Act vs. California’s TFAIA: What Companies Need to Know

As states continue to grapple with establishing regulatory frameworks for the most powerful artificial intelligence (“AI”) systems, New York has joined California in targeting frontier AI models with the Responsible AI Safety and Education Act (the “RAISE Act” or the “Act”).[1] Signed into law on December 19, 2025 by Governor Hochul, the Act creates a comprehensive regulatory framework for developers of the most advanced AI systems, marking New York’s entry into the vanguard of state AI safety regulation.

The final version of the Act[2] is narrower than the version passed by the legislature in June, reflecting negotiations that more closely align the Act with California’s SB 53 (the “TFAIA”), which took effect January 1, 2026. However, while the Act shares California’s focus on transparency and safety, it diverges in critical ways, particularly regarding enforcement mechanisms and reporting timelines. Additional chapter amendments (expected to be finalized in early 2026) will further align New York with California by substituting a $500 million revenue threshold for compute-cost triggers and adjusting reporting timelines, penalties and oversight mechanisms. Below, we discuss the RAISE Act’s requirements at a high level, while also flagging key distinctions from the TFAIA and anticipated revisions before the law takes effect on January 1, 2027.

Applicability Thresholds and Scope

As enacted, the RAISE Act applies to (1) frontier models with a certain compute intensity and cost and (2) large developers with aggregate compute spend.

Specifically, the RAISE Act currently defines “frontier model” as an AI model trained using greater than 10^26 computational operations with a compute cost exceeding $100 million, or a model produced through “knowledge distillation”[3], and applies to “large developers” meaning persons that have trained at least one frontier model (the compute cost of which exceeds $5 million) and spent over $100 million in aggregate compute costs training frontier models.[4]

However, significant changes are expected that will bring the RAISE Act in line with applicability thresholds set forth under TFAIA. While California’s TFAIA is likewise limited to “frontier models” using computing power greater than 10^26 operations, the TFAIA distinguishes “large frontier developers” using a revenue threshold where developers (together with affiliates) with annual gross revenues above $500 million in the preceding year face heightened obligations. The California regime thus layers a compute-based model definition with a revenue-based developer trigger, creating a narrower class of entities subject to more stringent transparency and governance documentation.

Although the RAISE Act, as signed, uses compute-cost thresholds to define covered entities, public reporting suggests that Governor Hochul has secured legislative agreement to replace those provisions with a revenue-based trigger that mirrors California’s approach. Specifically, New York policymakers have publicly signaled an intent to align the “large developer” trigger with California’s $500 million revenue threshold to materially harmonize coverage with the TFAIA, simplifying compliance for companies operating in both jurisdictions. The revisions would have the effect of narrowing applicability given that many emerging AI developers (particularly those attracting substantial venture capital to fund compute-intensive model development) may quickly exceed compute-cost thresholds while generating little or no revenue, and that international competitors operating at lower revenue levels could otherwise face disproportionate regulatory burdens under a compute-only framework.

Key Operative Requirements

The RAISE Act imposes three core obligations on large developers:

  1. Safety and Security Protocols. Before deploying a frontier model, developers must implement a written safety and security protocol similar in nature to the frontier AI framework required under the TFAIA. Specifically, the protocol must consist of documented technical and organizational protocols that (a) specify reasonable protections to reduce the risk of “critical harm”[5], (b) describe reasonable cybersecurity protections against unauthorized access to or misuse of frontier models that could lead to “critical harm”, (c) outline detailed testing procedures and assessment measures to evaluate unreasonable risk of “critical harm” (including how the frontier model could be misused or modified, how it could evade control of the large developer or user, etc.), (d) state compliance requirements with specificity to allow for confirmation of adoption and otherwise describe how the developer will comply with the Act and (e) designate senior personnel responsible for ensuring compliance. The protocol must be conspicuously posted (though the posted version may be appropriately redacted) and transmitted to the NY Attorney General and Division of Homeland Security and Emergency Services (with redactions only where required by federal law) upon request. Frontier model developers must further annually review and, where applicable, modify and republish the protocol to account for changes in model capabilities and industry best practices. Finally, developers are required to implement appropriate safeguards to prevent unreasonable risk of “critical harm” and are prohibited from deploying a frontier model if doing so would create an unreasonable risk of “critical harm” (although this last requirement is anticipated to be removed in the chapter amendments).
  2. Safety Incident Reporting. The most significant operational difference between New York’s and California’s regimes lies in incident reporting timelines. Under the RAISE Act, large developers must disclose reportable safety incidents[6] to the Division of Homeland Security and Emergency Services within 72 hours of learning of the incident, or within 72 hours of learning facts sufficient to establish a reasonable belief that a safety incident has occurred. California’s TFAIA, by contrast, requires frontier developers to report “critical safety incidents” within 15 days of discovery, with a shortened 24-hour window only for incidents posing imminent risk of death or serious physical injury. New York’s uniform 72-hour requirement thus represents a middle ground (i.e., stricter than California’s standard timeline but more flexible than the 24-hour emergency threshold).
  3. Recordkeeping. Large developers must record and retain (a) copies of their unredacted safety and security protocol, including records and dates of any updates or revisions, and (b) information on specific tests and test results with sufficient detail for third parties to replicate the testing procedure, in each case for as long as the frontier model is deployed plus 5 years.

In addition, the Act confirms that large developers violate the Act where they “knowingly make false or materially misleading statements or omissions in or regarding documents produced” under the Act and, unless removed by the chapter amendments, requires annual, independent third party compliance audits with detailed reporting that must also be conspicuously published and provided to regulatory authorities.

Enforcement

In addition to oversight by an AI office to be established within the New York Department of Financial Services, the RAISE Act grants the Attorney General authority to bring civil actions for violations of the Act. Following anticipated chapter amendments, penalties will be capped at $1 million for initial violations and $3 million for repeat offenses (substantially reduced from the $10 million and $30 million figures in the originally signed statute). The Attorney General may also pursue injunctive or declaratory relief. Critically, the Act does not establish a private right of action.

By comparison, California’s TFAIA authorizes the California Attorney General to seek civil penalties up to $1 million per violation, scaled to the severity of the offense, and also contains provisions that empower whistleblowers to bring civil actions for injunctive relief and recovery of attorneys’ fees for violations of their rights.[7]

Key Takeaways

Most businesses, including the vast majority of AI developers, will be relieved that the RAISE Act has narrow applicability. With thresholds targeting only frontier models and anticipated chapter amendments further narrowing coverage, the Act is unlikely to materially impact most organizations’ operations. However, compliance remains a moving target, and thus businesses must stay abreast of legislative developments (particularly in light of the recently issued Executive Order aimed at state AI law preemption).[8]

For the few businesses that may meet the RAISE Act’s applicability thresholds, the alignment between New York’s and California’s frameworks offers a welcome development in what is already slated to be an otherwise fragmented regulatory environment. Just as state privacy laws have created a challenging patchwork of requirements that businesses have learned to navigate, the harmonization of New York’s revenue threshold with California’s TFAIA represents a step toward more coherent multi-state compliance. However, where requirements diverge (such as New York’s stricter 72-hour incident reporting window compared to California’s 15-day standard), covered entities should draw upon the strategies and infrastructure developed through their privacy compliance programs. The same disciplined approach to documentation, risk assessment and incident response that businesses have refined while managing obligations under state privacy laws and the GDPR can be effectively adapted to address the RAISE Act’s nuanced requirements.

To prepare for compliance:

  • Prepare for Threshold Alignment: Businesses should (a) anticipate January amendments replacing New York’s compute-cost thresholds with California’s $500 million revenue standard and (b) conduct threshold analyses to determine whether they will qualify as a large frontier developer under the harmonized framework.
  • Implement Dual-Compliant Safety Protocols: While awaiting confirmation of New York’s amendments, covered entities should develop safety and security protocols that satisfy both states’ requirements, combining New York’s emphasis on pre-deployment implementation with California’s focus on annual public disclosure and risk assessment reporting.
  • Prioritize Incident Response Capabilities: New York’s 72-hour reporting window demands robust incident detection and response systems. Covered entities operating in both jurisdictions should build compliance infrastructure around the stricter New York timeline to ensure dual compliance, including by revising vendor contracts where relevant so that third-party reporting timelines leave room to meet the 72-hour deadline.
  • Account for Enforcement Risk: With penalties up to $3 million for repeat violations, New York’s RAISE Act presents potentially higher financial exposure than California’s framework. Risk management strategies should reflect this disparity, with particular attention to documentation practices and compliance verification to avoid repeat violations.

[1] A copy of the RAISE Act can be accessed here.

[2] This article reflects the RAISE Act as it will be implemented following expected chapter amendments that Governor Hochul and legislative leaders committed to enacting in January 2026, including substituting a $500 million revenue threshold for the compute-cost triggers in the enacted text, reducing enforcement penalties and establishing a Department of Financial Services oversight office.

[3] Defined in the Act as “any supervised learning technique that uses a larger artificial intelligence model or the output of a larger artificial intelligence model to train a smaller artificial intelligence model with similar or equivalent capabilities as the larger artificial intelligence model.”

[4] Notably, the Act applies to frontier models “developed, deployed or operating in whole or in part in New York State”, and exempts accredited colleges and universities conducting academic research and persons that subsequently transfer full intellectual property rights in their frontier model to a third party.

[5] The Act defines “critical harm” to mean the death or serious injury of at least 100 people or at least $1 billion of damages to rights in money or property caused or materially enabled by a large developer’s use, storage, or release of a frontier model, through either of the following: (a) the creation or use of a chemical, biological, radiological, or nuclear weapon; or (b) an AI model engaging in conduct that does both of the following: (i) acts with no meaningful human intervention; and (ii) would, if committed by a human, constitute a crime specified in the penal law that requires intent, recklessness, or gross negligence, or the solicitation or aiding and abetting of such a crime.

[6] The Act defines “safety incident” broadly to include known incidences of critical harm, autonomous model behavior, theft or unauthorized access to model weights, critical failure of technical controls or unauthorized use of a frontier model.

[7] Notably, the RAISE Act does expressly (a) prohibit large developers, or their contractors or subcontractors, from preventing an employee from disclosing or attempting to disclose information to the large developer or the NY Attorney General, if the employee has reasonable cause to believe that the large developer’s activities pose an unreasonable or substantial risk of “critical harm”, regardless of the employer’s compliance with applicable law, and (b) permit an employee to seek injunctive relief for any harms caused by retaliation for such a disclosure.

[8] For our Firm’s detailed analysis of the Executive Order, see here.

GDPR vs. the hosting defence: How wary should online platforms be of the EU Court of Justice Russmedia judgment?

CJEU ruling heralded as “landmark” GDPR judgment turns on a specific set of facts and requires careful interpretation in the post-DSA regulatory reality.

The judgment of the Court of Justice of the European Union (CJEU) in the Russmedia case is a significant ruling for online platforms. Caution is needed when making inferences from the specific facts and circumstances of that case, which involved a severe breach of privacy, the processing of sensitive personal data, and an operator of an online marketplace that the CJEU deemed a “data controller” in respect of its processing of that sensitive personal data.

Key facts and findings

The case can be traced back to August 2018, when an anonymous third party published a false advertisement on an online marketplace operated by Russmedia Digital.[1] The ad falsely and maliciously presented a woman as offering sexual services and included photographs of the woman and her personal telephone number. When contacted by the woman, Russmedia took down the ad within the hour, but at that point it had already been reproduced on other websites and the damage was done.

On these facts, the Court found that Russmedia, as operator of the online marketplace, should be qualified as a “controller” under GDPR in respect of the processing of the sensitive personal data contained in the ad and that, in that specific capacity, Russmedia should have taken the following actions, in each case “by means of appropriate technical and organisational measures” (within the meaning of GDPR), to prevent the harm caused:

  • Proactively screen ads proposed to be placed on its platform to identify ads that contain sensitive personal data (a.k.a. special categories of personal data within the meaning of Article 9 of GDPR).[2]
  • If an ad containing sensitive data is identified during the screening, perform an identity check – before publishing the ad – to verify if the advertiser is the person whose sensitive data appear in the ad.
  • If the advertiser is not the person whose sensitive data are included, refuse publication unless the advertiser can prove that the relevant person has given his or her explicit consent to the publication of the ad on the online marketplace.[3]
  • Prevent ads containing sensitive personal data from being scraped (copied) from the online marketplace and unlawfully published on other websites.[4]

The Court also held that Russmedia could not rely on the hosting liability safe harbour provisions of the e-Commerce Directive. Russmedia had successfully invoked the safe harbour before the Romanian court. The CJEU disagreed, however, and held that the application of the liability exemptions provided for by the e-Commerce Directive safe harbour in a case where a breach of GDPR was (allegedly) at issue and where – crucially – the operator in question qualified as a “controller” in relation to the processing of the sensitive personal data in question would “interfere with the GDPR regime” (at §131). Therefore, in this specific instance, Russmedia could not invoke the e-Commerce Directive hosting liability safe harbour provisions to defend against the claim for breach of its obligations as a controller under the GDPR.

Why the precedential value of the judgment should not be overstated

A number of findings of the Court require a detailed analysis and raise some challenging interpretations of the GDPR and the e-Commerce Directive. For example:

  • The Court adopted a broad interpretation of the concept of “controller” under GDPR and applied it to the very specific set of facts and circumstances of the case. The fact that Russmedia’s general terms and conditions gave it “considerable freedom to exploit the information published on [its] marketplace […] for its own advertising and commercial purposes” (at §67), in combination with the specific architecture of the online marketplace, seems to have been the determining factor. In reaching its conclusion, the Court did not clearly differentiate between the roles of the key actors during the different stages of processing of the personal data in question (e.g., the placement of the ad by the third-party advertiser vs. any subsequent processing by the marketplace operator for its own purposes).[5] This stands in stark contrast to a seemingly more measured approach taken by Advocate General (AG) Szpunar in his opinion. The AG opined that the third-party advertiser alone determined the purpose of the ad, since Russmedia had no knowledge of why the advertiser would post the ad. The AG also more clearly distinguished the role of the marketplace operator when processing sensitive personal data contained in ads from its role when processing personal data of advertisers (e.g., when creating or managing their accounts) and, on that basis, concluded that Russmedia qualified as a processor (not a controller) in relation to the processing of sensitive personal data contained in ads posted on the online marketplace.[6]
  • The Court appears to have moved very quickly from qualifying the online marketplace operator as “controller” to subsequently grounding several potentially far-reaching and highly specific ex-ante screening and due diligence obligations for data controllers processing sensitive personal data, in the much more general GDPR principles of accountability, data protection by design and by default, and data security (in particular Articles 5(2), 24, 25 and 32 of GDPR).
  • The exclusion of GDPR breaches from the hosting liability safe harbour is dealt with only briefly – almost in passing (at §§129-136) – and could have benefited from more elaborate analysis, in particular regarding the potential impact of the exclusion on the careful balance struck by the EU legislator in respect of the liability of intermediary service providers under the e-Commerce Directive.[7]

Moreover, the judgment is fundamentally predicated on several highly specific facts, which were highlighted by the Court itself:

  • The Court went out of its way to stress the particular sensitivity of the personal data in question and the severity of the consequences for the data subject (see, for example, at §§47-53 and 90-96). The judgment should be read in a context where the Court had already signalled that it would be a champion of European data protection rights in a world where the harmful effects of online harassment are becoming increasingly severe and visible. The findings of the Court should therefore not necessarily be extrapolated to apply to all types of personal data or all data processing activities subject to GDPR.
  • To come to the conclusion that Russmedia was a “joint controller” in relation to the processing of the sensitive personal data included in the harmful ad in question, the Court analysed in considerable detail the specific manner in which Russmedia operated its online marketplace. Relevant elements taken into account by the Court included – as set out above – the broad rights Russmedia reserved for itself in relation to further processing of personal data included in ads, the specific architecture of the online marketplace, as well as the fact that there appear to have been few constraints on anonymous advertisers placing potentially harmful and false ads on the online marketplace in a way that means injured parties have no recourse to, or way of identifying, such malicious third-party advertisers (see, for example, at §§69-73).
  • The Court was asked to rule on the e-Commerce Directive, which governed the underlying facts back in 2018. The hosting liability safe harbour provisions of the e-Commerce Directive have since been replaced by the Digital Services Act.[8]

The precedential value of the judgment should therefore not be overstated:

  • Other online marketplaces may be operated in a different manner, have a different architecture and content limitations, and may therefore not qualify as “controller” in relation to the processing of sensitive personal data included in ads placed on their platforms by third parties.
  • Most ads will not contain any sensitive personal data, and are therefore much less likely to cause the type of severe harm to data subjects which was at issue here. Those ads would not trigger the same requirements that the Court seems to impose on Russmedia in this specific case.
  • The e-Commerce Directive has been replaced by the DSA. Although the DSA incorporated hosting liability safe harbour provisions that mirror to a large extent the equivalent language in the e-Commerce Directive, there are some important textual differences that may provide scope for broader protection under the DSA. If the same facts as those at issue in this case were to occur today, the analysis under the DSA may be different and more nuanced.[9] Case law on the hosting liability safe harbour (even some of the other recent e-Commerce Directive rulings from the CJEU) appears to be evolving to take into account technological advancements and the practical architectural realities of today’s online marketplaces and content hosting platforms.

Practical takeaways for operators which are nevertheless impacted by the judgment

The findings of the Court were limited to general findings of law, since the judgment was in response to a request for a preliminary ruling from the Romanian court of appeal. It therefore remains to be seen how these findings will be applied by national courts and data protection authorities to specific fact patterns sufficiently similar to the ones at issue in Russmedia.

For example, the Court did not specify how operators of online marketplaces should operationalise the requirements summarised above. Several of those requirements – such as preventing ads from being scraped or pre-screening ads for sensitive personal data before they are published – indeed appear difficult to reconcile with how online marketplaces and the AdTech ecosystem operate in reality and, even if they were to operate differently, what is (and may in the future become) technically feasible at scale.

Moreover, the GDPR neither compels organisations to do the impossible nor requires absolute data protection in any and all circumstances. The GDPR allows due account to be taken of “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing” of personal data (Articles 25 and 32 of GDPR).[10] Accordingly, we expect that a key battleground will remain the issue of what measures are technically feasible and proportionate considering the “state of the art”. The Russmedia judgment still offers considerable leeway on how to ensure GDPR compliance, even for operators whose online platforms may fall within the specific scope of the judgment.


[1] See §§30 and 31 of the Judgment of December 2, 2025, Russmedia Digital and Inform Media Press, Case C-492/23, available here.

[2] The Court came to the unsurprising conclusion that the data in question qualified as special category personal data since they concerned the data subject’s sex life and sexual orientation. The fact that the data was untrue and harmful did not change that conclusion (see Judgment, § 53). There is an active debate, however, on how broadly the concept of special category personal data should be interpreted under the GDPR, including in the context of the preparation of the EU’s proposed Digital Omnibus Package (which we commented on in an earlier blog post “Reset or rollback: Unpacking the EU’s Digital Omnibus Package”).

[3] Or that another exception under Article 9(2) of GDPR is satisfied that can be relied on to justify the publication without consent, which seems rather theoretical in the context of an online marketplace such as the one operated by Russmedia as described in the Judgment.

[4] The Court held that, to this end, the operator “must consider in particular all technical measures available in the current state of technical knowledge that are apt to block the copying and reproduction of online content” (§122).

[5] The Court held that the anonymous third-party advertiser was also a “joint controller”, together with Russmedia (see Judgment, §§54-75), and clarified that “the existence of joint responsibility does not necessarily imply equal responsibility” (§63), leaving it to the national court to determine the exact extent of Russmedia’s responsibility in the case at hand. On earlier CJEU case-law adopting a comparably extensive interpretation of joint controllership, see our earlier blog post “EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond”.

[6] See §111 and following of the AG opinion of February 6, 2025, available here.

[7] For example, even though the Court held that the requirements imposed on Russmedia “cannot, in any event, be classified as […] a general monitoring obligation” prohibited by Article 15 of the e-Commerce Directive, this can certainly be debated.

[8] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act). In accordance with Article 89 of the Digital Services Act (DSA), references to Articles 12 to 15 of the e-Commerce Directive (Directive 2000/31/EC) are now to be construed as references to Articles 4, 5, 6 and 8 of the DSA.

[9] The AG also hinted at this in §160 of his opinion, by pointing to the textual differences between the e-Commerce Directive and the DSA.

[10] Even the Court admitted, in respect of the anti-scraping measures referenced above, that “the unlawful dissemination of personal data initially published online is [not] sufficient to conclude that the measures adopted by the controller concerned were not appropriate” (at §123).

Enforcement Countdown: Is DOJ Ready for the Bulk Data Rule “Grace Period” to End?

As of July 8, the U.S. Department of Justice (“DOJ”) is scheduled to begin full enforcement of its Data Security Program (“DSP”) and the recently issued Bulk Data Rule after its 90-day limited enforcement policy expires, ushering in “full compliance” requirements for U.S. companies and individuals.[1] 

Although it remains to be seen whether DOJ’s National Security Division (“NSD”) will have the necessary infrastructure and personnel in place to launch comprehensive investigations to enforce such an expansive regulatory program, companies should be wary of waiting to verify the NSD’s operational readiness.  Instead, companies should bear in mind certain considerations, discussed below, when approaching this new and uncertain enforcement frontier.

The DSP is a brand-new regulatory framework based on the Bulk Data Rule that imposes restrictions designed to prevent certain countries—China, Cuba, Iran, North Korea, Russia, and Venezuela—and covered persons from accessing Americans’ bulk sensitive personal data and U.S. government-related data.[2]  Violations of the Rule are subject to steep penalties.  Pursuant to the DSP and the International Emergency Economic Powers Act (“IEEPA”), DOJ is authorized to bring not only civil enforcement actions, but also criminal prosecutions for willful violations of the DSP’s requirements.  Civil penalties may reach up to the greater of $368,136 or twice the value of each violative transaction, while willful violations are punishable by up to 20 years imprisonment and a $1,000,000 fine.[3]

Although the DSP largely went into effect on April 8, 2025, DOJ instituted a 90-day limited enforcement period.  During this period, NSD stated it would deprioritize civil enforcement actions for companies and individuals making a “good-faith effort” to come into compliance with the DSP.  This grace period comes to an end on July 8, 2025.  As detailed below, this broad grant of investigative and enforcement authority—especially the potential for both civil and criminal liability—creates a number of potential logistical and legal challenges for DOJ.

Investigation and Enforcement Challenges

Enforcement of the DSP falls to the NSD, and more specifically to a small, specialized section named the Foreign Investment Review Section (“FIRS”).  Historically, FIRS comprised approximately 10-20 attorneys, with a niche portfolio of responsibilities that included representing DOJ on the Committee on Foreign Investment in the United States and Team Telecom.  With this portfolio, FIRS generally enjoyed a comparatively lower profile than other sections within the Department, leaving most federal prosecutors and criminal defense attorneys unfamiliar with its activities.

However, that all could change in the near future given that FIRS has been tasked with implementing and enforcing an entirely new regulatory and enforcement regime.  Going forward, FIRS – a section traditionally without litigators or a litigating function – will have both civil and criminal authority to investigate, bring enforcement actions, and prosecute violations of the Rule. 

Complications Associated with Adding Criminal Prosecutors to FIRS

The availability of criminal penalties under the DSP will require a number of changes at FIRS.  Notably, unlike other NSD sections, the scope of FIRS’s work did not previously include criminal prosecutions and instead maintained a regulatory focus.[4]

Given FIRS’s lack of experience with criminal cases, FIRS must now decide how it will staff enforcement matters going forward, including whether to hire federal prosecutors directly or to instead coordinate with U.S. Attorneys’ Offices or other sections of NSD in connection with criminal investigations and prosecutions.  It seems likely that NSD would consider staffing up FIRS in anticipation of its dual criminal and civil enforcement authority under the DSP.  But the introduction of criminal prosecutors into the same small section as civil regulators opens up potential risks in terms of parallel civil and criminal investigations:

  1. Due Process Considerations: While DOJ often conducts parallel criminal and civil investigations, such coordination is subject to limitations imposed by the Due Process Clause of the Fifth Amendment.[5]  In United States v. Kordel, the Supreme Court suggested that the Government may be found to have acted in bad faith in violation of the Fifth Amendment by bringing “a civil action solely to obtain evidence for its criminal prosecution” or by “fail[ing] to advise the defendant in its civil proceedings that it contemplates his criminal prosecution.”[6]  Lower courts have “occasionally suppressed evidence or dismissed indictments on due process grounds where the government made affirmative misrepresentations or conducted a civil investigation solely for purposes of advancing a criminal case.”[7]  In order to avoid such consequences, FIRS will have to ensure that any cooperation or coordination in parallel civil and criminal investigations of DSP violations complies with Due Process requirements.
  2. DOJ Internal Policy Limitations: In addition to Due Process requirements, internal DOJ guidance places guardrails around parallel or joint civil and criminal investigations.  Section 1-12.00 of the Justice Manual notes that “when conducted properly,” parallel investigations can “serve the best interests of law enforcement and the public.”[8]  However, the same section goes on to warn DOJ attorneys that “parallel proceedings must be handled carefully in order to avoid allegations of . . . abuse of civil process.”[9]  Section 1-12.100 addresses parallel or joint corporate investigations and similarly emphasizes that DOJ attorneys “should remain mindful of their ethical obligations not to use criminal enforcement authority unfairly to extract, or to attempt to extract, additional civil or administrative monetary payments.”[10]
  3. Maintaining the Secrecy of Rule 6(e) Grand Jury Materials: Finally, FIRS will need to implement precautions to ensure that its civil enforcement attorneys are walled off from the disclosure of materials covered by Federal Rule of Criminal Procedure 6(e).  Rule 6(e) establishes a general rule of secrecy for grand jury materials with limited exceptions.  Although Rule 6(e)(3)(A)(i) permits disclosure “to an attorney for the government for use in the performance of such attorney’s duty,” civil enforcement attorneys within FIRS could only view Rule 6(e) materials if they obtain a court order.[11]  Moreover, pursuant to DOJ guidance, even when disclosure is authorized for use in civil proceedings, it is considered a “better practice to forestall the disclosure until the criminal investigation is complete,” given the potential “danger of misuse, or the appearance thereof.”[12]  Given that none of the exceptions under Rule 6(e) appear readily applicable, criminal attorneys within FIRS will have to take particular precautions to ensure that grand jury material covered under Rule 6(e) is not disclosed to their civil colleagues.

Following July 8, as we wait to see whether FIRS initiates investigations and enforcement actions under the DSP, it will need to address the above limitations and potential pitfalls that come with parallel civil and criminal proceedings.  This will be especially important given the relatively small size of FIRS, its historic regulatory focus, and the addition of criminal prosecutors and criminal enforcement authority as it tries to administer an entirely new regulatory and enforcement regime.

Limited Investigative Resources

In addition to potential concerns associated with criminal enforcement of the DSP, there is also uncertainty about how FIRS will investigate potential violations.  Unlike traditional sanctions and export control enforcement, which relies on the Department of Treasury’s Office of Foreign Assets Control and the Department of Commerce’s Bureau of Industry and Security, respectively, it is unclear what, if any, dedicated investigative resources or interagency cooperation FIRS will have at its disposal.  While federal prosecutors typically investigate alongside agents from the Federal Bureau of Investigation and Homeland Security Investigations, such investigative resources historically were not allocated to FIRS, and it is unclear which federal investigating agency – if any – has been tasked with leading these investigations.  This raises questions about FIRS’s capacity to effectively investigate and bring enforcement actions for potential violations.

One option that could be considered is to have FIRS limit its role to civil enforcement and – to the extent it comes across potential criminal conduct – make criminal referrals to either (i) the appropriate United States Attorney’s Office, all of which have federal prosecutors who have been trained in national security investigations and have routine access to a grand jury, or (ii) NSD’s Counterintelligence and Export Control Section, which currently includes federal prosecutors that specialize in investigating criminal violations of sanctions and export control laws.

Alternatively, the Federal Trade Commission (“FTC”) could also provide investigative support regarding potential violations under the DSP given its enforcement authority under a related law: the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”).  The FTC has enforcement authority under PADFA to seek civil penalties but is first required to refer the matter to the DOJ.[13]  Given the potential overlap between the DSP and PADFA, the FTC may be particularly well-situated to investigate and refer cases of DSP violations to FIRS.

Seventh Amendment Implications: The Jarkesy Challenge

As noted above, the DOJ has broad authority to pursue both civil penalties and prosecute criminal offenses for non-compliance with the Bulk Data Rule under the DSP, but just how the DOJ plans to pursue civil penalties for violations is also unclear.  Specifically, to the extent the DOJ seeks to impose penalties in a way that implicates administrative proceedings, it is likely to face challenges following the Supreme Court’s decision in SEC v. Jarkesy.[14]  In Jarkesy, the Supreme Court held that the Seventh Amendment entitles a defendant to a jury trial when the SEC seeks civil penalties for securities fraud,[15] thereby limiting the SEC’s ability to adjudicate cases for civil penalties through its administrative proceedings.

Jarkesy’s reasoning regarding the Seventh Amendment’s application to actions seeking civil penalties could impact the DSP’s enforcement framework.[16]  Similar to the civil penalties at issue in Jarkesy, civil penalties imposed under the DSP and IEEPA serve to punish violations and deter future misconduct, rather than to compensate victims.[17]  However, unlike antifraud provisions, the DSP arguably lacks clear common law analogies, and it is possible that the DSP and IEEPA could be viewed under the “public rights” exception given the links to national security.[18]

Going forward, Jarkesy is expected to affect how other federal agencies conduct enforcement actions seeking civil penalties.  The DOJ will have to consider these implications as it decides on an enforcement framework for imposing civil penalties for DSP violations.

Conclusion

The DSP represents the U.S.’s first data localization requirement ripe for enforcement, but its implementation faces substantial practical challenges that may hinder DOJ’s ability for wide-ranging or swift action.  As companies work to ensure their activities are in compliance with the DSP and the Bulk Data Rule ahead of July 8, many are left wondering whether the DOJ will be ready to begin investigating and enforcing this Rule given its breadth and the clear potential challenges that lie ahead.  While we await DOJ’s next steps toward enforcement, companies should be prepared to document their good-faith efforts to demonstrate compliance with the DSP and the Rule to prevent early investigations and enforcement actions.  Additionally, as emphasized by the DOJ’s non-binding Compliance Guidance,[19] companies that proactively implement compliance programs will be better positioned to respond and adapt to this uncertain enforcement environment.


[1] U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Implementation and Enforcement Policy Through July 8, 2025 (Apr. 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline [hereinafter Enforcement Policy].

[2] Our prior alert memorandum on the DSP is available here, and our alert on DOJ’s 90-day limited enforcement policy of the DSP is available here.

[3] Enforcement Policy, at 1.

[4] U.S. Dep’t of Just., Nat’l Sec. Div., NSD Organizational Chart (June 16, 2023), https://www.justice.gov/nsd/national-security-division-organization-chart

[5] See, e.g., United States v. Stringer, 535 F.3d 929, 933 (9th Cir. 2008) (“There is nothing improper about the government undertaking simultaneous criminal and civil investigations.”).

[6] See United States v. Kordel, 397 U.S. 1, 11 (1970) (holding that the Government did not violate due process when it used evidence from a routine FDA civil investigation to convict defendants of criminal misbranding given that the agency made similar requests for information in 75% of civil cases and there was no suggestion the Government brought the civil case solely to obtain evidence for the criminal prosecution).

[7] Stringer, 535 F.3d at 940 (collecting cases).

[8] Justice Manual 1-12.00 – Coordination of Parallel Criminal, Civil, Regulatory, and Administrative Proceedings (May 2018), https://www.justice.gov/jm/jm-1-12000-coordination-parallel-criminal-civil-regulatory-and-administrative-proceedings

[9] Id.

[10] Justice Manual 1-12.100 – Coordination of Corporate Resolution Penalties in Parallel and/or Joint Investigations and Proceedings Arising from the Same Misconduct (May 2018), https://www.justice.gov/jm/jm-1-12000-coordination-parallel-criminal-civil-regulatory-and-administrative-proceedings

[11] See United States v. Sells Eng’g, Inc., 463 U.S. 418, 427 (1983) (rejecting the argument that all attorneys within the DOJ’s civil division are covered under (A)(i), and instead holding that “(A)(i) disclosure is limited to use by those attorneys who conduct the criminal matters to which the materials pertain”).

[12] U.S. Dep’t of Just., Crim. Resource Manual, 156. Disclosure of Matters Occurring Before the Grand Jury to Department of Justice Attorneys and Assistant United States Attorneys (Oct. 2012), https://www.justice.gov/archives/jm/criminal-resource-manual-156-disclosure-matters-occurring-grand-jury-department-justice-attys

[13] A violation of PADFA is treated as a violation of an FTC rule pursuant to 15 U.S.C. § 57a(a)(1)(B).

[14] 603 U.S. 109 (2024).

[15] Id. at 140.

[16] The Court in Jarkesy also established a two-part test for determining whether a cause of action implicates the Seventh Amendment.  First, courts must determine whether the cause of action is “legal in nature” and whether the remedy sought is traditionally obtained in courts of law.  Id. at 121–27.  If legal in nature, courts must then assess whether the “public rights” exception permits congressional assignment of adjudication to an agency.  Id. at 127–34.

[17] Id. at 121–27.

[18] Id. at 135.

[19] U.S. Dep’t of Just., Nat’l Sec. Div., Data Security Program: Compliance Guide (Apr. 11, 2025), https://www.justice.gov/opa/media/1396356/dl

CPPA Enforcement Action Against Honda Underscores Need for CCPA Compliant Privacy Practices

On March 12, the California Privacy Protection Agency (“CPPA”) announced an enforcement action against American Honda Motor Co. (“Honda”), with a $632,500 fine for violating the California Consumer Privacy Act and its implementing regulations (“CCPA”).[1]  This action, which is the CPPA’s first non-data broker action, arose in connection with the Enforcement Division’s ongoing investigative sweep of connected vehicle manufacturers and related technologies.  It serves as a cautionary tale for companies handling consumer personal information, highlighting the stringent requirements of the CCPA and the consequences of non-compliance.

Alleged CCPA Violations

In connection with its review of Honda’s data privacy practices, the CPPA’s Enforcement Division concluded that Honda violated the CCPA’s requirements by:

  1. Placing an undue burden on consumers, requiring Californians to verify their identity and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  2. Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights;
  3. Employing dark patterns, by using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way; and
  4. Sharing consumers’ personal information with ad tech companies without contracts that contain the necessary terms to protect privacy.

Below, we summarize the conduct giving rise to the alleged violations, and provide practical tips for businesses to consider for implementation.

1. Undue Burden on Requests to Opt-Out of Sale/Sharing and Requests to Limit

According to the Stipulated Final Order, Honda provided consumers with the same webform to submit all of their CCPA privacy rights requests irrespective of whether the requests required identity verification or not, in violation of the CCPA. Specifically, the CCPA distinguishes between privacy rights that permit a business to conduct prior identity verification (e.g., rights to know/access, correct and delete) and those that do not (e.g., rights to opt-out of data sales or “sharing” and to limit the use and disclosure of sensitive personal information), meaning businesses are prohibited from requiring consumers to verify their identities before actioning opt-out or limitation requests.[2] 

In reviewing Honda’s practices, the CPPA found that, by using the same webform for all privacy rights requests and in turn requiring personal information to be provided before honoring opt-out and limitation requests, Honda imposed an unlawful verification standard on California consumers.  In addition, the CPPA further found that the webform required consumers to provide more information than necessary[3] for Honda to verify requests to access, delete and change their data.  Accordingly, the CPPA found that Honda’s webform was unduly burdensome, interfering with the ability of consumers to exercise their rights and thereby violating the CCPA.

  • Practice Tip.  Businesses covered by the CCPA should review their consumer rights requests processes and methods to confirm that they do not require verification in order for consumers to submit consumer opt-out and limitation requests, and should further limit the information required to be provided by consumers in order to submit other privacy rights requests to only the information truly necessary to confirm the identity of the requestor.

2. Undue Burden on Exercise of CCPA Rights through Authorized Agents

Similar to the allegations above, the second alleged violation arose in connection with Honda’s practice of requiring consumers to directly confirm that they had given permission to their authorized agents to submit opt-out and limitation requests on their behalf. 

Under the CCPA, consumers can authorize other persons or entities to exercise their aforementioned rights, and, as above, the CCPA prohibits verification requirements for rights to opt-out and limit.  While businesses may require authorized agents to provide proof of authorization, the CCPA prohibits requiring consumers to directly confirm that authorized agents have their permission.  Instead, businesses are only allowed to contact consumers directly to check authorization, provided this relates to requests to know/access, correct or delete personal information.

Despite these requirements, because Honda’s process for submitting CCPA privacy rights requests did not distinguish between verifiable and non-verifiable requests, and Honda sent confirmatory correspondence directly to consumers to confirm they had given permission to the authorized agent for all such privacy requests, the CPPA found Honda in violation of the CCPA.

  • Practice Tip.  As above, businesses should audit their consumer rights requests procedures and mechanisms to ensure that they do not impose verification requirements, including those related to the use of authorized agents, in connection with opt-out and limitation requests.

3. Asymmetry in Cookie Management Tool

The third alleged violation concerns Honda’s use of a cookie consent management tool on its website used to effectuate consumer requests to opt-out of personal information “sharing”, which was configured to opt consumers in by default.

Specifically, through the OneTrust cookie consent management tool utilized on Honda’s websites, consumers were automatically opted-in to the “sharing” of their personal information by default.  To opt-out, consumers were required to take multiple steps (i.e., to toggle the button to turn off cookies and then confirm their choices) while opting in required either no steps or, assuming a consumer were to decide to opt back in after opting out, only one step to “allow all” cookies.

The CCPA requires businesses to design and implement methods for submitting CCPA requests that are easy to understand, provide symmetrical choices, avoid confusing language, interactive elements or choice architecture that impairs one’s ability to make a choice, and are easy to execute.  Here, the CPPA focused specifically on providing symmetrical choices, meaning that the path for a consumer to exercise a more privacy-protective option cannot be longer, more difficult or more time-consuming than the path to exercise a less privacy-protective option, because that would impair or interfere with the consumer’s ability to make a choice.  The Stipulated Final Order went further to confirm that a website banner that provides only two options when seeking consumers’ consent to use their personal information—such as “Accept All” and “More Information,” or “Accept All” and “Preferences”—is not equal or symmetrical.

  • Practice Tip.  Businesses must audit their cookie consent management tools to ensure that consumers are not opted-in to data “sales” or “sharing” by default, and that the tool does not require a consumer to take more steps to effectuate consumer opt-out requests than to opt-in.  Moreover, cookie consent management tools that present only two options should allow consumers to either “accept” or “reject” all cookies, rather than pairing the “accept” option with another option that is not a full rejection (such as receiving more information or going to a “preferences” page).

4. Absence of Contractual Safeguards with Vendors

Finally, the CPPA alleged that although Honda disclosed consumer personal information to third-party advertising technology vendors in situations where such disclosure was a “sale” or “sharing” under the CCPA, it failed to enter into a CCPA-compliant contract with such vendors.  Specifically, businesses that “sell” or “share” personal information to or with a third party must enter into agreements containing explicit provisions prescribed by the CCPA to ensure protection of consumers’ personal information. The CPPA found that by failing to implement such contractual safeguards, Honda placed consumers’ personal information at risk.

  • Practice Tip.  Businesses should audit all contracts pursuant to which consumer personal information is disclosed or otherwise made available to third parties, particularly third-party advertising technology vendors, to ensure the provisions required by the CCPA are included.

Enforcement Remedies

In addition to a $632,500 fine[4], the Stipulated Final Order requires Honda to (1) modify its methods for consumers to submit CCPA requests, including with respect to its method for the submission and confirmation of CCPA requests by authorized agents, (2) change its cookie preference tool to avoid dark patterns and ensure symmetry in choice, (3) ensure all personnel handling CCPA requests are adequately trained and (4) enter into compliant contracts with all external recipients of consumer personal information within 180 days.

Conclusion

The enforcement action against Honda underscores the importance of strict compliance with the CCPA. Businesses must ensure that their processes for handling consumer privacy requests are straightforward, do not require unnecessary information, and provide equal choice options, and must enter into CCPA-compliant contracts prior to and in connection with the disclosure of consumer personal information to third parties.


[1] The Stipulated Final Order (the “Stipulated Final Order”) can be found here.

[2] Under the CCPA, businesses can verify requests to delete, correct and know personal information of consumers because of the potential harm to consumers from imposters accessing, deleting or changing their personal information; conversely, requests to opt-out of sale or sharing and requests to limit use and disclosure are prohibited from having a verification requirement because of the minimal potential harm to consumers.  Accordingly, while businesses may ask for additional information in connection with such requests to identify the relevant data in their systems, they cannot ask for more information than necessary to process such requests and, to the extent they can comply without additional information, they must do so.

[3] Specifically, the form required consumers to provide their first name, last name, address, city, state, zip code, email address and phone number, although Honda “need[ed] only two data points from [the relevant] consumer to identify [them] within its database.” 

[4] Notably, the Stipulated Final Order details the number of consumers whose rights were implicated by some of Honda’s practices, serving as a reminder to businesses that CCPA fines apply on a per violation basis.

New York Legislature Passes Health Data Privacy Bill

Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.

Importantly, the Act as currently drafted is very broad and may have far-reaching consequences giving rise to extensive compliance obligations, including as a result of the fact that it (i) extends to non-health related data, (ii) does not contain applicability thresholds based on the number of individuals whose data is processed by the regulated entity, or on the type of activity it carries out, (iii) requires minimal nexus to New York and applies to non-New York entities that process non-New York residents’ data, and (iv) applies to information collected in the context of employment and business-to-business relationships. If signed by the Governor, the Act will go into effect one year after it becomes law.

Below, we provide an overview of the broad categories of entities and data subject to NYHIPA, the key compliance obligations and consumer rights provided, and what businesses need to know in order to comply.

Who and What is Covered by the Act?

Regulated Health Information.  The Act covers a wide range of data given the broad definition of “regulated health information.” Specifically, “regulated health information” includes “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual” (the foregoing referred to herein as “RHI”); by definition, RHI does not include “deidentified information,”[2] protected health information (“PHI”) governed by HIPAA or information collected as part of a clinical trial. The Act’s provisions also apply to seemingly non-health related data, such as location information and payment information collected in connection with health-related products or services, as well as any inference that can be drawn or derived therefrom.

Accordingly, the Act as drafted implicates a significant amount of information and, as further discussed below, given the absence of applicability thresholds (e.g., based on the number of New York residents whose data is processed), applies to a vast number of entities. RHI is not limited to medical records, but covers biometric data, genetic information, and even information that could identify a person indirectly. Additionally, since the Act lacks a definition of “individual,” it arguably applies to information collected in the context of commercial and employment relationships unlike typical U.S. state privacy laws, expanding the compliance obligations of entities both within and outside New York’s borders.

Regulated Entities. In a stark contrast to the processing thresholds advanced by other US privacy laws, the Act defines a regulated entity as any entity that:

  1. Controls the processing of RHI of an individual who is a New York resident;
  2. Controls the processing of RHI of an individual who is physically present in New York; or
  3. Is located in New York and controls the processing of RHI.

Excluded from coverage are local, state, and federal governments and municipal corporations (given that any information they process is exempt from the Act’s reach), as well as HIPAA covered entities, solely to the extent they maintain patient information in the same manner as PHI. Additionally, there is no exemption for nonprofits or entities regulated by the GLBA, meaning additional restrictions may be imposed on the financial information they collect (e.g., payment transactions relating to physical or mental health, or from which inferences can be drawn) to the extent it is processed in connection with health-related purposes.

Unlike other state privacy laws enacted to date, the Act’s extraterritorial application will impact many organizations beyond those that conduct business in New York as, even if the entity itself is located outside the state, its activities will be subject to the Act so long as it processes RHI regarding individuals (not even necessarily state residents) physically present in New York. Further, individuals beyond New York residents may benefit from the Act’s protections, given that any entity located in New York will be covered by the Act regardless of where the individual whose RHI is processed is domiciled.

Compliance Obligations

Entities subject to typical U.S. consumer privacy laws will recognize a number of familiar obligations imposed by NYHIPA, including:

1. Obligations to provide a publicly available privacy policy through a regularly used interface (e.g., a website or platform) informing individuals what RHI will be collected, the nature and purpose of processing, to whom and for what purposes RHI will be disclosed, and how consumers can request access to or deletion of their RHI;

2. Restrictions on “selling”[3] RHI;

   • Notably, it is unclear whether, based on the current drafting of the Act, all “sales” of RHI are expressly prohibited (other than in the context of business transactions), as the exceptions that would seem to be appropriate (i.e., where an individual provides a valid authorization or the processing is otherwise necessary for a permitted purpose) are not clearly provided with respect to RHI sales and instead only appear to be tied to other types of RHI processing. Such exceptions would appear to be appropriate in the context of “sales”, given that reading the Act any other way appears to suggest that any sharing of RHI is prohibited where valuable consideration is provided in exchange. By way of example, if no such exceptions apply, then there is a risk that regulated entities would be prohibited from providing RHI to their service providers if that would be considered, under a broad interpretation of “sale”, sharing RHI for “valuable consideration” (i.e., the relevant services).

3. Restrictions on otherwise processing RHI unless (a) the covered entity obtains a valid authorization, as governed by the Act and detailed further below (which must be easily revocable at any time), or (b) the processing is “strictly necessary” for one of seven specific purposes enumerated in the Act (e.g., to provide the product or service requested, to comply with legal obligations, or for internal business operations excluding marketing);

4. Providing individuals access and deletion rights, including by providing an easy mechanism by which individuals can effectuate such rights and allowing such requests to be made by an individual’s authorized agent, with which regulated entities must comply within 30 days;

   • Deletion requests must also be passed to and honored by a regulated entity’s third-party service providers.

5. Implementing reasonable administrative, physical, and technical safeguards to protect the confidentiality and security of RHI;

6. Securely disposing of RHI pursuant to a publicly available retention schedule, where disposal must occur no later than 60 days after retention is no longer necessary for the permissible purposes or for the purposes for which consent was given; and

7. Entering into contracts with third-party service providers imposing the same confidentiality, information security, access and deletion obligations, as well as processing restrictions, as those imposed on the regulated entity under the Act.

Valid Authorization

While many U.S. state privacy laws contain prescriptive requirements regarding what constitutes consumer consent, NYHIPA goes a step further in providing not only a number of requirements on how an authorization must be presented to be valid, but also substantive requirements to include in authorization request forms.

In order for an authorization to be considered valid, it must meet specific criteria, including that the request: (i) must be made separately from any other transaction or part of a transaction, (ii) cannot be sought until at least twenty-four hours after an individual creates an account or first uses the requested product or service, (iii) cannot be obtained through a dark pattern, (iv) if made for multiple processing activities, must allow for specific authorization for each specific activity, and (v) cannot relate to an activity for which the individual has revoked or withheld consent in the past year. Following trends set by recent privacy-related litigation, such as the California wiretapping cases, the Act makes clear that requests for consent must be specific to the particular processing activity and cannot be bundled with other disclosures or consent requests. Further, consent must be clearly communicated to the relevant individual and freely revocable.

In terms of substantive requirements, the Act further requires that valid authorizations disclose the RHI to be collected and the purposes for which it will be processed, the names or categories of third parties to whom RHI will be disclosed (similar to the approaches taken in the Oregon and Delaware consumer privacy laws), any monetary or valuable consideration that may be received by the regulated entity, assurances that failure to consent will not affect an individual’s experience, the expiration date of the authorization (which may be up to one year from when the authorization was provided), how the individual can revoke consent, how the individual can request access to or deletion of their RHI, and any other information material to the individual’s decision-making. Authorizations must also be executed by the individual, though this can be done electronically.

Enforcement

Enforcement rights under the Act are primarily vested in the New York AG, who has broad authority to investigate violations and impose civil penalties on entities that engage, or are about to engage, in unlawful acts or practices under NYHIPA. The New York AG can commence an action within 6 years of becoming aware of the alleged violation and, in addition to seeking an injunction, can seek civil penalties of not more than $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as any such other and further relief as the court may deem proper. The Act also contemplates rulemaking authority for the New York AG.

Conclusion

The applicability of NYHIPA is broad, covering a wide array of entities involved in the collection, use, and management of RHI within New York. To determine whether NYHIPA applies, an organization must evaluate its role in handling health information, the nature of the data it processes, and its geographic operations. Until now, state consumer privacy laws have been focused on comprehensive data privacy, designed on the Washington model. Perhaps New York is showing us a shift back to sectoral laws instead. At this juncture, it is unclear whether Governor Hochul will sign the law as drafted given it is likely to be subject to a number of challenges, including on First Amendment grounds; Cleary Gottlieb will keep monitoring for updates.

[1] The text of the bill can be found here.

[2] “Deidentified information” under the Act has the same meaning provided under comprehensive U.S. state privacy laws (i.e., information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, household or device, provided that the regulated entity or service provider (i) implements reasonable measures to prevent reidentification, (ii) publicly commits to process the information in deidentified form and not attempt to reidentify the information, and (iii) imposes contractual obligations on third-party recipients consistent with the foregoing (i)-(iii)).

[3] “Sell” under the Act is defined as sharing RHI for monetary or other valuable consideration, exempting only sharing of RHI in the context of a business transaction in which a third party assumes control of all or part of the covered entity’s assets.

SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures

On October 22, 2024, the SEC announced settled enforcement actions charging four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. These cases mark the first to bring charges against companies who were downstream victims of the well-known cyber-attack on software company SolarWinds. The four companies were providers of IT services and digital communications products and settled the charges for amounts ranging from $990,000 to $4 million.

In 2023, the SEC sued SolarWinds and its Chief Information Security Officer for allegedly misleading disclosures and deficient controls. Most of the SEC’s claims in that case were dismissed by a judge in the Southern District of New York, in part because the judge ruled that SolarWinds’ post-incident disclosures did not misleadingly minimize the severity of the intrusion. This new round of charges indicates the SEC’s intent to continue to enforce disclosure and reporting requirements surrounding cybersecurity breaches. The SEC’s recent charges focus on the companies’ continued use of generic and hypothetical language following significant data breaches, as well as allegations of downplaying the severity of the breaches by omitting material information about their nature and extent. Public companies should carefully consider the lessons from these actions when making disclosures following a cybersecurity breach.

Background

According to the SEC’s allegations, which the companies neither admitted nor denied, in December 2020, each of the four companies charged last week learned that its systems had been affected by the SolarWinds data breach. Public reporting at the time indicated that the breach was likely performed by a state-sponsored threat actor. Each of the companies performed investigations of the breach, determining that the threat actor had been active in their systems for some period of time and accessed certain company or customer information.[1]

The SEC brought negligent fraud charges against all four companies, charging two primary types of materially misleading disclosures. Two companies, Check Point[2] and Unisys,[3] were charged because the SEC believed their post-breach risk factor disclosures—containing generic and hypothetical language about the risk of cybersecurity breaches similar to their pre-breach disclosures—were misleading given that the companies had become aware of the actual SolarWinds-related breaches. The SEC alleged that the other two companies, Avaya[4] and Mimecast,[5] while they did make specific disclosures that they had been affected by cybersecurity breaches, misleadingly omitted details that the SEC asserted would be material to investors. The SEC noted that all four companies were in the information technology industry, with large private and government customers, and therefore their reputation and ability to attract and retain customers would be affected by disclosure of a data breach.

The Charges

There were two categories of charges.

Charges for disclosing hypothetical cyber risks in the wake of an actual cyber attack. The SEC has repeatedly brought charges against companies for allegedly using generic and/or hypothetical language in their risk factors after a known data breach.[6] That trend has continued with the recent actions against Check Point and Unisys.

i. Check Point

Check Point’s Form 20-F disclosures in 2021 and 2022 stated, “We regularly face attempts by others to gain unauthorized access…” and “[f]rom time to time we encounter intrusions or attempts at gaining unauthorized access to our products and network. To date, none have resulted in any material adverse impact to our business or operations.”[7] These filings were virtually unchanged before and after the data breach. The SEC alleged that these risk disclosures were materially misleading because the company’s risk profile materially changed as a result of the SolarWinds compromise-related activity for two reasons: the threat actor was likely a nation-state and the threat actor “persisted in the network unmonitored for several months and took steps, including deployment and removal of unauthorized software and attempting to move laterally” in the company’s environment.[8]

ii. Unisys

The company’s risk factors in its Form 10-Ks following the breach were substantially unchanged from 2019. The risk factor language was hypothetical: cyberattacks “could … result in the loss … or the unauthorized disclosure or misuse of information…” and “if our systems are accessed ….”[9] The SEC alleged that hypothetical language is insufficient when the company is aware that a material breach occurred. The SEC also alleged that the company did not maintain adequate disclosure controls and procedures because it had no procedures to ensure that, in the event of a known cybersecurity incident, information was escalated to senior management, which in this case did not happen for several months. The SEC’s order also alleged that the company’s investigative process after the breach “suffered from gaps that prevented it from identifying the full scope of the compromise,” and that these gaps constituted a material change to the company’s risk profile that should have been disclosed.[10]

Charges for allegedly failing to disclose material information. Two of the charged companies did disclose that their systems had been affected by suspicious activity, but the SEC nevertheless found fault with those disclosures.

i. Avaya

In its Form 10-Q filed two months after learning of the breach, the company disclosed that it was investigating suspicious activity that it “believed resulted in unauthorized access to our email system,” with evidence of access to a “limited number of Company email messages.”[11] The SEC alleged that these statements were materially misleading because they “minimized the compromise and omitted material facts” that were known to the company “regarding the scope and potential impact of the incident,”[12] namely, omitting: (i) that the intrusions were likely the work of a state actor, and (ii) that the company had only been able to access 44 of the 145 files compromised by the threat actor and therefore could not determine whether these additional files contained sensitive information.[13]

ii. Mimecast

In its Form 8-Ks filed in the months after learning of the breach, Mimecast disclosed that an authentication certificate had been compromised by a sophisticated threat actor, that a small number of customers were targeted, that the incident was related to SolarWinds, and that some of the company’s source code had been downloaded. The company stated that the code was “incomplete and would be insufficient to build and run” any aspect of the company’s service.[14] The SEC alleged that these statements were materially misleading “by providing quantification regarding certain aspects of the compromise but not disclosing additional material information on the scope and impact of the incident,” such as the fact that the threat actor had accessed a database containing encrypted credentials for some 31,000 customers and another database with systems and configuration information for 17,000 customers, and by not disclosing that the threat actor had exported source code amounting to more than half of the source code of the affected projects, or information about the importance of that code.[15]

Dissenting Statement

The two Republican Commissioners, Hester Peirce and Mark Uyeda, voted against the actions and issued a dissenting statement accusing the Commission of “playing Monday morning quarterback.”[16] The dissenters noted two key issues across the orders. First, the dissenters viewed the cases as requiring disclosure of details about the cybersecurity incident itself, despite previous Commission statements that disclosures should instead be focused on the “impact” of the incident.[17] Second, the dissenters argued that many of the statements the SEC alleged to be material would not be material to the reasonable investor, such as the specific percentage of code exfiltrated by the threat actor.[18]

The SEC Is Not Backing Off After SolarWinds

These enforcement actions come months after the Southern District of New York rejected several claims the SEC brought against SolarWinds for the original breach.[19] The recent actions show that the SEC is not backing away from aggressively reviewing incident and other related cybersecurity disclosures. Notably, the SEC did not allege that any of the companies’ cybersecurity practices violated the Exchange Act’s internal controls provision. In an issue of first impression, the SolarWinds court held that the internal controls provisions focus on accounting controls and do not encompass the kind of cyber defenses at issue in that case. It is not clear whether the absence of such charges here represents the SEC adopting a new position after the SolarWinds ruling, or rather reflects that these cases involve different cybersecurity practices and intrusions. The SEC did allege failure to maintain proper disclosure controls in one of the four new orders, which was another allegation rejected by the SolarWinds court as insufficiently pled.[20] Moreover, the SolarWinds court dismissed claims that the company had misled its investors by making incomplete disclosures after its cyber intrusion, finding that the company adequately conveyed the severity of the intrusion and that any alleged omissions were not material or misleading. While the dissenters questioned whether the allegedly misleading disclosures here were any different than those in SolarWinds, at a minimum these cases show that the SEC will continue to closely scrutinize post-incident disclosures, notwithstanding its loss in SolarWinds.

Takeaways

There are several takeaways from these charges.

• The SEC is signaling an aggressive enforcement environment and continuing to bring claims against companies for deficient disclosure controls, despite similar charges being rejected in SolarWinds. The Unisys order shows that the SEC will continue to pursue disclosure controls charges where, in its view, a company did not adequately escalate incidents to management, consider the aggregate impact of related incidents, or adopt procedures to guide materiality determinations, among other things.
• The SEC will reliably bring charges against companies that use generic or hypothetical risk factor language to describe the threat of cybersecurity incidents when the company’s “risk profile changed materially”[21] due to a known breach.
• The SEC will give heightened scrutiny to disclosures by companies in sectors such as information technology and data security, because in the SEC’s view cybersecurity breaches are more likely to affect the reputation and ability to attract customers for these types of companies.
• Companies should take care in crafting disclosures about the potential impact of cybersecurity breaches, including in Form 8-K and risk factor disclosures, and consider factors such as:
  • Whether the threat actor is likely affiliated with a nation-state.
  • Whether, or the extent to which, the threat actor persisted in the company’s environment.
  • If the company seeks to quantify the impact of the intrusion, such as by the number of files or customers affected, the SEC will scrutinize whether the company selectively disclosed quantitative information in a misleading way.
  • Whether the company should disclose not only the number of files or amount of customer data compromised, but the importance of the files or data and the uses that can be made of them.
  • If the company quantifies the impact of the intrusion but is aware of gaps in its investigation or in the available data that mean the severity of the impact could have been worse, the SEC may consider it misleading not to disclose those facts.

[1] For information on the four orders, see Press Release, SEC Charges Four Companies With Misleading Cyber Disclosures, SEC, https://www.sec.gov/newsroom/press-releases/2024-174.

[2] Check Point Software Technologies Ltd., Securities Act Release No. 11321, Exchange Act Release No. 101399, SEC File No. 3-22270 (Oct. 22, 2024).

[3] Unisys Corporation, Securities Act Release No. 11323, Exchange Act Release No. 101401, SEC File No. 3-22272 (Oct. 22, 2024).

[4] Avaya Holdings Corp., Securities Act Release No. 11320, Exchange Act Release No. 101398, SEC File No. 3-22269 (Oct. 22, 2024).

[5] Mimecast Limited, Securities Act Release No. 11322, Exchange Act Release No. 101400, SEC File No. 3-22271 (Oct. 22, 2024).

[6] Press Release, Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million, SEC, https://www.sec.gov/newsroom/press-releases/2018-71; Press Release, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors, SEC, https://www.sec.gov/newsroom/press-releases/2023-48.

[7] Check Point, supra note 2, at 2–4.

[8] Id.

[9] Unisys Corporation, supra note 3, at 6.

[10] Id. at 5–7.

[11] Avaya Holdings Corp., supra note 4, at 4.

[12] Id. at 2.

[13] Id. at 4.

[14] Mimecast Limited, supra note 5, at 4.

[15] Id.

[16] Statement, Comm’rs Peirce and Uyeda, Statement Regarding Administrative Proceedings Against SolarWinds Customers (Oct. 22, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-solarwinds-102224.

[17] Id.

[18] Id.

[19] See Cleary Alert Memo, SDNY Court Dismisses Several SEC Claims Against SolarWinds and its CISO (July 26, 2024).

[20] Id.

[21] Unisys Corporation, supra note 3, at 5.

DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act

Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”), as well as of an existing 2019 FTC consent order (the “2019 Order”) that alleged violations of the same.[1]

After an investigation by the Federal Trade Commission (“FTC”) into TikTok’s compliance with the 2019 Order allegedly revealed a flagrant, continued disregard for children’s privacy protections, the FTC took the rare step of releasing a public statement referring the complaint to the DOJ, which subsequently filed suit in the Central District of California last week. “TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

According to the complaint, TikTok is alleged to have violated not only COPPA and the COPPA Rule but also the 2019 Order by:

1. Knowingly allowing millions of children under thirteen to create and use TikTok accounts that are not reserved for children, enabling full access to the TikTok platform to view, make and share content without verifiable parental consent;
2. Collecting extensive data, including personal information, from children without justification and sharing it with third parties without verifiable parental consent;
3. Failing to comply with parents’ requests to delete their children’s accounts or personal information; and
4. Failing to delete the accounts and information of users TikTok knows are children, in direct violation of the 2019 Order.

In highlighting a number of actions undertaken by TikTok, which allegedly led to “unlawful, massive-scale invasions of children’s privacy”, the DOJ’s complaint contains several allegations that TikTok knowingly disregarded its obligations under applicable law and under the 2019 Order, which required TikTok to prevent child users from accessing its platform without verifiable parental consent and to take measures to protect, safeguard and ensure the privacy of the information of its child users once obtained. Among others, the DOJ alleged the following illegal practices:

• Insufficient Age Identification Practices. Although TikTok has implemented age gates on its platform since March 2019 in an effort to direct users under thirteen to TikTok Kids Mode (a version of the app designed for younger users which allows users to view videos but not create or upload videos, post information publicly or message other users), the complaint alleges that TikTok continued to knowingly create accounts for child users that were not on Kids Mode without requesting parental consent, by allowing child users to evade the age gate. Specifically, upon entering their birthdates and being directed to Kids Mode, under-age users could simply restart the account creation process in order to provide a new birthdate and gain access to the general TikTok platform without restriction (even though TikTok knew it was the same person); alternatively, users could also avoid the age gate entirely by logging in via third-party online services, in which case TikTok did not verify the user’s age at all.
• Unlawful and Overinclusive Data Collection from Child Users. Even where child users were directed to Kids Mode, the complaint alleges that personal information was collected from children, such as username, password and birthday as well as other persistent identifiers such as IP addresses or unique device IDs, without providing notice to parents and receiving consent as required under COPPA. TikTok also collected voluminous account activity data which was then combined with persistent identifiers to amass profiles on child users and widely shared with third parties without justification. For example, until at least mid-2020, TikTok is alleged to have shared information collected via Kids Mode accounts with Facebook and AppsFlyer, a third-party marketing analytics firm, to increase user engagement; the collection and sharing of persistent identifiers without parental consent was unlawful under the COPPA Rule because use of such data was not limited to the purpose of providing “support” for TikTok’s “internal operations”.
• Failures to Honor Deletion Requests. Though the COPPA Rule and the 2019 Order required TikTok to delete personal information collected from children at their parents’ request, TikTok failed to inform parents of this right and, separately, to act upon such requests. To request deletion under TikTok’s policies, TikTok allegedly employed an unreasonable and burdensome process, oftentimes requiring parents to undertake a series of convoluted administrative actions before TikTok would delete their child’s account, including scrolling through multiple webpages to find and click on a series of links and menu options that gave no clear indication that they applied to such a request. Even where parents successfully navigated this process, their requests were infrequently honored due to rigid policies maintained by TikTok related to account deletion.[2] The complaint also suggests that even where such accounts were deleted, TikTok maintained certain personal information related to such users, such as application activity log data, for up to eighteen months without justification.
• Failures to Delete Accounts Independently Identified by TikTok as Children’s Accounts. In clear violation of the 2019 Order, TikTok is also alleged to have employed deficient technologies, processes and procedures to identify children’s accounts for deletion, and even appears to have ignored accounts flagged by its own human content moderators as belonging to a child and ripe for deletion. Instead, despite strict mandates to delete such accounts, TikTok’s internal policies permitted account deletion only if rigid criteria were satisfied—such as explicit admissions by the user of their age—and provided human reviewers with insufficient resources or time to conduct even the limited review permitted under such policies.[3]

In addition to a permanent injunction to cease the infringing acts and prevent further violations of COPPA, the complaint requests that the court impose civil penalties against TikTok under the FTC Act, which allows civil penalties of up to $51,744 per violation, per day. Given the uptick in recent enforcement related to children’s privacy issues and the potential for material fines, entities should carefully consider the scope of COPPA’s coverage of their existing products and services, as well as their existing policies, practices and product functionality, to ensure compliance and avoid regulatory scrutiny.

[1] Specifically, the 2019 Order (i) imposed a $5.7 million civil penalty, (ii) required TikTok to destroy personal information of users under the age of thirteen and, by May 2019, remove accounts of users whose age could not be identified, (iii) enjoined TikTok from violating the COPPA Rule and (iv) required TikTok to retain certain records related to compliance with the COPPA Rule and the 2019 Order.

[2] According to the complaint, in a sample of approximately 1,700 children’s TikTok accounts about which TikTok received complaints and deletion requests between March 21, 2019, and December 14, 2020, approximately 500 (30%) remained active as of November 1, 2021, and several hundred were still active in March 2023.

[3] For example, despite having tens of millions of monthly active users at times since the entry of the 2019 Order, TikTok’s content moderation team included fewer than two dozen full-time human moderators responsible for identifying and removing material that violated all of its content-related policies, including identifying and deleting accounts of unauthorized users under thirteen. Further, during at least some periods since 2019, TikTok human moderators spent an average of only five to seven seconds reviewing each flagged account to determine if it belonged to a child.

    EHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next Steps

    In our Alert Memorandum of 19 July 2022 (available here), we outlined the European Commission’s (the “Commission”) proposal for a regulation on the “European Health Data Space” (the “Regulation” or the “EHDS”). The proposal, which was published in May 2022, is the first of nine European sector- and domain-specific data spaces set out by the Commission in 2020 in the context of its “European strategy for data”.

    The EU is now reportedly aiming to conclude the EHDS dossier and adopt the Regulation before the end of the EU Parliament’s current term (June 2024). To this end, on 15 March 2024, the EU Council and the EU Parliament announced that they had reached a provisional agreement on the text of the Regulation (the text is available here). And on 24 April 2024, the EU Parliament formally adopted the text of the provisional agreement.

    Background:

    The proposed Regulation is an initiative that attempts to create a “European Health Union” to make it easier to exchange and access health data at EU level. The Regulation builds on other recent EU reforms such as the recently enacted Data Act and the proposed AI Act. It seeks to tackle legacy systemic issues that have hindered lawful access to electronic health data. It promotes the electronic exchange of health data by enhancing individuals’ access to and portability of these data and by enabling innovators and researchers to process these data through reliable and secure mechanisms. It contains rules that govern both primary use (i.e., use of such data in the context of healthcare) and secondary use of health data (e.g. use for non-healthcare purposes such as research, innovation, policy-making, statistics).

    Recent Proposals:

    On 6 December 2023, the EU Council issued a press release (available here) confirming the agreement on the EU Council’s position and its mandate to start negotiations with the EU Parliament as soon as possible in order to reach a provisional agreement on the proposed Regulation (see the EU Council’s proposed amendments here). Subsequently, on 13 December 2023, the EU Parliament finalised its proposed amendments to the Regulation (see the EU Parliament’s proposed amendments here).

    Following the inter-institutional trilogue negotiations between the EU Parliament, the EU Council and the Commission, on 15 March 2024, the EU Council and the EU Parliament issued a press release (available here) confirming that a provisional agreement had been reached on the text of the Regulation. They introduced new rules and also modified or clarified some of the rules that were originally proposed (some of which were outlined in our Alert Memorandum of 19 July 2022).

    Some of the highlights from the provisional agreement are as follows:

    • Scope of Prohibited Purposes: The new text expands and clarifies the scope of prohibited purposes for secondary use of health data. For instance, the Regulation now provides that the secondary use of health data to take decisions that will produce economic or social effects should be prohibited – this is an additional prohibition on top of the original proposal, which intended to prohibit secondary use of health data only where the decisions produced “legal” effects. In addition, the Regulation now also includes within the scope of the prohibited purposes: (i) decisions in relation to job offers; (ii) offering less favourable terms in the provision of goods or services; (iii) decisions regarding conditions of taking loans or any other discriminatory decisions taken on the basis of health data.
    • Categories of Personal Data subject to Secondary Use: As above, electronic health data can be subject to “secondary use”, and health data holders should make certain categories of electronic data available for secondary use. The EU Parliament and the EU Council confirmed in their provisional agreement that Member States will be able to establish trusted data holders that can securely process requests for access to health data in order to reduce the administrative burden. The text includes a number of amendments to the categories of electronic data that can be made available for secondary use.
    • IP and Trade Secrets:
      • The EU Commission’s first draft of the Regulation did not include specific measures to preserve the confidentiality of IP rights and trade secrets; however, the Regulation now includes a set of new provisions on the protection of IP rights and trade secrets (Recital 40c, Article 33a). Accordingly, where health data is protected by IP rights or trade secrets, the Regulation should not be used to reduce or circumvent such protection. The provisions impose, among other things, an obligation on the “health data access bodies”[1] to take all specific measures, including legal, organisational and technical measures, that are necessary to preserve the confidentiality of data entailing IP rights or trade secrets. Such legal, organisational and technical measures could include common electronic health data access contractual arrangements, specific obligations in relation to the rights that fall within the data permit, pre-processing the data to generate derived data that protects a trade secret (but still has utility for the user), or configuration of the secure processing environment so that such data is not accessible by the health data user. If a health data user requests access to such data but granting access to the electronic health data for secondary use would incur a serious risk, which cannot be addressed in a satisfactory manner, of infringing intellectual property rights, trade secrets and/or the regulatory data protection right, the health data access body must refuse access and explain the reason to the user (see Article 33a(1)(d) of the Regulation).
      • In addition, the Regulation now imposes additional obligations on health data holders[2] with respect to electronic health data that entail IP rights or trade secrets. For example, the original proposals required a health data holder to make the electronic data they hold available upon request to the health data access body in certain circumstances. The Regulation now requires health data holders to inform the health data access body of such IP rights or trade secrets, as well as to indicate which parts of the datasets are concerned and justify why the data needs the specific protection it benefits from, when communicating to the health data access body the dataset descriptions for the datasets they hold, or at the latest following a request from the health data access body.
      • The Regulation also requires health data access bodies to apply certain criteria when deciding whether to grant or refuse access to health data. These criteria include whether the request demonstrates sufficient safeguards to protect the health data holder and the natural persons concerned; whether there is a lawful basis under the GDPR in the case of access to pseudonymised health data; and whether the requested data is necessary for the purpose described in the access application. In addition, the health data access body must also take certain risks into account when deciding on the same. The health data access body must permit data access where it concludes that the above-mentioned criteria are met and the risks that it must take into account are sufficiently mitigated.
    • Transparency: The Regulation now intends to impose an additional obligation on the data holders to provide certain information to natural persons about their processing of personal health data. This information obligation is intended to supplement the transparency obligations that the data holders may have under the GDPR.
    • Right of access to personal electronic health data: The Regulation now adds the individuals’ right to download their electronic health data and specifies that the right of access to personal electronic health data in the context of the EHDS complements the right to data portability under Article 20 of the GDPR (see Recital 11). In this context it should be noted that the GDPR right to data portability is limited to data processed on the basis of consent or contract – which excludes data processed under other legal bases, such as when the processing is based on law – and only concerns data provided by the data subject to a controller, excluding much inferred or indirect data, such as diagnoses or test results.
    • Right to opt-out and need to obtain consent: New Recital 37c and Article 35f provide patients with a right to opt-out of the processing of all their health data for secondary use, except for purposes of public interest, policy making, statistics and research purposes in the public interest. In addition, individuals shall be provided with sufficient information on their right to opt-out, including on the benefits and drawbacks when exercising this right. In addition, Member States may put in place stricter measures governing access to certain kinds of sensitive data, such as genetic data, for research purposes.
    • Data localisation: Data localisation requirements are imposed in Articles 60a and 60aa. These provisions are intended to require that personal electronic health data be stored, for the purposes of primary and secondary use of personal electronic health data, exclusively within the territory of the EU or in a third country, territory or one or more specified sectors within that third country covered by an adequacy decision pursuant to Article 45 of the GDPR. These proposed changes are seemingly intended to address some of the concerns expressed by the European Data Protection Board (the “EDPB”) and the European Data Protection Supervisor (the “EDPS”) in their joint opinion of 12 July 2022. However, in certain ways the provisions do seem to go beyond the recommendations of the EDPB / EDPS (for example, with respect to the localisation of data, the EDPB/EDPS opinion actually proposed to require that electronic health data be stored in the EEA, but to allow for transfers under Chapter V of the GDPR, i.e. including, for example, transfers under standard contractual clauses or under the derogations provided for in Article 49 of the GDPR).

    Next steps:

    The provisional agreement will now have to be endorsed by the EU Council. It has been reported that the aim of the institutions is to conclude the EHDS dossier and adopt the Regulation before the end of the EU Parliament’s term (June 2024).

    Once formally adopted and published in the Official Journal of the EU, the EHDS will be directly applicable following a grace-period (currently, two years) after the entry into force of the Regulation (with the exception of certain provisions which will have different application dates).


    [1] This is a body that Member States will set up to be responsible for granting access to electronic health data for secondary use.

    [2] This means the natural or legal person that has the ability to make available data; however note that negotiations between the EU Parliament, the EU Council and the EU Commission are still ongoing on the definition of “data holders”.

    Congress Releases American Privacy Rights Act Discussion Draft

    After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with the introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1] The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation, which has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.

    Several core provisions of the APRA—including strict data minimization obligations; consent requirements for certain data transfers; and consumer rights of access, correction, deletion and portability and to opt-out of certain processing activities—parallel recently enacted foreign and state privacy laws, including those currently in effect in California, Colorado, Connecticut, Utah and Virginia. In establishing these protections for consumers nationwide, the APRA creates a comprehensive, and in some ways more restrictive, framework to serve as the U.S. counterpart to Europe’s General Data Protection Regulation (the “GDPR”) that adjusts—and in some respects expands—the compliance burden on organizations that collect and use personal data. Most notably, and as those following Congress’ efforts to bring federal privacy legislation to fruition will recall, the APRA addresses the two most contentious aspects of federal privacy legislation by broadly preempting state and local data privacy laws and providing consumers a private right of action for violations of their privacy rights. If enacted, the Act would come into effect 180 days after its passing.

    Key Takeaways of the Act:

    1. Broad Preemption.  The Act as currently drafted contains broad preemption provisions that will largely do away with the patchwork of comprehensive privacy laws at the state level with some carve outs for certain state laws on discrete subjects related to privacy—notably, provisions of the California Consumer Privacy Act related to employee personal information are likely to remain in effect. 
    2. Consumer Private Right of Action. In addition to enforcement by the FTC and state attorneys general, individuals are provided with a private right of action that permits claims against covered entities for failures to comply with certain of the Act’s obligations. Actions alleging substantial privacy harms or actions by a minor may not be subject to mandatory arbitration, and individuals can recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs.
    3. Strict Data Minimization Requirements.  In line with recent heightened regulatory scrutiny of organizations’ data collection practices, the Act imposes strict data minimization obligations, prohibiting the collection, processing, retention and transfer of personal data, unless such activity meets general data-minimization principles (e.g., such processing is necessary, proportionate and limited to a specific purpose) or one of fifteen (15) specific permitted purposes.
    4. Broad Coverage.  Unlike recently enacted state privacy laws, the APRA does not contain any revenue or processing thresholds when it comes to applicability—broadly applying instead to any entity that determines the means and purposes of processing covered data and is subject to the Federal Trade Commission’s (“FTC”) jurisdiction, as well as to non-profits and common carriers.  Large data holders, high impact social media companies and data brokers have heightened, bespoke obligations under the Act, and even small businesses are subject to the Act to the extent such businesses engage in data sales. Data covered by the Act includes any data that identifies or is linked or reasonably linkable to an individual or device, but does not include de-identified data, employee data or publicly available information, amongst other carve outs.
    5. Sensitive Data Transfers and Express Consent.  Affirmative express consent is required before sensitive data—which is defined far more broadly under the Act than any current state privacy law and includes any data related to individuals under the age of seventeen (17)—can be transferred to a third party, unless the transfer is necessary, proportionate and limited to one of the permitted purposes.  Additional considerations are required for transfers of biometric and genetic data.

    Summary of the APRA

    Applicability. The Act broadly applies to covered entities that alone or jointly with others determine the purposes and means of collecting or processing covered data and (i) are subject to FTC jurisdiction, (ii) qualify as a common carrier subject to Title II of the Communications Act of 1934 or (iii) are a non-profit organization. Affiliates who share common branding with a covered entity are also in scope, while small businesses[2], governments and their service providers, the National Center for Missing and Exploited Children and, except for data security obligations, fraud-fighting non-profits are excluded. There are additional heightened requirements for large data holders[3], covered high-impact social media companies[4] and data brokers.

    Covered Data. Covered data is defined as any information that identifies or is linked to or reasonably linkable to an individual or device, excluding (i) deidentified data[5], (ii) employee data, (iii) publicly available information, (iv) inferences made from multiple sources of publicly available information that do not meet the definition of sensitive covered data and are not combined with covered data and (v) information in a library, archive, or museum collection subject to specific limitations. The Act contains an extremely expansive definition of publicly available information, which serves to significantly narrow the Act’s scope. Specifically, in addition to defining publicly available information to include information from government records or made available to the general public via widely distributed media, the definition also includes information lawfully made available from “a website or online service made available to all members of the public, for free or for a fee, including where all members of the public can log-in to the website or online service” provided that the individual to whom the information pertains did not restrict the information to a specific audience.

    Sensitive covered data, the transfer of which requires affirmative opt-in consent unless expressly permitted under the Act, is a subset of covered data that generally includes any data relating to “covered minors” (i.e., individuals under the age of seventeen (17)), as well as government identifiers; health information; biometric information; genetic information; financial account and payment data; precise geolocation information; log-in credentials; private communications; information revealing sexual behavior; calendar or address book data, phone logs, photos and recordings for private use; any medium showing a naked or private area of an individual; video programming viewing information; an individual’s race, ethnicity, national origin, religion, or sex, in a manner inconsistent with a reasonable expectation of disclosure; online activities over time and across third party websites or over time on a high-impact social media company website or service[6]; and other data the FTC defines as sensitive covered data by rule.

    Obligations of Entities Subject to the APRA.  Broadly speaking, covered entities are subject to the obligations and restrictions under the Act set forth below. Notably, while the APRA does not contain specific revenue or processing thresholds to determine the Act’s applicability, it does impose specific, heightened compliance obligations on certain types of covered entities (such as large data holders and covered high-impact social media companies) based on annual revenues or the volume of covered data processed thereby. 

    • Data Minimization.  The Act prescribes strict data minimization requirements, limiting covered entities’ (or the service providers acting on their behalf) ability to collect, process, retain or transfer any covered data (i) beyond what is necessary, proportionate and limited to provide or maintain a specific product or service requested by the consumer or to communicate with a consumer in a manner reasonably anticipated within the context of the relationship or (ii) for an expressly permitted purpose (e.g., data security, compliance with legal obligations, preventing fraud, de-identification of data for product or service development or improvement).  Furthermore, covered entities are expressly prohibited from transferring (i) any sensitive covered data or (ii) biometric or genetic information, in each case, to a third party without express affirmative consent unless expressly permitted by the Act. 
      • Business Transfers. Notably, the transfer of covered data as an asset to a third party in the context of a business transaction or bankruptcy is also set forth as a permitted purpose under the Act; provided that the covered entity provides, in a reasonable time prior to such transfer, each affected individual with (a) a notice describing such transfer, including the name of the entity receiving the individual’s data and its privacy policy and (b) a reasonable opportunity to withdraw any previously given consent or request deletion of their data.
    • Transparency. In a deviation from current requirements under state privacy laws, not only would covered entities be required to provide publicly available privacy policies detailing their data processing and security practices, but service providers would now incur such obligations as well. The privacy policy must be made available in each language in which the covered entity or service provider provides a product or service and disclose (i) the categories of covered data collected, (ii) purposes for processing and (iii) to whom the information is transferred (including a list of any data broker transfers), as well as (iv) how consumers can exercise their privacy rights. Material changes to a covered entity’s privacy policy—i.e., a change that would likely impact an individual’s decision to provide affirmative consent for or opt-out of the entity’s data processing—require advance notice to consumers and the provision of a means to opt-out. Uniquely, privacy policies must also disclose whether any covered data is transferred to, processed in or otherwise accessible to a foreign adversary.
      • Large Data Holders. Large data holders must further provide all copies of their privacy policies for the previous ten (10) years, including a log of all material changes (excluding for versions that predate the Act), as well as provide a short-form notice of their policies to consumers not to exceed 500 words in length.
    • Consumer Rights.  Like state privacy laws, the Act provides consumers with rights to access, correct and delete their data, as well as rights to data portability.  With respect to opt-out rights, consumers have rights to opt-out of (i) transfers of non-sensitive covered data and (ii) use of their data for targeted advertising, in each case, made through an opt-out mechanism. Not later than two (2) years after the Act’s enactment the FTC is directed to establish requirements and technical specifications for a privacy protective, centralized mechanism (including global privacy signals, such as browser or device privacy settings and registries of identifiers) for individuals to exercise their opt-out rights.  In addition, covered entities are prohibited from retaliating against any individual for exercising their APRA rights, provided that covered entities may offer bona fide loyalty programs or market research opportunities upon receipt of opt-in consent from the individual. Finally, users must be provided an “easy-to-execute” means to withdraw any affirmative express consent provided (i.e., in connection with the processing of their sensitive covered data).
      • Dark Patterns. The Act further prohibits covered entities from using any dark patterns—i.e., a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice—to divert an individual’s attention from any required notice, impair the ability of any individual to exercise their rights or to obtain, infer or facilitate consent.
    • Data Security and Executive Responsibility. Covered entities and service providers would be required to implement and maintain reasonable data security practices to protect the confidentiality, integrity and accessibility of, and prevent unauthorized access to, covered data, taking into account the size and complexity of the relevant business and the context, volume and sensitivity of the data to be processed. Entities must routinely assess vulnerabilities and take preventative and corrective actions to mitigate any reasonably foreseeable internal or external risk to, or vulnerability of, covered data. Additionally, covered entities must designate a privacy or data security officer to implement and facilitate ongoing review of the entity’s data privacy and security program, while large data holders must further (i) designate both a privacy and separate data security officer, (ii) beginning one year after the Act’s enactment, file annual certifications by the entity’s chief executive officer and each of its privacy and data security officers to the FTC detailing its internal controls and internal reporting structures for compliance with the Act, (iii) conduct privacy impact assessments on a biennial basis and (iv) develop a program to educate and train employees, amongst other responsibilities.
    • Additional Service Provider and Third Party Obligations. In addition to the obligation to enter into data processing agreements discussed below, the Act places similar requirements on service providers as those existing under current state privacy legislation, including requirements to (i) refrain from collecting, processing or transferring covered data other than to the extent necessary and proportionate to provide a service requested by the covered entity or where the service provider has actual knowledge that the covered entity violated the Act with respect to such data, (ii) assist the covered entity in responding to consumers attempting to exercise their APRA rights, (iii) upon request by the covered entity, make available the information necessary to demonstrate the service provider’s compliance with the Act, (iv) delete or return covered data, as determined by the covered entity, upon the end of provision of services unless retention is required by law, (v) engage other service providers only after exercising reasonable due diligence, providing notice to the covered entity and entering into a written contract satisfying the disclosing service provider’s obligations under the Act, (vi) develop, implement and maintain reasonable administrative, technical and physical safeguards to protect covered data and (vii) allow for and cooperate with reasonable audits by the covered entity.
      • Data Processing Agreements. Akin to the Article 28 requirements under the GDPR, the APRA mandates that covered entities and service providers enter into data processing agreements in order to establish a service provider relationship. Such agreement governs the data processing procedures of the service provider with respect to any such data collection, processing or transfer performed on behalf of the covered entity or primary service provider and must clearly define the instructions for collecting, processing, retaining or transferring data, the nature, purpose and duration of the processing, the type of data subject to the processing and the rights and obligations of each party. Finally, the contract must specifically prohibit the service provider from combining its own data with covered data it receives from or on behalf of another covered entity or person. Notably, not only must covered entities enter into contracts with their service providers, but they are also required under the Act to conduct reasonable due diligence in selecting a service provider as well as when deciding to transfer covered data to a third party.
      • Third Party Processing Restrictions. The Act expressly prohibits third parties from processing the covered data transferred to it for any purpose other than (i) in the case of sensitive covered data, the processing purpose for which the consumer gave affirmative express consent or (ii) in the case of non-sensitive covered data, the processing purpose for which the third party made a disclosure in its privacy policy.
    • Data Brokers. Borrowing from the obligations imposed under the California Delete Act (previously discussed here), the APRA imposes a set of requirements on data brokers, including obligations to register with the FTC (which will be subsequently used to create a public-facing, searchable data broker registry) and maintain a publicly accessible website that contains a clear, conspicuous notice informing individuals that the entity is a data broker using language to be prescribed by the FTC.  The notice must further include a tool for individuals to exercise their individual controls and opt-out rights and a link to the FTC’s data broker registry website. The FTC is further directed to include a “Do Not Collect” mechanism on the data broker registry website that permits an individual to submit a request to all registered data brokers, subject to certain exceptions, that results in registered data brokers no longer collecting covered data related to such individual without the affirmative express consent of such individual.
    • Civil Rights and Covered Algorithms. With respect to race, gender, and other protected characteristics, the APRA would prohibit a covered entity or service provider from collecting, processing or transferring covered data “in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services” on a discriminatory basis, subject to certain exceptions such as using such data for self-testing by the covered entity to prevent or mitigate unlawful discrimination or diversifying an applicant, participant or customer pool. An additional requirement for large data holders would align with restrictions on algorithmic decision-making introduced by the GDPR, pursuant to which large data holders that use covered algorithms in a manner that would pose a consequential risk of harm to an individual or group of individuals and use such covered algorithms to collect, process or transfer covered data would be required to produce “algorithm impact assessments”. The Act sets forth a list of prescriptive requirements for what must be included in such assessments, including detailed descriptions of the design process and methodologies, the data used by the covered algorithm, the steps taken to mitigate potential harms and an assessment of the necessity and proportionality of the covered algorithm in relation to its stated purpose. Conversely, covered entities and service providers are only required to conduct such impact assessments where such entity knowingly develops a covered algorithm that is designed, solely or in part, to collect, process, or transfer covered data in furtherance of a consequential decision. In each case, however, such assessments must (i) be submitted to the FTC for evaluation, (ii) upon request, be made available to Congress and (iii) be summarized and made publicly available.
      • Opt-Out Rights.  Any entity (not just covered entities as defined) that uses a covered algorithm to make or facilitate a consequential decision (e.g., related to access to or equal enjoyment of housing, employment, education enrollment or opportunity, healthcare, insurance or credit or use of or access to any place of public accommodation) must provide the relevant individual notice and an opportunity to opt-out of the designation.

    Enforcement. Departing from the approach adopted by most states (other than California), the APRA permits consumers to file private lawsuits against covered entities that violate certain of their APRA rights (e.g., failures to receive consent for transfers of sensitive data or collection or transfer of biometric or genetic data, failures to provide privacy notices or to permit consumers to exercise their privacy rights), pursuant to which they may recover actual damages, injunctive relief, declaratory relief and reasonable attorney fees and costs.[7] Where injunctive relief or actual damages are sought, consumers must provide the covered entity with thirty (30) days’ written notice of the alleged violation[8], unless the alleged violation resulted in a substantial privacy harm.[9]

    In addition to the private right of action, the APRA delegates primary enforcement authority to the FTC and permits state attorneys general, chief consumer protection officers and other state or federal offices authorized to enforce privacy or data security laws, including the California Privacy Protection Agency, to bring enforcement actions after notification to the FTC, subject to certain exclusions. The FTC is also given the authority to promulgate regulations under a variety of provisions of the Act and is tasked with establishing a new bureau, comparable in nature to the existing FTC bureaus for consumer protection and competition, to assist the FTC in carrying out its duties under the Act.

    Violations of the Act will be treated as violations of a rule defining an unfair or deceptive trade practice under the FTC Act, carrying a maximum civil penalty of $51,744 per violation.  Civil penalties obtained are to be deposited in the Privacy and Security Victims Relief Fund to provide redress, payment, compensation or other monetary relief to individuals affected by an APRA violation.  States may further seek injunctive relief; civil penalties, damages, restitution, or other consumer compensation; attorneys’ fees and other litigation costs; and other relief, as appropriate.

    Preemption of State and Local Privacy Laws. The APRA would generally preempt states from adopting, maintaining or enforcing any law or regulation covered by provisions of the Act, with the exception of an enumerated list of state laws, rendering moot most aspects of the privacy legislation recently passed at the state level.  Despite its wide-ranging preemptive effects, there are a few notable exceptions to the APRA’s broad preemption provisions, including privacy laws related to the protection of employee data (meaning the California Consumer Privacy Act would remain in effect with respect to employee data) as well as carve-outs for certain state laws on discrete subjects related to privacy (e.g., provisions of laws that address privacy rights or other protections of students or student information, data breach notification laws, general consumer protection or civil rights laws).  Similarly, entities subject to and in compliance with other specified federal privacy laws, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, or federal data security requirements shall be deemed in compliance with the related provisions of the APRA.

    State law preemption under the APRA has drawn heavy criticism from legislators and consumer advocacy groups, who view Congress’ approach as creating a ceiling for individual privacy rights rather than a floor.  Opponents of state law preemption argue that the federal government is ill-equipped to respond quickly to technological advancements that impact consumer privacy, whereas the states are often better positioned to respond to rapid changes in the digital environment. On the other hand, small and medium businesses and large corporations from around the country have expressed support for the APRA’s broad preemption provisions, citing the untenable compliance obligations imposed by the current patchwork of privacy legislation.

    Conclusion

    Because of its nationwide scope and potential to preempt state law, the APRA would markedly change the regulatory framework for entities that collect and process data of U.S. individuals. However, given the APRA’s uncertain future, covered entities should continue to monitor legal developments at the federal and state levels.


    [1] A copy of the discussion draft APRA can be found here.

    [2] Defined as entities and their affiliates whose average annual gross revenue for the previous three (3) years did not exceed $40 million, that, on average, did not process the covered data of more than 200,000 (excluding payment transactions) and that do not transfer covered data to third parties for value (i.e., entities that do not “sell” data).

    [3] Covered entities or service providers that have $250 million or more in annual revenue and collect, process, retain, or transfer the covered data of more than 5 million individuals (or 15 million portable devices or 35 million connected devices that are linkable to an individual) or the sensitive data of more than 200,000 individuals (or 300,000 portable devices or 700,000 connected devices), subject to certain exemptions such as for entities that only collect, process, retain or transfer personal mailing or email addresses, personal telephone numbers, log-in information or, in the case of a covered entity that is a seller of goods or services (other than payment processors or platforms), credit, debit, or mobile payment information strictly necessary to initiate, render, bill for, finalize, complete, or otherwise facilitate payments for goods or services.

    [4] Covered entities that provide any internet-accessible platform and generate $3 billion or more in global annual revenue, have 300 million global monthly active users and constitute an online product that is primarily used by individuals to access or share user-generated content.

    [5] Similar to comprehensive state privacy laws passed to date, “de-identified data” is defined as information that cannot reasonably be used to infer or derive the identity of an individual, does not identify and is not linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to such individual, regardless of whether the information is aggregated, if the relevant covered entity or service provider (i) takes reasonable physical, administrative, or technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual; (ii) publicly commits in a clear and conspicuous manner to: (A) process, retain, or transfer the information solely in a de-identified form without any reasonable means for re-identification; and (B) not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and (iii) contractually obligates any entity that receives the information from the covered entity or service provider to: (A) comply with all of the provisions of this paragraph/clauses (i) and (ii) with respect to the information; and (B) require that such contractual obligations be included contractually in all subsequent instances for which the data may be received.

    [6] Notably, this would mean any browsing data on such platforms, even without cross-site tracking, would require affirmative consent for third party transfers.

    [7] Notably, (i) California residents are further entitled to recover statutory damages consistent with the CCPA for an action related to a data breach and (ii) consumers may recover statutory damages consistent with Illinois’s Biometric Information Privacy Act and Genetic Information Privacy Act for an action involving a violation of the affirmative express consent provisions for biometric and genetic information where the conduct occurred substantially and primarily in Illinois.

    [8] If a cure for the alleged violation is possible within thirty (30) days, and the entity in fact cures and provides written notice of such cure to the individual, an action for injunctive relief will not be permitted.

    [9] Substantial privacy harms include financial harms of $10,000 or more and physical and mental harms that involve (i) treatment by a licensed health care provider, (ii) physical injury, (iii) highly offensive intrusions into the privacy expectations of a reasonable consumer or (iv) discrimination on the basis of a protected characteristic.

    EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond

    On March 7, 2024, the Court of Justice of the European Union (the “CJEU”) handed down its judgment in the IAB Europe case, answering a request for a preliminary ruling under Article 267 TFEU from the Brussels Market Court.[1]  The case revolves around IAB Europe’s Transparency and Consent Framework (“TCF”) and has been closely monitored by the AdTech industry ever since the Belgian DPA investigated and subsequently imposed a 250,000 euro fine on IAB Europe for alleged breaches of GDPR and e-Privacy rules back in 2022.[2]

    Factual Background

    IAB Europe is a European-level standard-setting association for the digital marketing and advertising ecosystem.  Back in 2018, when GDPR entered into force, it designed the TCF as a set of rules and guidelines that addresses challenges posed by GDPR and e-Privacy rules in the context of online advertising auctions (such as real-time bidding).  The goal was to help AdTech companies that do not have any direct interaction with the website user (i.e., any company in the AdTech ecosystem that is not the website publisher, such as ad networks, ad exchanges and demand-side platforms) to ensure that the consent the website publisher obtained (through cookies or similar technologies) is valid under the GDPR (i.e., freely given, specific, informed and unambiguous) and that, therefore, those AdTech companies can rely on that consent to serve ads to those users in compliance with GDPR and e-Privacy rules.

    On a technical level, in greatly simplified terms, the TCF is used to record consent (or lack thereof), or objections to the reliance on legitimate interests under GDPR, among IAB’s members by storing the information on consents and objections in a Transparency and Consent String (the “TC String”).  The TC String is a coded representation (a string of letters and numbers) of a user’s preferences, which is shared with data brokers and advertising platforms participating in the TCF auction protocol that would not otherwise have a way to know whether users have consented or objected to the processing of their personal data.[3]

    First Question: Does the TC String constitute Personal Data?

    The CJEU now ruled, echoing its earlier decision in Breyer,[4] that the TC String may constitute personal data under the GDPR to the extent those data may, by “reasonable means”, be associated with an identifier such as an IP address, allowing the data subject to be (re-)identified.  The fact that IAB Europe can neither access the data that are processed by its members under its membership rules without an external contribution, nor combine the TC String with other factors itself, did not preclude the TC String from potentially being considered personal data according to the CJEU.[5] 

    Second Question: Does IAB Europe act as Data Controller?

    Secondly, the Court decided that IAB Europe, as a sectoral organization proposing a framework of rules regarding consent to personal data processing, which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data, should be deemed a joint controller together with its members if and to the extent it exerts influence over the processing “for its own purposes” and, together with its members, determines the means behind such operations (e.g., through technical standards).  In the IAB Europe case, this concerns in particular the facilitation by IAB of the sale and purchase of advertising space among its members and its enforcement of rules on TC String content and handling.  It also seemed particularly relevant to the Court that IAB Europe could suspend membership in case of breach of the TC String rules and technical requirements by one of its members, which may result in the exclusion of that member from the TCF.

    Further, in keeping with earlier CJEU case-law[6], the Court found it irrelevant that IAB Europe does not itself have direct access to the personal data processed by its members.  This does not in and of itself preclude IAB Europe from holding the status of joint controller under GDPR.

    However, the Court also reiterated that joint controllership does not automatically extend to subsequent processing by third parties, such as – in this case – website or application providers further processing the TC String following its initial creation, unless the joint controller continues to (jointly) determine the purposes and means of that subsequent processing.  This is in line with the Court’s 2019 Fashion ID judgment.[7]  In addition, the Court opined that the existence of joint controllership “does not necessarily imply equal responsibility” of the various operators engaged in the processing of personal data. The level of responsibility of each individual operator must be assessed in the light of all the relevant circumstances of the particular case, including the extent to which the different operators are involved at different stages of the data processing or to different degrees.  So not all joint controllers are created equal.

    Key Takeaways

    In our view, the first finding is not groundbreaking.  It largely confirms the Court’s previous case-law establishing that “personal data” must be interpreted broadly under GDPR, meaning the standard for truly “anonymized data” continues to be very high.  It will now be for the Brussels Market Court to determine whether, based on the specific facts of the IAB Europe case, the TC String indeed constitutes personal data.

    The second finding may have caught more people off guard.  While it will again be up to the Brussels Market Court to determine whether IAB Europe is actually a joint controller in respect of the personal data alleged to be included in the TC String, the Court’s expansive interpretation of the concept of joint controllership (i.e., where “two or more controllers jointly determine the purposes and means of processing” (Article 26 GDPR)) could have broader ramifications beyond the AdTech industry. 

    Organizations that until now have consistently taken the position that they do not qualify as a data controller in respect of the data processing activities of their members, users or customers may need to re-assess that position and, based on the specific factual circumstances relevant to them, consider whether they might in fact be subject to the GDPR’s onerous obligations imposed on data controllers.  This may be particularly relevant for standard-setting bodies and industry associations active or established in Europe, potentially hampering their ability to continue developing relevant standards and rules.  Arguably, this could even capture certain providers or deployers of software and other computer systems, including those developing or deploying AI models and systems, if they were found to issue “binding technical rules” and “rules setting out in detail the arrangements for storing and disseminating personal data” and actually enforced those rules against third parties using their models and systems to process personal data.

    Even if some solace can be found from a liability perspective in the Court’s confirmation that joint controllership relating to the initial collection of personal data does not automatically extend to the subsequent processing activities carried out by third parties, and that not all joint controllers are created equal, the compliance burden on “newfound joint controllers” may nevertheless be significant, because key obligations on lawfulness, transparency, data security and accountability are triggered irrespective of the “degree” of controllership in question.

    In our view that would take the concept of “joint controllership” too far beyond its literal meaning and originally intended purpose, but it remains to be seen which other enforcement actions will be taken and which other cases raising similar questions may find their way through the European courts in the coming months and years.


    [1] CJEU, judgment of March 7, 2024, IAB Europe, C-604/22, ECLI:EU:C:2024:214 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=283529&pageIndex=0&doclang=FR&mode=req&dir=&occ=first&part=1&cid=167405).

    [2] For more information on the original case in front of the Belgian DPA, see the DPA’s dedicated landing page: https://www.dataprotectionauthority.be/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr.

    [3] For more information, see the IAB Europe website: https://iabeurope.eu/.

    [4] CJEU, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraphs 41-49 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1303370).

    [5] Recital 26 of GDPR further clarifies that, “to ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”  This will always require a fact-intensive, case-by-case inquiry, but it is now even more clear that “it is not required that all the information enabling the identification of the data subject must be in the hands of one person” (CJEU, IAB Europe judgment, §40).

    [6] CJEU, judgment of July 10, 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 69 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305431), and CJEU, judgment of June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 38 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305548).

    [7] CJEU, judgment of July 29, 2019, Fashion ID, C‑40/17, EU:C:2019:629, paragraph 74 (https://curia.europa.eu/juris/document/document.jsf?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1305826), as commented on in our earlier blog post here: https://www.clearycyberwatch.com/2019/08/cjeu-judgment-in-the-fashion-id-case-the-role-as-controller-under-eu-data-protection-law-of-the-website-operator-that-features-a-facebook-like-button/; see also the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR (version 2.1, adopted on July 7, 2021), in relation to the concept of “converging decisions”, at paragraphs 54-58 (https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf).

    Biden Administration Executive Order Targets Bulk Data Transactions

    The Biden administration recently issued Executive Order 14117 (the “Order”) on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.”  Building upon earlier Executive Orders[1], the Order was motivated by growing fears that “countries of concern” may use artificial intelligence and other advanced technologies to analyze and manipulate bulk sensitive personal data for nefarious purposes.  In particular, the Order notes that unfettered access to Americans’ bulk sensitive personal data and United States government-related data by countries of concern, whether via data brokers, third-party vendor agreements or otherwise, may pose heightened national security risks. To address these possibilities, the Order directs the Attorney General to issue regulations prohibiting or restricting U.S. persons from entering into certain transactions that pose an unacceptable risk to the national security of the United States.  Last week, the Department of Justice (“DOJ”) issued an Advance Notice of Proposed Rulemaking, outlining its preliminary approach to the rulemaking and seeking comments on dozens of issues ranging from the definition of bulk U.S. sensitive personal data to mitigation of compliance costs.

    The forthcoming proposed rule will apply to transactions that (i) involve bulk sensitive personal data or U.S. Government-related data; (ii) are part of a class of transactions determined by the Attorney General to pose an unacceptable risk to the national security of the U.S.; (iii) were initiated, are pending, or will be completed after the effective date of the regulations; (iv) do not qualify for an exemption and are not authorized by a license as set forth in the regulations; and (v) are not “incident to and part of the provision of financial services, including banking, capital markets, and financial insurance services, or required for compliance with any Federal statutory or regulatory requirements.”  The proposed rule will be published for public notice and comment by August 26, 2024.  What is interesting is that the Order specifically does NOT impose generalized data localization requirements or prohibit commercial transactions with countries of concern, but rather is tailored to the types of transactions described above.

    The proposed rule will also (i) identify classes of prohibited transactions; (ii) identify classes of restricted transactions; (iii) identify countries of concern and other covered persons; (iv) establish mechanisms to provide further clarity regarding the Order and any implementing regulations; (v) establish a process to issue licenses authorizing transactions that would otherwise be prohibited or restricted; (vi) define relevant terms; (vii) address coordination with other government entities; and (viii) address the need for recordkeeping and reporting of transactions to inform investigative, enforcement, and regulatory efforts.  Among other factors, the proposed regulations will consider both the nature of the class of transaction and the volume of bulk sensitive personal data involved.  Any proposed regulations will also “establish thresholds and due diligence requirements for entities to use in assessing whether a transaction is a prohibited transaction or a restricted transaction.”  Additionally, the Secretary of Homeland Security is directed to propose and seek public comment on security requirements to mitigate the risk posed by restricted transactions.  The security requirements will be based on the National Institute of Standards and Technology Cybersecurity and Privacy Frameworks.  The Secretary of Homeland Security will also issue interpretive guidance regarding such security requirements and the Attorney General will issue enforcement guidance.

    Several other agencies are also directed or advised by the Order to address risks relating to network infrastructure, health data and human genomic data, and the data brokerage industry.  The Order also requires the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to make recommendations as to how to mitigate risks from transfers of bulk sensitive personal data to countries of concern that have already occurred.

    Many of the key concepts in the Order, including “countries of concern” and prohibited and restricted transactions, will be further defined and clarified through the rulemaking process. However, it is clear that transactions involving cross-border transfers of large quantities of sensitive personal information will be the enhanced focus of regulatory scrutiny and eventual enforcement, particularly where they involve countries of concern.  The DOJ is accepting comments on the Advance Notice of Proposed Rulemaking until April 19, 2024.  The public will also have the opportunity to comment on the DOJ’s proposed rule later this year.


    [1] Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain) and Executive Order 14034 of June 9, 2021 (Protecting Americans’ Sensitive Data from Foreign Adversaries).

    New Privacy Laws Enacted in New Jersey and New Hampshire

    On January 16, 2024, New Jersey officially became one of a growing number of states with comprehensive privacy laws, as Governor Phil Murphy signed Senate Bill 332 (the “New Jersey Privacy Act”) into law.[1]  New Hampshire followed closely behind, with its own comprehensive privacy law, Senate Bill 255 (the “New Hampshire Privacy Act” and, together with the New Jersey Privacy Act, the “Acts”), signed into law by Governor Chris Sununu on March 6, 2024.[2]

    As with many of the other comprehensive privacy laws enacted around the country in the past few years, the Acts are based on the Washington Privacy Act model, containing many familiar consumer rights and protections, though with some notable differences highlighted below.  Joining all currently enacted comprehensive U.S. state privacy laws with the exception of California, the New Jersey Privacy Act and the New Hampshire Privacy Act do not include a private right of action and do not apply to New Jersey or New Hampshire residents acting in a commercial or employment context.  The New Jersey Privacy Act will come into effect 365 days from enactment, or January 15, 2025, with certain provisions, including regarding universal opt-out mechanisms discussed below, coming into effect later in 2025, while the New Hampshire Privacy Act will come into effect on January 1, 2025.

    Applicability

    Processing Thresholds.  Following the trend set by other comprehensive state privacy laws, such as those in Connecticut and Colorado, the New Jersey Privacy Act applies to controllers that (i) conduct business in New Jersey or produce products or services that are targeted to New Jersey residents and (ii) during a calendar year either control or process the personal data of (a) at least 100,000 consumers (i.e., New Jersey residents acting in an individual or household context), excluding personal data processed solely for the purpose of completing a payment transaction or (b) at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale[3] of personal data.

    The New Hampshire Privacy Act similarly follows the applicability standards of many prior state privacy laws, though with a few changes to account for the smaller population of the state.  The New Hampshire Privacy Act applies to persons that (i) conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents and (ii) during a one-year period either control or process the personal data of (a) not less than 35,000 unique consumers (i.e., New Hampshire residents acting in an individual or household context), excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (b) not less than 10,000 unique consumers and derive more than 25 percent of gross revenue from the sale of personal data.

    Exceptions.  While the New Jersey Privacy Act contains some common exceptions to applicability, such as for protected health information collected by a covered entity or business associate under the Health Insurance Portability and Accountability Act, or for financial institutions and their affiliates or data subject to the Gramm-Leach-Bliley Act, there is no exception for non-profit organizations or higher education institutions.  Non-profit organizations that may be exempt under many other state privacy laws (e.g., Colorado, Delaware (which only exempts non-profits dedicated to preventing and addressing insurance crime) and Oregon (where the non-profit applicability exemption will expire in July of 2025)) will need to pay close attention to the New Jersey Privacy Act, since such an organization will need to meet the standard requirements of the New Jersey Privacy Act if it meets the general applicability threshold by either processing or selling the personal data of the relevant number of New Jersey-based consumers.

    The New Hampshire Privacy Act also contains many of the familiar exceptions to applicability, including for non-profit organizations and higher education institutions.  However, the exception for financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act does not include affiliates of such institutions.  Entities that have some affiliates that are subject to the Gramm-Leach-Bliley Act but others that are not will need to carefully consider applicability under the New Hampshire Privacy Act.

    Data Protected

    Both Acts apply to a similar set of data as other state comprehensive privacy laws, applying to personal data that is “linked or reasonably linkable to an identified or identifiable” individual.[4] However, there are a few notable expansions in the types of data the Acts cover and the protections afforded to certain data when compared with other similar state privacy laws.

    Sensitive Data.  The definition of sensitive data under the New Jersey Privacy Act includes not only typical information such as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition, etc., but also a few more unique categories.  First, like California, the definition encompasses financial information, which includes a consumer’s account number, account log-in, financial account or credit or debit card number in combination with any required security or access code or password that would permit access to a consumer’s financial account.  Following Oregon and Delaware’s definitions, sensitive data also includes personal data revealing status as transgender or non-binary.  Conversely, the New Hampshire Privacy Act’s sensitive data definition largely aligns with other state laws, without such additions.  Like other state privacy laws with the exception of California, both Acts require consumer consent to process sensitive data, and such processing additionally requires controllers to conduct data protection assessments, as discussed later in this post. 

    Children’s and Minors’ Data.  In addition to requirements to process personal data of children under the age of 13 in accordance with the Children’s Online Privacy Protection Act, the New Jersey Privacy Act requires controllers to obtain consent before processing personal data for purposes of targeted advertising, selling personal data or profiling in furtherance of decisions that produce legal or similarly significant effects where the controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years old but younger than 17 years old.  The New Hampshire Privacy Act has a similar requirement as regards the processing of a minor’s data, but consent is only required where a controller is processing personal data for purposes of targeted advertising or selling personal data (and not profiling) and the requirement applies when a controller both has actual knowledge and willfully disregards that the consumer is at least 13 years old but younger than 16.

    Other Notable Provisions

    While this post does not attempt to cover all provisions of the Acts, there are a few additional provisions that differentiate the New Jersey Privacy Act and the New Hampshire Privacy Act from similar state privacy acts.

    Website Link.  Similar to California, the New Hampshire Privacy Act requires that controllers provide a “conspicuous link” on the controller’s website that enables a consumer or their agent to opt-out of targeted advertising or the sale of personal data.

    Data Protection Assessments.  Like other state privacy laws, both Acts require controllers to conduct data protection assessments for processing activities that present a heightened risk of harm to a consumer.  The New Jersey Privacy Act is unique, however, in that it makes clear that such assessments must be conducted before the relevant processing activity requiring such assessment can occur.  In other words, controllers are expressly prohibited from conducting processing activities that present a heightened risk of harm to consumers without first conducting and documenting a data protection assessment of each of their processing activities involving personal data acquired on or after the New Jersey Privacy Act’s effective date.  Fortunately, in line with the requirements set forth under other state regimes, including New Hampshire, “heightened risk” is defined to include processing personal data for targeted advertising, profiling if it presents certain reasonably foreseeable risks, selling personal data and processing sensitive data, and the items required to be considered in the data protection assessments, including weighing the benefits of processing against the rights of the consumer and the use of de-identified data, are also in line with other states’ requirements.  Accordingly, to the extent controllers covered by the Acts that engage in the aforementioned processing activities are also subject to requirements to conduct data protection assessments under other currently effective privacy regimes, such controllers should be able to leverage such assessments for compliance purposes.

    Universal Opt-Out.  Both Acts require controllers to recognize universal opt-out signals if controllers undertake certain processing activities.  The New Jersey Privacy Act provides that no later than 6 months after the New Jersey Privacy Act’s effective date, controllers that process personal data for targeted advertising or that sell personal data must allow consumers to exercise their rights to opt-out of such processing through a user-selected universal opt-out mechanism (the technical specifications for which will be subject to further regulation as discussed below).  Under the New Hampshire Privacy Act, controllers that process personal data for targeted advertising or sell personal data must allow consumers to opt-out through an opt-out preference signal no later than January 1, 2025, which is the same as the New Hampshire Privacy Act’s effective date.  Both Acts set forth a number of requirements for the universal opt-out mechanisms, with New Hampshire’s aligning more closely with terms used in other state privacy laws that contain universal opt-out mechanisms such as Colorado and Connecticut; however, both Acts instruct that the universal opt-out mechanisms should be “as consistent as possible” with similar mechanisms required by federal or state law or regulation, highlighting the intent to encourage standard opt-out mechanisms. 

    Rulemaking.  New Jersey becomes only the third state with a comprehensive privacy law to specifically contemplate rulemaking by a state agency, joining California and Colorado.  Here, the Director of the Division of Consumer Affairs in the Department of Law and Public Safety is empowered to promulgate rules and regulations necessary to effectuate the purposes of the New Jersey Privacy Act, including with regard to universal opt-out mechanisms as discussed above.  No timeline is given for the enactment of such rules, but as seen in the rulemaking process occurring in California, such rules could have significant impacts on privacy requirements in the state.  The New Hampshire Privacy Act provides for only limited rulemaking by the secretary of state with respect to establishing standards for “clear and meaningful” privacy notices and the means by which consumers may submit requests to exercise their rights.

    Sunsetting Cure Periods.  Both Acts contain cure periods before actions are brought against controllers (30 days in New Jersey and 60 days in New Hampshire), but these cure periods are set to expire under each of the Acts.  The New Jersey Privacy Act requires the Division of Consumer Affairs in the Department of Law and Public Safety to issue a notice to the controller in violation if cure is deemed possible, up until 18 months after the effective date of the act (July 2026), whereas the New Hampshire Privacy Act requires the attorney general to issue a notice of violation to the controller if cure is possible only until December 31, 2025, after which the notice of violation is discretionary.  The sunsetting cure periods indicate that the states expect entities to come into compliance with the new requirements reasonably quickly.

    Conclusion

    The New Jersey Privacy Act and the New Hampshire Privacy Act do not break the mold when it comes to comprehensive privacy laws in the United States.  However, differences in applicability, scope of protection, and requirements on data controllers mean that businesses must pay close attention to the nuances of each new privacy law enacted to ensure continued compliance.


    [1] The full text of Senate Bill 332 is available here.

    [2] The full text of Senate Bill 255 is available here.

    [3] Note that both the New Jersey Privacy Act and New Hampshire Privacy Act define “sales” to include exchanges of personal data to a third party for monetary or other valuable consideration. 

    [4] This definition in both Acts also carves out de-identified and publicly available information, following the definitions set forth under other state privacy laws; however, the New Jersey Privacy Act is silent with respect to pseudonymous data, suggesting that such data may qualify as personal data subject to the New Jersey Privacy Act’s requirements and restrictions. By contrast, the New Hampshire Privacy Act provides that certain of the rights afforded to consumers do not apply to pseudonymized data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and subject to effective controls to prevent the controller from accessing it.