Author: Josephine Law, FIP, CIPP/US, CIPM

The Senate has passed a law that reauthorizes part of the Foreign Intelligence Surveillance Act, which allows the US government to collect and monitor electronic communications of foreign targets. The passing of this law happened on Friday, just minutes after the deadline, despite opposition from privacy advocates and former President Donald Trump. Section 702, which has been in place since 2008, allows US intelligence officers to bypass the warrant process and compel companies such as AT&T and Google to share communications of foreigners who live outside of the US. While doing so, officials may also track messages from Americans who…

The Cybersecurity Framework of the U.S. National Institute of Standards and Technology has been updated to version 2.0. This is the first update since 2014. The CSF 2.0 is designed to support the implementation of the U.S. National Cybersecurity Strategy, with a broadened scope beyond protecting critical infrastructure. It includes resources and best practices applicable to organizations across all economic sectors. NIST indicated that the updates also added emphasis on governance, risk management, and information sharing, among other things. The CSF 2.0 is a valuable tool for organizations looking to improve their cybersecurity posture and protect against cyber threats. The…

The White House recently announced that all federal agencies have successfully completed the 90-day tasks mandated by U.S. President Joe Biden’s executive order to promote the safe adoption and development of artificial intelligence technologies. This executive order, signed on January 20, 2021, emphasized the importance of collaboration among federal agencies to identify and manage AI safety and security risks and promote the development of safe and innovative AI practices. To ensure the mandate was met, Deputy Chief of Staff Bruce Reed convened a meeting with the heads of various federal agencies, including the Department of Defense, the National Science Foundation,…

The AI Literacy Act is a significant legislative proposal introduced in Congress with bipartisan support. Its central objective is to enhance AI skills and workforce readiness to prepare the country for the future of work. The act seeks to provide AI literacy and training programs emphasizing ethical considerations and ensure learners develop the necessary competencies to work with artificial intelligence. Additionally, the legislation aims to expand grant eligibility to K-12 schools, colleges, and nonprofit organizations, enabling them to access funding to support AI education and training initiatives. By doing so, the act would promote greater access to AI skills and…

On January 8, 2024, Senate Bill 332 passed both chambers of the New Jersey state legislature, positioning the state to become the thirteenth U.S. state to enact comprehensive privacy legislation. If approved by the governor, the state will have its own law that shares similarities with those of other states but also has unique features that distinguish it. IAPP News editor Joe Duball has written an article that explores the intricacies of the bill and emphasizes its distinguishing characteristics. Full story If the governor signs the bill into law, New Jersey residents will have more control over their personal data,…

Gov. Gavin Newsom, D-Calif., signed Senate Bill 362, also known as the Delete Act, into law on October 10. SB 362 is a bill that directs the California Privacy Protection Agency (CPPA) to establish a bulk deletion mechanism linked to the state’s data broker registry. This mechanism will allow 45 million Californian residents to submit a single request to delete their personal data from the databases of the approximately 500 data brokers registered to operate in the state. By January 1, 2026, data brokers must process new deletion requests submitted under this mechanism every 45 days, starting August 1, 2026.…

U.S. President Joe Biden and European Commission President Ursula von der Leyen announced Friday that the U.S. and EU have reached a new trans-Atlantic data flow agreement in principle. Though the details about the deal are not yet known, in a press conference, Biden said, “Today we have agreed to unprecedented protections for data privacy and security for our citizens. This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and in the United States and help companies, both small and large, compete in the digital economy.” Von der Leyen added, “This will enable predictable…

ITPro Today reports a recent analysis conducted by regulatory compliance vendor Zendata showed a majority of websites belonging to U.S.-based companies do not comply with the EU General Data Protection Regulation. The vendor examined 1,000 U.S. websites in December 2021 and found 67% had compliance issues in the areas of transparency and user tracking. Further analysis showed 44% of websites did not provide an opt-out mechanism while 55% did not present a third-party cookie notice when first entering the site. Full Story

Joining the global trend originating in Europe with the General Data Protection Regulation (GDPR), Brazil recently enacted its own omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. Similar to the EU’s GDPR and California’s Consumer Privacy Act (CCPA), LGPD is intended to regulate the processing of personal data. The stated purpose of the law is to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” Read More

On July 9, the New York City biometric data protection law entered into force with anticipated impacts on local businesses and restaurants, many of which still address COVID-19 health and safety protocols. The law requires certain businesses to post formal notices if they collect biometric data, and it expressly prohibits them from using such data for transactional purposes. The law also creates a private right of action enabling aggrieved parties to collect statutory damages — ranging from $500 to $5,000 — per violation. Interestingly, the New York general assembly considers a state-wide biometric privacy law (Assembly Bill 27), which contains…