Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward.

By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA), making Utah the fourth US state to enact comprehensive data privacy legislation. The UCPA was introduced on February 17, 2022, and sped through the state legislature, receiving final passage on March 3, 2022.

The UCPA, which is set to take effect on December 31, 2023, builds off existing and forthcoming privacy legislation in California, Colorado, and Virginia, but lightens some of the compliance burdens on businesses. The UCPA does not impose any new privacy obligations on businesses that are not already required in California, and businesses will be familiar with the UCPA’s requirements — all of which have appeared in existing and forthcoming state data privacy laws. In a welcome change for businesses, however, the UCPA is narrower in certain respects as compared to its analogues in California (CCPA/CPRA), Colorado (CPA), and Virginia (VCDPA). (See, e.g., Virginia Consumer Data Protection Act: Second US State Passes Comprehensive Data Privacy Legislation.)

The UCPA represents the latest in a string of state privacy laws that seek to fill a nationwide gap while Congress continues to debate the merits of a federal data privacy law. The UCPA marks a slightly different variation, as it appears to have been more directly informed by industry groups such as TechNet and the State Privacy Security Coalition. These industry groups are working toward a uniform set of privacy laws in the United States, and Utah could set an example for additional states.

This blog post discusses some of the UCPA’s key provisions.

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

By Hui Xu, Kieran Donovan, and Bianca Lee

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (PIPL), the first legislation dedicated to protecting personal information in China. PIPL will take effect on November 1, 2021. PIPL previously

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which was adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security

The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC.

By Hui Xu and Kieran Donovan

On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of the law is to regulate data activities, safeguard data security, promote data development and usage, protect individuals and entities’ legitimate rights and interests, and

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the last year statistics are available) year-on-year with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth

On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on international personal data transfers (the Guidance) in the wake of the CJEU Schrems II decision. The EDPB simultaneously issued updated recommendations on the European Essential Guarantees for surveillance measures, which are referred to in the Guidance. The Guidance sets out the EDPB’s proposed step-by-step process for data controllers or data processors that export personal data outlining how to assess their data transfers and implement General Data Protection Regulation (GDPR)-compliant mechanisms to protect data flows. One day later, the European Commission released draft updated Standard Contractual Clauses (SCCs) for the transfer of personal data. The draft updated SCCS are explicitly designed to address Schrems II requirements, and cross-refer extensively to the Guidance in the draft implementing decision. —

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols.

By Jennifer C. Archie, Serrin Turner, and Tim Wybitul

Key Points:

  • The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US.
  • The FBI’s Internet Crime Complaint Center (IC3) estimates that global “exposed dollar losses” to BEC fraud has exceeded US$26 billion in the past three years.[i] In 2019 alone, the IC3 recorded 23,775 complaints about BEC, which resulted in losses worth some US$1.7 billion.
  • All parties to financial transactions must be aware of this fraud risk. Each should put in place not only appropriate security controls for email, but also financial controls for bank account and wiring-instruction verification.

What Is Business Email Compromise?

Business email compromise is a type of Internet-based fraud that typically targets employees with access to company finances — using methods such as social engineering and computer intrusions. The objective of the fraud is to trick the employee into making a wire transfer to a bank account thought to belong to a trusted partner, but that in fact is actually controlled by the fraudster.

As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation.

By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva

On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security of the Russian segment of the internet. However, the overall effect of the RuNet Law is expected to be similar to China’s Great Firewall, a system of legal and technical measures employed by the Chinese government to monitor and restrict the use of the internet.