With its private right of action and expansive scope – extending far beyond Washington state’s borders and applying to a wide swath of health- and non-health-oriented companies alike – Washington’s My Health My Data Act is poised to be more ground-shifting than any other consumer privacy law that came before it. Join Kyle Fath, Bola Shonowo and Gicel Tomimbang for a discussion of:

Continue Reading Join us on September 28 for a Webinar on Washington’s My Health My Data Act and other Consumer Health Data Regulation

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provide direction on the Agency’s upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review and evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

China Generative AI New Provisional Measures | Privacy World

Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators | Privacy World

India Welcomes Landmark Data Protection Law | Privacy World

Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny | Privacy World

The French CNIL’s New Guidance on Whistleblowing | Privacy World

Recently, the Cyberspace Administration of China issued new comprehensive provisional measures, which went into effect on August 15, 2023, and govern the development and use of generative AI (GAI) in China. The measures cover “GAI services” (including foreign-invested GAI services) provided within the PRC, including the text, pictures, audio, video and other content they generate. These rules apply to the use of GAI services provided to the public, and not to the internal use of generative AI by a company or research institution.

The importance of this regulation is that it confirms that the GAI service provider (including the platform operator) takes the primary responsibility for compliance. The GAI service provider will be viewed as the “internet content provider” (ICP) under the Chinese laws, which makes them subject to various other regulations and licensing requirements. Based on these measures, the practical effect of this law appears likely to prevent foreign generative AI service providers from providing such services in China.

Article 4 of the measures requires providers of GAI services to ensure that they comply with:

  • “Upholding socialist core values” – Including not generating any prohibited content, such as content that incites “subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites splitting the country, undermines national unity and social stability, advocates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information.”
  • Taking effective measures to prevent discrimination – With regard to, for example, nationality, religion, country, region, gender, occupation and health, in the design of the algorithm, training data set, model generation, optimization and service provision.
  • Respecting intellectual property rights and business ethics – Including keeping confidential trade secrets and refraining from “carrying out acts of monopoly and unfair competition” regarding proprietary algorithms, data and platforms.
  • Respecting others’ legitimate rights and interests – Refraining from endangering others’ physical and mental health and respecting their honor and privacy.
  • Boosting the transparency, accuracy and reliability of the contents generated by GAI services. 

A stated goal of the measures is to promote independent innovations as to GAI algorithms, frameworks, chips and supporting software platforms, including international exchanges on an “equal and mutually beneficial basis.” 

GAI service providers must conduct pre-training, optimization and other training ensuring that the use of data is:

  • From lawful sources
  • Not infringing IP
  • Obtained with the individual’s consent

GAI service providers are required to improve the quality of the training data set, carry out quality assessments and provide necessary training to the annotation staff in order to respect the law. The provider, which is the entity ultimately providing the service to the public in China, is responsible for the operation of GAI services, including ensuring that underage users (under 18 years old) are prevented from “over-relying on or addicting to GAI Services.” As for the information input by the user, the provider is bound not to unnecessarily or illegally collect, use or share the input (including personal) information.

The provider is required to obtain governmental approvals to the extent that the generated content creates text, pictures, videos or other content that are subject to government labeling requirements (such as requiring watermarks with the name and unique ID of the service provider). In addition, depending on the nature of the GAI services, an internet content provider license may be required. Further, additional licenses, such as press and publication, film and television and public opinion broadcast licenses, may be required. We note that most of the content-related licenses listed above prohibit foreign investment. 

The GAI service provider must promptly remove illegal content, report the incident to the relevant authority and retrain the system to prevent a recurrence. For users who utilize GAI services for illegal activities, the provider must issue warnings and impose service restrictions, keep records of the activity and report to the relevant authorities. In addition, the provider must provide an effective complaint and whistleblower system for its users to report such abuse. Users also have the right to complain directly to the relevant authorities.

To the extent that a GAI service may create public opinions or is capable of social mobilization, it must undergo a state security assessment, including filing the algorithm. 

GAI service providers that fail to follow the regulations are subject to punishment under any existing laws and, failing that, can be ordered to revise the service, issue public criticism of the service and/or to suspend the service. 

If you would like to discuss these measures or any other regulation applicable to AI, feel free to reach out to any of our market-leading global AI and data group, including Scott Warren, Lindsay Zhu, Charmian Aw and Nick Chan (for APAC), David Naylor and Charles Helleputte (for Europe), or Alan Friel, Julia Jacobson and Kyle Fath (for the US).

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

As many of our readers know, keeping up with new developments in the privacy landscape is sometimes like drinking from a firehose. With respect to privacy enforcement, particularly in California and Colorado, the hose was turned on June 30th and has been running all summer long. This barrage of information has left unanswered questions for many. What does the delay in enforcement of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA) (together, CCPA) regulations really mean? What am I required to comply with as of today? What are regulators already focusing on in their privacy enforcement efforts this summer?

Continue Reading Red Hot Enforcement Summer: No Vacation for California and Colorado Privacy Regulators

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

India Welcomes Landmark Data Protection Law | Privacy World

Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny | Privacy World

The French CNIL’s New Guidance on Whistleblowing | Privacy World

SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations | Privacy World

Singapore Consults on Personal Data Guidelines for AI | Privacy World

Illinois Supreme Court Refuses to Reconsider Decision That BIPA Claims Accrue Individually with Each Violation | Privacy World

The Close of the Javier Saga | Privacy World

On 11 August 2023, after close to a decade since its initial conception, India’s Digital Personal Data Protection Act (Act) received presidential assent, formalising the nation’s first ever comprehensive data protection law.

Definitions

There are several key definitions and references adopted in the Act, as follows:

  • “Data principal” means a data subject.
  • “Data fiduciary” means a data controller.
  • “Data processor” means a data processor, but it remains unclear whether this includes a sub-processor.
  • “Consent manager” means a person registered with the Data Protection Board of India (Board), who acts as a point of contact to enable a data principal to give, manage, review and withdraw their consent.
  • Prior references to sensitive personal data and critical personal data found in the earlier 2022 version of the Digital Personal Data Protection Bill (Bill) have since been removed.

Scope and Applicability

The Act applies to digital personal data, including non-digital data that is subsequently digitised.

Similar to the EU GDPR and UK GDPR, the Act asserts extraterritorial reach, applying to the “processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to Data Principals within the territory of India”. As such, overseas entities that offer goods or services in India may find themselves subject to the obligations under the Act. However, unlike the EU GDPR, UK GDPR and even the earlier 2022 version of the Bill, those extraterritorial reach provisions do not apply to processing in connection with profiling of individuals within India. That omission is potentially helpful to organisations outside India looking to use data to, for instance, train artificial intelligence (AI) models using big datasets likely to include personal data relating to individuals within India. It potentially allows AI service providers to scrape publicly available personal data from the internet without consent and without being swept up by other provisions of the Act.

A noteworthy aspect is that business process outsourcing (BPO) providers are exempted from the Act for offshore personal data processing. More specifically, the exclusion applies where “personal data of Data Principals not within the territory of India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India”. This, in effect, insulates BPO service providers in India from many of the Act’s provisions, though not from the obligation to implement “reasonable safeguards to prevent [a] personal data breach”. This seems particularly pertinent, given that India houses the world’s largest BPO industry.

Further, the Act does not apply where processing is necessary for “research, archiving or statistical purposes” if the personal data is not used in any decision specific to a data principal and is carried on in accordance with standards that are to be prescribed.

There are also narrower exemptions (specifically, exclusions from most of the obligations imposed on data fiduciaries, save for implementing reasonable security measures to protect the data) in respect of processing of personal data:

  • That is necessary for enforcing any legal right or claim
  • In the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law
  • That is for a scheme of arrangement, merger or amalgamation, or transfer of an undertaking, or involving the division of one or more companies, approved by a court or tribunal or other competent authority
  • For debt recovery purposes as circumscribed under the Act

Legal Bases for Processing

The Act only recognises two main lawful grounds for processing personal data, namely:

  • Consent from data principals
  • Certain “legitimate uses”, such as:
    • A data principal voluntarily providing, to the data fiduciary, their personal data for a specified purpose, without indicating that they do not consent to the use of such data[1]
    • Where the state provides or issues to the data principal any subsidy, benefit, service, certificate, licence or permit, or performs any functions at law or in the interest of India’s sovereignty, integrity or security
    • To fulfil any legal obligation or comply with any judgement, decree or order at law
    • To respond to a medical emergency, provide medical treatment or health services during an epidemic, or for the safety of or to provide assistance during a disaster

Notice and Consent

Notices have the following content requirements:

  • They must be in clear and plain language, either in English or, at the data principal’s option, any of the 21 languages specified in the Eighth Schedule to the Constitution of India.
  • Notices must include:
    • The nature of personal data being collected and processed
    • The purpose of processing
    • The mechanism or process through which a data principal can exercise their rights in relation to their personal data
    • The mechanism or process through which a data principal can make a complaint to the Board
    • If a data fiduciary is a significant data fiduciary (see below), the contact details of the data protection officer or any other person authorised by the data fiduciary to respond to complaints and grievances

Unlike the earlier 2022 version of the Bill, however, an itemised notice is not required. Further requirements in relation to notices may be prescribed by the central government from time to time.

Notably, a recent committee report [2] contains statements from the Ministry of Electronics and Information Technology, which suggest that these forthcoming rules may require data fiduciaries to provide videos and animations to help data principals actually understand the notice and any consent form used.

The Act introduces the concept of a consent manager. Data principals can give, manage, review or withdraw their consent to the data fiduciary through a consent manager, who remains accountable to the data principal and must act on their behalf in such manner and subject to such obligations as may be prescribed. Consent managers must also be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

Where personal data was collected prior to the enactment of the Act, the data fiduciary must notify the data principal of such collection and use of their data within a reasonably practicable time. If the processing is based on consent from the data principal, then the data fiduciary can only continue to process their personal data until such time as the data principal withdraws their consent.

Significant Data Fiduciaries

The central government is empowered to classify any persons or category of persons as “significant data fiduciaries” based on the following factors:

  • The volume and sensitivity of personal data processed
  • Risk of harm to the rights of the data principal
  • Potential impact on the sovereignty and integrity of India
  • Risk to electoral democracy
  • Security of the state
  • Public order

Once designated, significant data fiduciaries will be required to carry out periodic data protection impact assessments and independent audits, and to appoint a data protection officer, who must be an individual based in India and who is responsible to the company’s board of directors.

Accuracy

Compared to the earlier 2022 version of the Bill, the obligation to keep personal data accurate has been enhanced. A data fiduciary must ensure the completeness, accuracy and consistency of any personal data it processes, so long as that data is likely to be disclosed to another data fiduciary, or used to make a decision affecting the data principal.

Protection and Security

A data fiduciary must protect personal data in its possession or under its control, by taking reasonable security safeguards to prevent a personal data breach. This extends to where a data fiduciary engages a data processor to carry out processing of personal data on its behalf.

Cross-border Transfers

Unlike the earlier 2022 version of the Bill, the Act adopts a “negative list” approach for cross-border transfers of personal data from India overseas. It remains to be seen whether neighbouring countries will be included in this negative list, similar to the approach taken in the regulation of foreign direct investment. Additionally, this provision potentially allows sectoral regulatory bodies to introduce specialised legislation aimed at overseeing the storage and transfer of personal data within their respective sectors.

If there are other such requirements or rules that accord a higher standard of protection or impose stricter restrictions for the transfer of data than those under the Act, then these latter requirements will prevail over the Act.

Data Principal Rights

Data principals have the following rights under the Act:

  • Right of access
  • Right to correction
  • Right to erasure[3]
  • Right to withdraw consent
  • Right to grievance redressal
  • Right to nominate any other individual who, in the event of death or incapacity of the data principal, can exercise their rights under the Act.

Retention

Data fiduciaries must erase personal data upon a data principal withdrawing their consent or as soon as the purpose for its processing no longer exists, whichever is sooner. A data fiduciary must also cause its data processor to erase such data, where the data was made available to that data processor. Under the Act, the central government is entitled to set maximum retention periods for personal data; however, no further details have been provided yet.

Data Breaches

The Act does not prescribe any thresholds or timelines for data breach notifications. It stipulates that in the event of a personal data breach, the data fiduciary must give the Board and each affected data principal “intimation of such breach in such form and manner as may be prescribed”. These aspects are expected to be addressed in forthcoming rules to be issued by the government of India. It is unclear whether exceptions will be granted for minor breaches.

Nonetheless, this is a notable new obligation, especially when compared with the existing requirements to report to the Indian Computer Emergency Response Team (CERT-In) within six hours of an incident, or to a sectoral regulator, rules that do not appear to be actively enforced.

Additionally, the Act makes it clear that data security and breach reporting now lie solely on data fiduciaries and not processors.

Children

Data fiduciaries must, prior to processing any personal data of children under 18 years of age, obtain verifiable consent of their parents or legal guardians. There are also prohibitions imposed on the tracking or behavioural monitoring of children or advertising targeted at children.

Implementation Period

While the industry has generally embraced this legislation, certain concerns regarding its implementation have arisen. There has not been any definitive stipulation of an implementation timeframe for the Act. It is generally expected that businesses will be given a transitional period of between six and 10 months, though this has yet to be formally published or announced. The Indian government has expressed a willingness to engage in discussions with stakeholders to address the transition period, with a view to ensuring a seamless implementation process. It is also presently uncertain whether all provisions will come into effect simultaneously or in phases.

Authority

The Board has been vested with the authority to handle complaints in connection with the Act. Aggrieved parties that wish to appeal against a decision by the Board can do so to the Telecom Disputes Settlement and Appellate Tribunal of India.

The central government has very broad discretion and powers under the Act[4], including to exempt certain startups and other data fiduciaries from any specific obligations. The decision to grant such exemptions would typically be based on factors like the volume and nature of personal data being processed.

Penalties

The Board is entitled to impose up to US$30 million in regulatory fines for contraventions of the Act, as well as to compel the blocking of applications and services for repeat offenders.

Takeaways

Now that India has enacted a comprehensive law on data privacy, the importance of undertaking thorough data mapping and information governance cannot be overstated. It forms a crucial starting point for businesses operating in India to ascertain what obligations apply to the data collected, processed and transferred and what compliance measures need to be adopted under the Act, including determining the notices, consents and protocols needed to respond to data principal rights, conducting periodic training on data policies, implementing data management, retention, security and incident response measures, and ensuring robust and compliant contracts with third-party processors. Businesses with significant data processing activities (and thus likely to be classified as a significant data fiduciary down the road) should also consider appointing a data protection officer.

While enactment of the Act is certainly a monumental step for a nation that has a population of a whopping 1.43 billion people, it is also expected that further regulations and guidance will be issued to provide clarity and certainty over specific aspects of the law. With this in mind, businesses should regard compliance with the Act as an ongoing exercise, failing which they risk incurring large regulatory fines and potential lawsuits for infringements.

If you have any questions on any aspect of the Act, or require assistance to comply with it, feel free to reach out to your usual contact at the firm, or any of the authors from our market-leading global Data Privacy, Cybersecurity & Digital Assets group, including Malcolm Dowden (UK), Charmian Aw (Singapore), Bindu Janardhanan (India), Scott Warren (Japan/China), Alan Friel (US), Julia Jacobson (US), Kyle Fath (US), Lindsay Zhu (China), Nick Chan (Hong Kong), David Naylor (UK) and Charles Helleputte (Belgium).

[1] This has replaced the reference to “deemed consent” in the earlier 2022 version of the Bill.

[2] 48th report of the Standing Committee on Communications and Information Technology of the Lok Sabha on the new bill.

[3] Data fiduciaries are obliged to erase personal data that they hold, upon withdrawal of consent by the relevant data principal(s), unless retention is necessary for a specified purpose or to comply with applicable law.

[4] Section 40

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny | Privacy World

The French CNIL’s New Guidance on Whistleblowing | Privacy World

SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations | Privacy World

Singapore Consults on Personal Data Guidelines for AI | Privacy World

Illinois Supreme Court Refuses to Reconsider Decision That BIPA Claims Accrue Individually with Each Violation | Privacy World

The Close of the Javier Saga | Privacy World

Join us TOMORROW, 7/19, for the Association of National Advertisers (ANA) Law One-day Conference | Privacy World

Copyright Protection for AI Works: UK vs US | Privacy World

The U.S. Gets Adequacy, Again – For Now. | Privacy World

NYDFS Revises Its Proposed Amendments to Cybersecurity Regulations | Privacy World

Texas Two-Steps into the Children’s Privacy Dance: The Securing Children Online through Parental Empowerment Act | Privacy World

Squire Patton Boggs Team Provides Practice Guidance on U.S. Direct Marketing Laws – Download Guide and Register for Conference | Privacy World

A Guide Comparing EU, China, ASEAN Standard Contracts for Data Transfers | Privacy World

Digital Assets in England and Wales: Law Commission final report | Privacy World

Singapore releases responsible AI toolkit for finance sector | Privacy World

ChatGPT ‘hallucinates’ and other conclusions from OpenAI’s paper on safety concerns | Privacy World

Developing a compliant privacy and cybersecurity program is a challenging undertaking that requires balancing profitability with current enforcement and litigation risk. Join us live in our Washington DC office to hear from in-house leaders, a former FBI agent, an incident response forensic expert, world-class public policy experts and our privacy and cybersecurity professionals who help companies balance these risks on a regular basis. CLE credit will be offered.

Date: Tuesday, September 19

Time: 2 – 5 p.m. ET, with networking reception to follow.

Location: Squire Patton Boggs Washington DC Office, 2550 M Street NW, Washington, DC 20037

Register here.

Seats are limited for this half-day event where we will dive deep, in four separate panels:

Continue Reading Join Us Live in Washington DC on September 19: Avoiding Litigation and Navigating Regulatory Challenges Amid Growing Privacy, Cybersecurity and Artificial Intelligence Scrutiny

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

The French CNIL’s New Guidance on Whistleblowing | Privacy World

SEC Adopts Final Cybersecurity Risk Management and Incident Disclosure Regulations | Privacy World

Singapore Consults on Personal Data Guidelines for AI | Privacy World

Illinois Supreme Court Refuses to Reconsider Decision That BIPA Claims Accrue Individually with Each Violation | Privacy World

The Close of the Javier Saga | Privacy World

Join us TOMORROW, 7/19, for the Association of National Advertisers (ANA) Law One-day Conference | Privacy World