Tech & Sourcing @ Morgan Lewis

In our January 2023 blog post, Study Finds Average Cost of Data Breaches Reaches All-Time High in 2022, we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2022. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. Recently, Ponemon Institute published its Cost of a Data Breach Report 2023, showing an increase in data breach costs in many areas of business.

In October, California enacted its newest privacy legislation, commonly referred to as the “Delete Act” (California Senate Bill No. 362). The Delete Act will allow consumers to request that any data broker that maintains any personal information related to that consumer delete such personal information.

The UK government has announced the UK extension to the EU-US Data Privacy Framework, known as the UK-US data bridge. The new framework will allow businesses to transfer personal data between the United Kingdom and the United States. This blog post  explores the significance of the UK-US Data Bridge and what it means for businesses on both sides of the Atlantic.

The United Kingdom’s Information Commissioner’s Office and data protection authorities from Canada, Australia, Hong Kong, Mexico, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, and Argentina have released a joint statement on data scraping and its impact on data privacy.

Morgan Lewis is hosting our annual Tech & Sourcing Summit in New York on Wednesday, October 25. The summit will include a full day of sessions starting in the morning with breakfast, followed by a networking lunch.

The EU-US Data Privacy Framework (DPF) became effective on July 10, and on the same day, the European Commission adopted an Adequacy Decision relating to the DPF, as a successor of the EU-US Privacy Shield. While only those companies subject to the jurisdiction of either the Federal Trade Commission or the US Department of Transportation are eligible to self-certify their compliance with the DPF, the scope of eligibility is likely to broaden in the future.

As part of our Spotlight series, we welcome Todd Liao, a partner in our Shanghai office who works with clients on a wide range of complex commercial and financial transactions and legal issues involving China. Todd is a thought leader on issues facing tech firms doing business in China, recently publishing articles on new measures for online advertising in China, data privacy, and key drivers of Asia’s tech scene. We caught up with Todd to discuss data privacy regulations in China and cross-border data transfers.

The UK communications regulator and concurrent competition authority, Ofcom, announced on April 5 its proposal to refer the UK cloud services market to the Competition and Markets Authority (CMA) for further investigation. This coincided with publication of the interim report of Ofcom’s market study of the largest providers of cloud services (referred to by the authority as “hyperscalers”) in the United Kingdom’s £15 billion ($18.7 billion) cloud services market.

The UK government published a white paper on March 29 setting out a “pro-innovation” UK regulatory framework for artificial intelligence (AI). The framework centers upon five cross-sectoral principles, of which implementation will be context-specific to the use of AI, rather than the technology itself. The government does not propose introducing a new regulator or any new legal requirements on businesses, instead leveraging existing powers of UK regulators and their domain-specific expertise.

The European Union’s General Data Protection Regulation (GDPR) requires companies to monitor and comply with some of the strictest privacy laws in effect. Now, the European Commission is refocusing efforts and oversight on ongoing investigations under the GDPR. Going forward, companies may want to focus even more intently on their compliance as the EU steps up investigatory procedures.