On December 28, 2022, the Spanish Data Protection Authority (“AEPD”) published a statement on the interplay between its recently approved Spanish code of conduct for the pharmaceutical industry and the European Federation of Pharmaceutical Industries and Associations’ (“EFPIA”) proposal for an EU code of conduct on clinical trials and pharmacovigilance. The statement relates specifically to
Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules
The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”). These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th. The Attorney General will convene a formal rulemaking hearing on February 1, 2023. In advance of the formal rulemaking hearing, stakeholders may
New York Department of Financial Services Proposed Second Amendment to Cybersecurity Regulation – Comments Close January 9, 2023
The New York Department of Financial Services (“NYDFS”) published the latest draft of its Proposed Second Amendment to its landmark Cybersecurity Regulation (23 NYCRR 500) on November 9, 2022. The proposed second amendment comes after an initial comment period on an earlier-released draft amendment released on July 29, 2022. NYDFS is accepting comments
OECD and the EU adopt Declaration on Government Access to Personal Data
On December 14, 2022, the members of the Organization for Economic Co-operation and Development (“OECD”) (which includes various EU Member States, Mexico, Turkey, the UK and the United States) and the EU, adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”).
CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data
On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR. The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to
New Jersey Assembly Introduces Age-Appropriate Design Code Bill
Last week, New Jersey Assemblyman Herb Conway Jr. introduced a bill similar to the California Age-Appropriate Design Code (“CA AADC”) enacted in September. The bill, NJ A4919, tracks the CA AADC in many respects but contains several notable differences, which we summarize below:
- Covered businesses. The CA AADC applies to any online service, product,
European Commission Releases Draft Adequacy Decision on the EU-U.S. Data Privacy Framework
On December 13, 2022, the European Commission released its draft adequacy decision on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which, once formally adopted, would recognize that the United States ensures an adequate level of protection for personal data transferred from the EU to organizations certified under the EU-U.S. DPF. The draft decision follows the
HHS Proposes Changes to More Closely Align Part 2 and HIPAA
In a new post on the Covington Digital Health blog, our colleagues discuss recently issued proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”). Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under
Google and iHeartMedia Reach Settlements with FTC and States for Deceptive Endorsements
On November 28, 2022, the Federal Trade Commission (“FTC”) and seven state attorneys general announced that they reached settlements with Google LLC and iHeartMedia, Inc., to resolve claims that the companies aired deceptive advertisements promoting Google’s Pixel 4 phone by arranging for iHeartMedia radio personalities who never actually used the phone to personally endorse it.
CJEU Invalidates Public Anti-Money Laundering Registers on Privacy Grounds
On November 22, 2022, the Grand Chamber of the Court of Justice of the European Union (“CJEU”) issued its judgment in joint cases C‑37/20 and C‑601/20, holding that provisions of an EU anti-money laundering directive relating to the publication of beneficial ownership registers were incompatible with the EU Charter of Fundamental Rights (“CFR”). The Court