TOP NEWS | California Passes Law to Protect Domestic Abuse Survivors from Car Technology Misuse; Illinois Biometric Privacy Law Sparks Business Lawsuits; and more.
EU Conducts First Review of EU-U.S. Data Privacy Framework
The European Commission completed its first review of the EU-U.S. Data Privacy Framework, concluding that the U.S. has established necessary processes for its effective operation. The review focused on ensuring the framework's elements were in place, including U.S. data protection reforms and certification processes. U.S. regulators reported over 2,800 companies are certified under the framework. The Commission plans the next review in three years, monitoring further U.S. reforms and ongoing collaboration between EU and U.S. authorities. No citizen complaints have been filed under the framework to date.
Illinois Biometric Privacy Law Sparks Business Lawsuits
Suparossa Restaurant Group in Chicago faced a lawsuit for violating Illinois' Biometric Information Privacy Act (BIPA) by collecting employee handprints without consent. BIPA, enacted in 2008, requires companies to obtain written consent before collecting biometric data like fingerprints or facial geometry. Over 400 lawsuits alleging BIPA violations have emerged in recent years, often targeting businesses unaware of the law. Suparossa settled for $400,000 and now uses retinal scans with proper consent. Illinois amended BIPA in August to limit damages plaintiffs can claim in such cases.
Marriott Settles with FTC Over Multiple Data Breaches
The U.S. Federal Trade Commission (FTC) has required Marriott International and its subsidiary, Starwood Hotels, to implement an information security program following data breaches from 2014 to 2020 affecting 344 million customers. Marriott also agreed to offer U.S. customers the ability to request deletion of their personal data and to restore stolen loyalty points upon request. Additionally, Marriott will pay a $52 million penalty to settle similar allegations with 49 states. Marriott emphasized its commitment to improving data security but did not admit liability.
Colorado’s AI Act: A Model for AI Governance Roles and Responsibilities
The Colorado AI Act distinguishes between deployers and developers of AI tools, assigning specific obligations to each in high-risk use cases like hiring and lending. Deployers must conduct impact assessments and establish governance programs, while developers disclose AI risks and data used in training. The Act aims to prevent algorithmic discrimination, promoting a partnership model for managing AI risk. Similar distinctions are emerging in U.S. federal policy and international AI governance frameworks. However, exemptions for deployers and overlaps with privacy laws raise concerns about effective risk management.
California Passes Law to Protect Domestic Abuse Survivors from Car Technology Misuse
California Governor Gavin Newsom signed a bill requiring automakers to implement measures protecting domestic abuse survivors from stalking through internet-connected car features. The law mandates that automakers establish a process for terminating remote access for abusers within two business days after receiving a restraining order and allows drivers to easily disable location tracking. No car manufacturers officially opposed the law, and the automotive industry has expressed support, while raising some concerns about technical feasibility. The new standards may influence car safety regulations nationwide.