Category: Policy & Legislation
Guidelines 02/2024 on Article 48 of the GDPR: EDPB Clarifies Rules for Data Sharing With Third-Country Authorities
In the ever-evolving landscape of data protection and privacy, the General Data Protection Regulation (GDPR) stands as the most significant legislative framework for processing personal data. Known for its extraterritorial reach, the GDPR sets out the rules for transferring personal data from private organizations established in the European Economic Area […]
New European Commission: What Data-Driven Tech Companies Need to Know
This blog post summarizes the key points presented by Cooley lawyers Patrick Van Eecke, Enrique Capdevila and Athina Gaki during the Cooley webinar, “New European Commission: What Data-Driven Tech Companies Need to Know”, part of the CooleyREG Talks (EU) series, “New European Commission, New Economic Regulation for the EU and […]
CPPA Adopts Data Broker Registration Regulations, Begins Delete Act Enforcement
On November 9, 2024, the five-person board of the California Privacy Protection Agency (CPPA) voted unanimously to adopt the proposed Data Broker Registration regulations without modifications. The new regulations seek to clarify key provisions of the California Delete Act, which requires data brokers to register with the state of California […]
China Issues Network Data Security Management Regulations
On September 30, 2024, China’s State Council released the Network Data Security Management Regulations, which will enter into force on January 1, 2025. The regulations apply to “electronic data processed and generated through the network” (covering personal information, “important data” and all other types of electronic data) and provide implementing […]
Cybersecurity in the US
As our world becomes increasingly digital, the importance of cybersecurity has never been more critical. In the first blog post in our series for Cybersecurity Awareness Month, we explored the cybersecurity regulatory efforts in Europe, looking at the Digital Operational Resilience Act (DORA), the Network and Information Security Directive (NIS2) […]
Navigating Privacy and Cybersecurity Challenges in the Automotive and Mobility Sector
In this first installment of our series on the automotive and mobility sector, Cooley cyber/data/privacy lawyers introduce the key data privacy legal issues facing the automotive and mobility sector and provide an overview of the US state and federal regulatory enforcement environment. US Regulators Target Automotive Sector The wave of […]
Cybersecurity in the European Union
As our world becomes increasingly digital, the importance of cybersecurity has never been more critical. From personal devices to enterprise networks, cyber threats are evolving at an alarming pace, targeting vulnerabilities and exploiting our growing reliance on technology. October marks ‘Cybersecurity Awareness Month’ – a global initiative to promote awareness […]
EU AI Act: Does It Affect Your Organization or Not?
This blog post is part of our series on the European Union’s Artificial Intelligence (AI) Act. As we explained in our July 2024 blog post, the EU’s AI Act establishes an extensive regulatory framework for AI and will be fully effective starting 2 August 2026, with some requirements (such as […]
SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update
There are a number of US Securities and Exchange Commission (SEC) reporting implications arising from the server-related outages caused by CrowdStrike’s defective software update on July 19, 2024, and their impacts on public companies, particularly in light of the SEC’s new cybersecurity disclosure rules. While the situation on the ground […]
SEC Settles Charges Against RR Donnelley Related to Cybersecurity Incident Disclosure and Internal Access Controls
On June 18, 2024, the Securities and Exchange Commission (SEC) announced that it had settled claims against RR Donnelley (RRD) related to a 2021 ransomware and cyber extortion attack. Despite RRD having discovered and reported the incident within 30 days (a relatively short time frame for investigating complex data breaches), […]