Skip to content

Privacy & Data Protection

A proposed law issued by the People’s Republic of China (PRC) on October 21, 2020, the draft Personal Information Protection Law, seeks to impose restrictions on entities and individuals, including those operating outside of China, that collect and process personal data and sensitive information on subjects in China. The proposed law also provides for penalties

This article was originally published in Automotive World.

The future of the mobility is dependent on AI, but without greater understanding among consumers, trust could be hard to build.

The mobility sector is keen to realise the full benefits of artificial intelligence (AI), not least to open up the revenues which data-driven connected services could offer. But moving forward, it must balance these opportunities with the rights of drivers, passengers and pedestrians. A number of concerns have already surfaced, all of which will become more pressing as the technology is further embedded into vehicles, mobility services and infrastructure.

Privacy and liability are two of the major challenges. As Christian Theissen, Partner, White & Case explains, mobility has become inherently connected to consumer habits and behavioural patterns, much like the e-commerce and social media industries. “The access, ownership, storage and transmission of personal data, such as driving patterns, must be taken into consideration by both lawmakers and companies gathering and using data,” he says. Meanwhile, in a world of AI-powered self-driving, at what point do regulators start blaming the machine when something goes wrong?

Part of the challenge in considering these issues is that as things stand, there is limited understanding among consumers around what rights there are. “Consumers appreciate AI,” says Cheri Falvey, Partner, Crowell & Moring, “and in particular the ease with which navigational apps help guide them to their destination. Whether they appreciate how their data is accumulating and developing a record of their mobility patterns, and what their rights are in respect to that data, is another question.”

There is often little precedent for regulators to rely on when making new policy in this arena, so it’s a good time to create a proactive regulatory strategy that invites discussion and collaboration from the start

This is in part because it is not always clear when AI is at work. A driver may register when a car’s navigation system learns the way home, but won’t necessarily realise that data on how a car is driven is being collected for predictive maintenance purposes, or that their data is being fed into infrastructure networks to manage traffic flow.Continue Reading Automakers and Regulators Must Educate Consumers on Mobility AI

On August 14, 2020, California Attorney General Becerra announced that the Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The approved regulations, which became effective immediately, guide businesses and consumers on the CCPA.  The final regulations can be found here.

Even before final approval of the regulations, the California Attorney General’s Office announced that it had already begun enforcing the CCPA in California. By July 10, 2020, the Office had issued warning notices to online businesses for failure to comply with the CCPA. The businesses receiving these notices will have 30 days to comply with the CCPA, or they risk a lawsuit being filed against them by the Attorney General’s Office. It is expected that in the future the AG will no longer issue warning letters and proceed with enforcement.Continue Reading California Attorney General Begins Enforcement of CCPA Even Ahead of Regulations’ Approval

On August 14, 2020, California Attorney General Xavier Becerra released final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and Becerra’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The Proposed Regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons. The final implementing regulations take effect immediately. All businesses subject to the CCPA must now comply with both the statute and the regulations.

The final implementing regulations are similar to the draft proposed in June. However, the AG’s office has made several changes it characterizes as “non-substantive” and withdrawn certain proposed provisions “for additional consideration.” The “non-substantive” changes are intended to improve consistency in language (e.g., ensuring “consumer” is used throughout the regulations, or reorganizing definitions in alphabetical order) and are described in detail in the Addendum to the Final Statement of Reasons.Continue Reading California Approves Final CCPA Regulations

At 9:30 a.m. Central European Time, privacy professionals around the world were refreshing their browsers to read the long-awaited judgment of the Court of Justice of the European Union (CJEU) principally addressing the viability of Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield (Privacy Shield) as means to transfer personal data from the European Union (EU) to the United States (U.S.).

When the judgment arrived, it landed with a bang: though the CJEU upheld the use of SCCs, it invalidated the Privacy Shield, the well-known mechanism to transfer personal data from the EU to the U.S.  The decision also cast doubt on the viability of other options, including SCCs, for making transatlantic transfers.

The foundation of this decision and previous decisions affirming challenges to U.S. privacy practices is that the protection of personal data is a fundamental right in the EU, akin to a constitutional right in the U.S.  The General Data Protection Regulation (GDPR) enshrined these fundamental rights and established uniform data protection standards across the EU designed to protect the personal data of EU-based individuals.Continue Reading Privacy Shield Invalidated: EU Data Transfers to the U.S. under Siege (again…)

Companies in the online marketplace have been paying close attention to Section 230 of the U.S. Communications Decency Act of 1996 (CDA) in recent weeks and months. As noted in our previous client alert, CDA Section 230 “is a powerful law that provides websites, blogs, and social networks that host third-party speech with liability


On March 11, 2020, California’s Office of the Attorney General (OAG) released a second set of proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations originally released in 2019 (Proposed Regulations).

The latest revisions, available here, are substantial and come in response to public comments submitted to the OAG during a 15-day

California businesses have been nervously waiting for the first class action asserting a violation of California’s now-infamous California Consumer Privacy Act (CCPA).

The wait is now over.

The CCPA, a consumer privacy law that Crowell & Moring has analyzed and written about at length provides California consumers with a private right of action when

On February 7, 2020, California’s Office of the Attorney General (OAG) released proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations of 2019.

The proposed revisions, available here, are substantial and come in response to public comments submitted to the OAG last year. The revisions and a new deadline of February 24,

On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are