Data & Privacy Update: Six Most Significant Developments Companies Need to Know About

There have been a number of significant legal and policy developments recently related to data and cybersecurity. Some of the most important are:

• Standard Contractual Clauses. The European Commission adopted revised Standard Contractual Clauses for International Transfers (SCCs) on June 4. The new SCCs replace the SCCs that pre-date the General Data Protection Regulation (GDPR) and are intended to be used for transfer of personal data outside Europe – including the United States. The new SCCs go into effect in three months; however, businesses that are parties to existing SCCs have 18 months to enter into the new SCCs or find another lawful means to transfer data.
• Executive Order on Protecting America’s Sensitive Information from Foreign Adversaries. President Biden issued an Executive Order on June 9 directing government agencies to (i) provide recommendations to protect against harm from the sale or transfer of, or access to foreign adversaries of, U.S. citizens’ sensitive data and (ii) evaluate transactions involving software applications that may pose an undue risk of sabotage or subversion or catastrophic effects on the security or resiliency of the critical infrastructure or digital economy of the United States or otherwise pose an unacceptable risk to the national security of the United States.
• Biden Administration Launches the National Artificial Intelligence Research Resource (NAIRR) Task Force. On June 10, the White House announced the formation of a Federal advisory committee to help create and implement a blueprint for NAIRR. The NAIRR is intended to be a shared research infrastructure that will provide a broad array of researchers and students with access to high-quality data and other resources for the use of artificial intelligence across scientific disciplines.
• Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft). On June 9, the National Institute of Standards and Technology released for public comment a preliminary draft framework to address ransomware attacks. The goal of the report is to be a guide to manage the risk of ransomware events and to help gauge an organization’s level of readiness to mitigate ransomware threats and to react to the potential impact of events.
• Space Infrastructure Act. According to reports, Reps. Ted Lieu (D-Calif.) and Ken Calvert (R-Calif.) plan on introducing the Space Infrastructure Act (the “Act”), a bill that would classify space systems as critical infrastructure and require the federal government to develop appropriate guidelines. The Act follows Space Policy Directive 5 – Cybersecurity Principles for Space Systems issued under the Trump Administration which identified key principles to protect space system functions, such as global communications; positioning, navigation, and timing; scientific observation; exploration; weather monitoring; and multiple vital national security applications.
• Colorado Privacy Act. The Colorado Privacy Act passed the state’s legislature on June 8. When, as expected, the bill is signed by Colorado’s governor, Colorado will become the third state – after California and Virginia – with a law that provides its residents broad protection of their personal data.

Williams Mullen attorneys regularly advise businesses on privacy and data protection laws, including data breaches, and help establish corporate data security plans. For more information, please contact Kevin Pomfret at (703) 760-5204 or kpomfret@williamsmullen.com.