In a very short time, AI has evolved from an abstract idea to a practical tool. This demands legal thinking that can account for its use. AI as a concept began in the 1950s when well-known mathematician and scientist Alan Turing conceptualized using computers to simulate intelligent behavior and critical thinking. However, even though labs developed checkers and chess programs in the 1950s and rudimentary chatbots by the 1960s, hardware and software constraints made AI inaccessible to most people until the 2000s, when developers began to integrate deep learning into AI applications. Today, cell phones, computers, and other intelligent machines perform complicated functions that once only inhabited human imagination and (science) fiction. For example, map applications use AI to help drivers efficiently navigate traffic; social media applications use AI in facial recognition functions; digital devices use AI for voice recognition commands; and cars are increasingly self-driving with the help of AI. In addition, businesses use AI to predict consumer trends, monitor employees, and make important financial decisions such as approving loans and deciding customers’ insurance policies. The potential applications of AI are still being realized, and the possibilities seem endless.

Continue Reading An Overview of AI

One of today’s litigation hot spots has its roots among the cobwebs of ancient data privacy law. The United States today has a patchwork of national data privacy laws, all of which deal with sectors, be it ages of data subjects (like the Children’s Online Protection Act), healthcare patients (the Healthcare Insurance Portability and Accountability Act), and financial customers (the Gramm-Leach-Bliley Act). These laws were all passed before 2001, there has never since been a single comprehensive national data privacy act, and the proposed American Data Privacy and Protection Act has languished in fights about preemption.

We do have precedent for fast action in data privacy laws. The first true national data privacy law – one that required explicit opt-in for sharing of personal data – sailed through the Capitol in one year, in 1987-1988, by a bipartisan vote. Congress only needed the right motivation:

Continue Reading Don’t Forget to Rewind: Replaying Video Privacy Laws.

In data privacy and security, we might have a “forest for the trees” moment right now. And they may not be the trees we expected. By now, you are familiar with the term ESG (Environmental, Social, and Governance). Although the term itself can induce political and social tensions today, it is a shorthand for a basket of intangible aspects of a business that, through the reactions of shareholders, employees, and customers, can affect the bottom line or even enterprise viability. The terminology is new; the underlying concepts of internal and external perception go back to the 1960s, if not much earlier. The danger of this new name lies in divisive cultural issues relating to “E” and “S” overwhelming “G”—governance, an uncontroversial concept crucial to businesses handling personal data.

Continue Reading Focusing on the “G” in ESG: Why it Makes the Most Money Sense for the Short and the Long Haul

The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.

Continue Reading SEC Adopts New Cybersecurity Disclosure Requirements

On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”

Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.

Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation

With two of crypto’s largest trading platforms coming under fire last week, what’s next for the digital currency industry? Ashley Fickel and Brian Newman of Dykema’s Financial Services Industry Group weigh in.

Continue Reading What Do the Coinbase and Binance Lawsuits Mean for the Future of Crypto?

Continuing the state-by-state legislative trend, three more state legislatures; Indiana, Montana, and Tennessee (via their respective “Acts”); have passed comprehensive data privacy laws. Even while a federal comprehensive data privacy law remains elusive, these laws join the patchwork of data privacy laws in California, Colorado, Connecticut, Iowa, Utah, and Virginia. Below are some highlights from these Acts:

Continue Reading The Patchwork Continues… Montana, Tennessee, and Indiana Pass Comprehensive Data Privacy Laws

On April 18, 2023, the Washington legislature passed the My Health My Data Act (the “Health Act”), a broad-sweeping data privacy and protection law governing individual personal health data. Although this bill is pending Governor Jay Inslee’s signature, the privacy community expects signature this year and braces itself for this novel law.

Continue Reading An “Apple A Day” Does Not Keep Washington Regulators and Consumers Away: Washington Passes My Health My Data Act

The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data;”

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

(emphasis added).

Continue Reading UK GDPR Reform: A Bridge Too Far?