Insights

Crowell attorneys prepared Lexology’s Advertising and Marketing USA reference guide enabling side-by-side comparison of a variety of countries’ advertising and marketing standards, including the legal and regulatory framework; private enforcement (litigation and administrative procedures); misleading advertising; prohibited and controlled advertising; social media advertising; and recent trends.

On Dec. 8, 2023, after lengthy and intense negotiations, European legislators reached a political agreement on the EU Artificial Intelligence Act (AI Act). The EU Parliament formally adopted its position during its plenary session of March 13, 2024, and after legal-linguistic finalization and formal adoption by the EU Council, the AI Act is expected to be published in the Official Journal of the EU before the end of Q2, 2024.

It’s fair to call 2023 the year of artificial intelligence. The 2023 AI boom was largely driven by the widespread adoption of new technologies like ChatGPT, Google Bard, and Microsoft Copilot. Alongside the excitement surrounding these new technologies, alarm over the possible consequences of increased AI use without appropriate guardrails caused both government and private entities to act. 

In 1967, California passed the California Invasion of Privacy Act (CIPA) to protect its citizens from attempted eavesdropping on their private conversations. Now, California plaintiffs are wielding CIPA to challenge whether websites may use marketing technology that tracks website usage absent prior explicit consent. Dozens of class action cases based on this theory of liability have been filed in federal and state courts in California. Hundreds of demand letters based on this same theory have been sent to companies. Crowell has been closely monitoring the wave of website-based wiretap class actions cropping up.

In 2023, data moved beyond serving as just an “important currency” in the marketplace and evolved into a truly transformative asset class. With this transformation, data requires increased attention and concern by its owners and controllers. Companies are increasingly building, creating derivative works, collecting data, and even focusing on acquiring data through accretive transactions. As a result, stakeholders must understand and address the nuanced legal matters associated with developed or acquired data, which run the gamut from how to actually acquire particular data rights under applicable laws to managing restrictions related to use of tools, such as data analytics and artificial intelligence.

Protecting critical infrastructure is paramount to today’s digital age. Critical infrastructure includes physical and virtual systems essential for the functioning of our society, economy, and national security. Such a definition may include power grids, communication networks, and financial institutions, among other networks that heavily rely on interconnected computer systems. These systems are also considered critical infrastructure, as they are used to protect critical cybersecurity infrastructure. 

Cybersecurity plays a key role in various legal instruments of the European Union. It frequently appears as a specific duty or as a necessary element for establishing trust with the public.

On January 11, 2024, the Data Act entered into force. This marks a significant milestone in the evolving landscape of digital regulation. The Data Act is part of the broader European data strategy and plays a significant role in advancing the EU’s digital transformation objectives outlined in the Digital Decade Policy Program 2030.

Across the Asia-Pacific (APAC), the past year has brought defining developments for privacy and cybersecurity regulations in the region. A number of countries have implemented new or updated existing policy instruments—a testament to the growing relevance of a strong privacy and cybersecurity framework in the face of rapid global digital transformation. Topline 2023 changes and actions across APAC have included Vietnam’s Decree on Personal Data Protection; Bangladesh’s Cyber Security Act and draft Data Protection Act; amendments to Taiwan’s Cyber Security Management Act; and Indonesia’s Presidential Regulation Number 47 of 2023 on Cyber Crisis Management and National Cyber Security Strategy.

The risks faced by companies in light of new federal cybersecurity regulations are particularly acute for government contractors, who must also be aware of compounded exposure from the False Claims Act (FCA). The U.S. government is increasingly scrutinizing corporate cybersecurity programs, and companies are vulnerable to new risks of civil and criminal liability related to data breaches. The specter of individual criminal liability looms large since the 2022 conviction of the chief security officer at a leading rideshare company for actions related to his response to data breaches. And now, the SEC has charged the CISO of SolarWinds in his individual capacity with securities fraud related to the company’s cybersecurity regime. All companies—especially government contractors—should consider mitigating risk by auditing their cybersecurity protocols and updating their incident response plans.

On July 10, 2023, the European Commission formally adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which provides companies transferring personal data to the U.S. an additional mechanism to legitimize their cross-Atlantic data transfers. The DPF replaces the previously invalidated Privacy Shield and Safe Harbour framework. The DPF is in many ways a “Safe Harbour III” – mainly due to the way that organizations can adhere to it, how it is administered, and the way that its compliance is monitored. However, the legal framework in the U.S. did change to accommodate the requests from the EU and the concerns expressed in the CJEU’s Schrems I and II judgments (reflected in the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities of October 7, 2022 and regulations adopted by the U.S. Attorney General).

Crowell & Moring’s Privacy and Cybersecurity Outlook: The 2024 Landscape offers clients forward-looking analysis on the biggest trends impacting their work across the world. This first edition marks a milestone for our premier Privacy and Cybersecurity group, which was recognized in 2023 as one of the leading U.S. practices for organizations and individuals facing cybersecurity incidents, data breaches, compliance concerns, and other privacy risks.

With stronger rules requiring disclosure of cyber risk and cyber breaches, 2023 has seen heightened SEC enforcement of companies’ obligations in cyber breaches and, notably, enforcement charges brought directly against Chief Information Security Officers (CISOs).

Every day, organizations face a barrage of attacks from cybercriminals looking to do harm by gaining access to IT systems and sensitive data. Repercussions from these attacks can be significant—lost business data, legal liability, regulatory scrutiny, and a damaged reputation. To prepare for potential attacks, companies need a robust incident response plan that can be quickly and effectively deployed against cyber threats as they arise.

State privacy law developments continued on a similar trajectory as previous years, marked by a legislative focus on data privacy issues. At the beginning of the 2023 legislative session, five states (California, Colorado, Virginia, Utah, and Connecticut) passed comprehensive privacy laws, all of which are now effective and enforceable.