Embracing Artificial Intelligence in the Energy Industry

Last year, President Joe Biden signed Executive Order 14110 on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” Since the issuance of the executive order, a lot of attention has been focused on the provision requiring “the head of each agency with relevant regulatory authority over critical infrastructure … to assess potential risks related to the use of AI in critical infrastructure sectors involved, … and to consider ways to mitigate these vulnerabilities.” Naturally, government agencies generated numerous reports cataloging the well-documented risks of AI. At the same time, nearly every company has implemented risk-mitigation guidelines governing the use of artificial intelligence. To be sure, the risks of AI are real, from privacy and cybersecurity concerns, to potential copyright infringements, to broader societal risks posed by automated decision-making tools. Perhaps because of these risks, less attention has been focused on the offensive applications of AI, and relatedly, fewer companies have implemented guidelines promoting the use of artificial intelligence. Those companies may be missing out on opportunities to reduce legal risks, as a recent report by the Department of Energy highlights.

Read The Legal Intelligencer article by Duane Morris partners Phil Cha and Brian H. Pandya

Colorado Privacy Act’s Universal Opt-Out Provision Goes Into Effect July 1, 2024

While the Colorado Privacy Act (CPA) has already been in effect, as of July 1, 2024, companies that meet the threshold compliance criteria for CPA and that engage in the processing of personal data for purposes of targeted advertising or the sale of personal data (“covered entities”) must implement a universal opt-out mechanism, which allows users to more easily exercise their opt-out rights with these covered entities. Specifically, a universal opt-out mechanism allows a user to configure their internet browser settings, and as a result, the websites the user visits from that browser automatically receive the user’s opt-out signal. As of July 1, 2024, covered entities must recognize and honor a user’s opt-out preferences where communicated through a universal opt-out mechanism.

Read the full Alert on the Duane Morris LLP website.

Texas Data Privacy and Security Act Coming July 1, 2024: What You Need to Know

In the absence of a federal comprehensive privacy law, states have been enacting their own in a sort of domino effect, creating a patchwork of compliance laws with their own nuances. The Texas Data Privacy and Security Act (TDPSA) is one of those new laws and goes into effect July 1, 2024, bringing Texas into the fold of U.S. states with a comprehensive data privacy law. While the TDPSA is similar to existing state data privacy laws, it has a unique threshold requirement that may broaden its reach compared to other states. Below are some key considerations that covered businesses should take into account to get ready for compliance with this upcoming new law. Read the full Alert on the Duane Morris website.

Webinar: Practical Impacts of the New EU AI Act

Duane Morris will present Get Smart with AI: Practical Impacts of the New EU AI Act, a webinar on risk mitigation strategies for AI use in business, presented by the Technology, Media and Telecom Industry Group’s Artificial Intelligence Team, on Thursday, May 16, 2024, from 11:00 a.m. to 12:00 p.m. Eastern time and 4:00 p.m. to 5:00 p.m. London time.

Common Uses for AI in Beauty & Associated Risks

Kelly Bonner and Agatha Liu of Duane Morris LLP shared their insights and experience with CosmeticsDesign on the risks of incorporating AI technology into business practices, and how beauty companies can protect themselves.

While “today’s AI technology can save a fair amount of time in not only performing conventional services, but also uncovering hidden insight into consumer motivation and behavior,” Liu noted, “on the other hand, today’s AI technology generally lacks transparency and suffers from hallucination and thus still requires a considerable amount of human review.” Therefore, she recommended that “while companies are encouraged to incorporate AI technology into their offerings, they should closely monitor how it is utilized and what it produces and make adjustments or take remedial steps as appropriate.” […]


Vietnam: New Decree on Personal Data Protection

On 17 April 2023, Decree No. 13/2023/ND-CP on personal data protection (PDPD) was officially issued by the Vietnamese Government. The long-awaited and controversial decree is set to be the first ever legal document with comprehensive regulations on both personal data and its protection in Vietnam. With the exception of a 2-year grace period for SMEs, after 1 July 2023 the PDPD will be applicable to all entities located in Vietnam and/or outside Vietnam but directly conducting activities in relation to the processing of personal data in Vietnam.

To read the full text of this blog post by Duane Morris Vietnam partner Dr. Oliver Massmann, please visit the Duane Morris Vietnam Blog.

Preservation of Ephemeral Messaging for Business Purposes

Ephemeral messaging is short-lived, yet the data preservation and regulatory obligations remain.

Ephemeral messaging apps, like WhatsApp and Snapchat, are a form of digital communication in which messages are available for a limited time and then deleted. The two key characteristics of ephemeral messaging are: (1) automated deletion of message content for both the sender and the receiver, and (2) end-to-end encryption, which enhances privacy by making it more difficult for hackers and others to read the encrypted data while it is in transit between devices.

The three degrees of ephemerality in messaging apps are:

  1. Pure, which involves the permanent and automated deletion of messages;
  2. Quasi, which permits preservation of messages in certain circumstances; and
  3. Non-ephemeral, in which messages usually remain on a source (such as a server) and may not include end-to-end encryption.

The benefits of ephemeral messaging include:

  • Information governance: Data storage and records preservation/management are reduced by ephemeral messaging.
  • Legal compliance: Encryption and automatic deletion of personal data help reduce exposure if a data breach occurs.
  • Data security: Even if a mobile device is lost, the automatic deletion of data will likely protect against hackers.

The legal risks of ephemeral messaging include: (1) complying with subpoenas and (2) preservation of data when litigation is “reasonably anticipated”.

Subpoenas often define documents and communications broadly to capture all communications, including ephemeral messaging. Thus, the failure to preserve documents may result in an inability to fully comply with a subpoena and/or criminal exposure, particularly if the subpoena was issued by the government.

Regarding the preservation of data, legal hold policies may need to be amended to address ephemeral messaging, including when a company is dealing with government regulators. See, e.g., Federal Trade Commission v. Noland, et al., Case No. CV-20-00047-PHX-DWL (D. Ariz. 2021) (sanctioning defendants for installing and using ephemeral messaging after learning they were investigation targets).

Some regulators caution against the use of ephemeral messaging. For example:

  • The U.S. Securities and Exchange Commission (“SEC”) issued guidance in 2018 that prohibits business use of apps which permit automatic destruction of messages.
  • The U.S. Department of Justice (“DOJ”) updated its Evaluation of Corporate Compliance Programs in March 2023, which discusses the factors that prosecutors should consider in conducting an investigation of a corporation, including the adequacy and effectiveness of the corporation’s compliance program at the time of the offence as well as at the time of the charging decision.

Accordingly, establishing an adequate and effective corporate compliance program is important, including:

  1. establishing a corporate compliance program which is monitored, updated, and works in practice, and
  2. reviewing the company’s document-retention policies and procedures, including whether they address ephemeral messaging and mobile device data.

In sum, although ephemeral messaging is short-lived, the consequences of failing to comply with data preservation and regulatory obligations may be long-lasting.

 

 

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
