Digital Download May 10, 2023

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2023

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

HHS and FTC Expanding Technology, Privacy, and Cybersecurity Divisions

The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) announced the expansion of operational areas of their organizations that are dedicated to the enforcement of laws and regulations related to technology, privacy, and cybersecurity. On February 17, 2023, the FTC announced the creation of a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.” On February 27, 2023, HHS announced the rebranding and reorganization of divisions within the Office for Civil Rights.

New NAIC Consumer Privacy Model Law Proposed for Insurers

On January 31, 2023, the National Association of Insurance Commissioners (NAIC) Privacy Protections Working Group released Insurance Consumer Privacy Protection Model Law #674 for comment. Model 674 is intended to modernize and replace the Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been widely adopted nationwide but are approximately 30 to 40 years old. Unlike its predecessors, Model 674 notably includes a safe harbor for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA). The proposed model law does not impact the reporting obligations for cybersecurity events set forth under Insurance Data Security Model Law #668.

Selected Global Privacy and Cybersecurity Updates

International Data Transfers: Lessons from the EDPS’s “101 Task Force”

In August 2020, privacy activist organization None of Your Business (NOYB) – European Center for Digital Rights filed 101 complaints with the EU supervisory authorities (SAs) in connection with the transfer of personal data from Europe to the United States by companies that implemented Google Analytics and Facebook Business Tools on their websites.

EU Supervisory Authorities Clarify Breach Notification Requirements

On April 4, 2023, the European Data Protection Board (EDPB), which is composed of representatives of the EU SAs and the European Data Protection Supervisor, published an updated version of the Working Party 29 Guidelines on personal data breach notification under the EU General Data Protection Regulation (GDPR). The EDPB initially endorsed the Working Party 29 Guidelines – without amendments – when the GDPR became applicable in May 2018. However, the EDPB reconsidered whether there was a need to clarify the GDPR’s breach notification requirements, in particular regarding personal data breaches suffered by controllers that do not have an establishment in the EU. The EDPB has therefore revised and updated the relevant section of the Guidelines, while the rest was left unaltered (save for editorial changes).

China’s Standard Contractual Clauses for Cross-Border Transfers of Personal Information

On February 24, 2023, the Cyberspace Administration of China released its final version of the Standard Contract Measures for Exporting Personal Information, accompanied by a template contract outlining the standard contractual clauses. The Standard Contract Measures are effective June 1, 2023; however, organizations transferring personal information outside China before June 1, 2023 will have a six-month grace period to comply with and enter into the standard contractual clauses with the overseas recipient.

The EU Supervisory Authorities’ Coordinated Enforcement Action in the EU: This Year It’s All About DPOs

On March 15, 2023, the EDPB along with 26 EU SAs officially launched a coordinated enforcement action, focusing on the designation of data protection officers (DPOs) under the EU GDPR, and the position that DPOs hold in the organizations that appoint them.


In the News

  • March 15, 2023 – Peter Swire is quoted on how companies can be proactive about cybersecurity by digging deep into their own code in AdExchanger.
  • February 13, 2023 – Paul Greaves is noted in Global Legal Chronicle for representing Spectrum Science in a strategic investment from Knox Lane.

Press Releases

Partners Wim Nauwelaerts and Kimberly Kiefer Peretti Named to Cybersecurity Docket’s 2023 “Incident Response 50”

Wim Nauwelaerts and Kim Peretti have been named to Cybersecurity Docket’s 2023 “Incident Response 50.” This marks the seventh consecutive year that Kim has been recognized among this select group of leaders in security incident management and data breach response. She was previously named to Cybersecurity Docket’s “Incident Response 30” in 2016, 2018, 2019, and 2020 and “Incident Response 40” in 2021 and 2022.

Alston & Bird Recognized by Chambers Global 2023

Alston & Bird has been recognized in the 2023 edition of Chambers Global, with 9 practices and 18 lawyers cited for excellence. Our Privacy, Cyber & Data Strategy practice is ranked Band 4 in Privacy & Data Security: The Elite. Kim Peretti is ranked Band 2 in Privacy & Data Security and in Privacy & Data Security: Incident Response.

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.