Digital Download August 8, 2023

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – August 2023

Publications and Advisories

  • June 26, 2023 – Wim Nauwelaerts published “EU: EDPB’s Finalized Guidelines on International Data Transfers Under the GDPR Explained” in Data Guidance.

Selected U.S. Privacy and Cyber Updates

FTC Launches Investigation into Creator of ChatGPT

In mid-July, the Federal Trade Commission (FTC) reportedly opened an investigation into OpenAI, the maker of ChatGPT, sending the company an extensive civil investigative demand (CID). While FTC investigations are not normally public, the Washington Post published what appears to be part of the CID. This investigation comes on the heels of FTC Chair Lina Khan stating her intention to use existing consumer protection law to protect people from the potential dangers of generative artificial intelligence. President Joe Biden’s Administration has signaled that they will take a “whole of government” approach to using existing law to combat any potentially harmful outcomes of artificial intelligence.

FTC Seeks Comments on a New Verifiable Parental Consent Mechanism Under COPPA

On July 19, 2023, the FTC announced that it is seeking comment on an application for a new verifiable parental consent mechanism under the Children’s Online Privacy Protection Act. The application, submitted jointly by the Entertainment Software Rating Board, Yoti, and SuperAwesome, requests the FTC to approve Yoti’s “Facial Age Estimation” technology as a method to obtain parental consent. The request for public comment was published in the Federal Register on July 20, 2023. Interested parties have until August 21, 2023 to submit comments.

Chinese Hackers Exploit Gap in Cloud Environment Used by U.S. Government

According to recent reports issued by Microsoft and U.S. government agencies, hackers recently exploited a gap in Microsoft’s cloud environment, enabling the malicious actors to access the email accounts of employees at the U.S. Commerce and State Departments. The hackers victimized 10 organizations in the United States, including the U.S. government, and 25 organizations worldwide. The U.S. government has not yet attributed the attack to any country or group, though Microsoft disclosed that the attack came at the hands of a “China-based threat actor.”

HHS and FTC Fire a Warning Shot at Health Care Companies Using Online Tracking Technologies

On July 20, 2023, the Office for Civil Rights of the U.S. Department of Health and Human Services and the FTC published a joint letter sent to approximately 130 hospital systems and telehealth providers. The letter warns that certain online tracking technologies that “may be present” on the recipients’ mobile apps or websites could be “impermissibly disclosing consumers’ sensitive personal health information to third parties.”

California Attorney General Launches CCPA Investigative Sweep for Employers

On July 14, 2023, California Attorney General Rob Bonta launched investigations into large California employers’ compliance with the California Consumer Privacy Act as it relates to their processing of employee and job applicant personal information.

Texas Becomes Tenth State to Enact a Comprehensive State Privacy Law

On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the latest contributor to the growing patchwork of comprehensive U.S. state privacy laws. The TDPSA takes effect July 1, 2024, except for provisions that enable consumers to designate authorized agents to exercise on the consumers’ behalf rights to opt out of data sales and targeted advertising, which take effect on January 1, 2025.

NYDFS Releases Revised Proposed Second Amendment of Its Cybersecurity Regulation

On June 28, 2023, the New York Department of Financial Services (NYDFS) published an updated proposed Second Amendment to its Cybersecurity Regulation in the New York State Register, updating its previous proposed Second Amendment published November 9, 2022. While the new language is largely similar to the previous draft, the NYDFS incorporated a number of changes as a result of the 60-day comment period.

SEC’s Proposed Cybersecurity Rules Delayed Yet Again

On June 13, 2023, the U.S. Securities and Exchange Commission published its spring 2023 rulemaking agenda that delayed finalizing the proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and proposed rule on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies until at least October 2023. The proposed rules were originally intended to be finalized in April 2023.

CL0P Ransomware Gang’s Exploitation of MOVEit Vulnerability: What It Means for Companies

On June 7, 2023, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released a Joint Cybersecurity Advisory in connection with a recent zero-day (or previously undetected) vulnerability in Progress Software’s managed file transfer software, exploited by the CL0P ransomware group. CL0P publicly claimed responsibility for exploiting the vulnerability on June 5, 2023 and has a well-established history of targeting vulnerabilities in file transfer software, gaining notoriety in 2021 after the group exploited the zero-day vulnerability in Accellion’s File Transfer Appliance.

NYDFS Penalizes bitFlyer $1.2 Million for Violations of Cybersecurity Regulation

On May 1, 2023, bitFlyer USA Inc. entered into a consent order with the NYDFS for multiple deficiencies in its cybersecurity program, most notably for the failure to conduct periodic risk assessments to sufficiently inform the program’s design. BitFlyer operates a cryptocurrency trading platform and provides custodial wallet services for U.S. dollars and digital currencies, holding a virtual currency license (commonly referred to as a BitLicense) under the NYDFS virtual currency regulation. By virtue of its BitLicense, bitFlyer is a “covered entity” and must comply with the NYDFS Cybersecurity Regulation, as well as the NYDFS cybersecurity-specific requirements for virtual currency licensees, which contain substantially similar requirements as those set forth in the NYDFS Cybersecurity Regulation.

Selected Global Privacy and Cybersecurity Updates

International Data Transfers: European Commission Gives Green Light to EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision approving the EU-U.S. Data Privacy Framework. By doing so, the EC confirmed that personal data transferred to the United States under the framework is adequately protected in line with the EU General Data Protection Regulation’s international data transfer rules.

Council of Europe Launches Model Contractual Clauses for Transfers of Personal Data

On June 16, 2023, the Council of Europe’s Committee of Convention 108+ (the Convention for the Protection of Individuals with Regard to the Processing of Personal Data) adopted model contractual clauses for cross-border data flows. The model contractual clauses are intended to cover the transfers of personal data to countries that are not parties to Convention 108+. According to the Council of Europe, the model contractual clauses have the potential to bridge similar data transfer tools – such as the EC’s standard contractual clauses (SCCs) – and to contribute to the convergence towards appropriate data protection standards globally.

Joint Regulatory Guidance Aims to Help Companies Transfer Personal Data Across ASEAN and EU Member States

On May 23, 2023, the EC and the Association of Southeast Asian Nations (ASEAN) published guidance that identifies commonalities and differences between the EU SCCs and ASEAN’s model contractual clauses to assist companies with their efforts to comply with data transfer rules in both regions. The guidance includes a reference guide that compares the EU SCCs and the ASEAN model contractual clauses and will shortly be complemented by an implementation guide providing best practices for companies that plan to use both sets of clauses.


In the News

  • July 18, 2023 – Dan Felz is quoted on the impact of the Norwegian Data Protection Authority’s ruling limiting Meta’s behavioral advertising in Digiday.
  • May 26, 2023 – Kim Peretti is quoted on early messaging to consumers to build trust after a data breach in Bloomberg.
  • May 23, 2023 – Peter Swire is quoted on how the U.S. government is implementing changes to its surveillance of incoming data transfers from Europe in Bloomberg Law.
  • February 8, 2023 – Alston & Bird’s Women in Cyber webinar “The CPRA Is Here: A Deeper Look at Data Retention & Disposal,” hosted by Kim Peretti and Kate Hanniford, was the source of “How to Comply with the CPRA’s Data Minimization Standards” in Cybersecurity Law Report.

Press Releases

Alston & Bird Earns New Practice Rankings in The Legal 500 US 2023

Alston & Bird has received recognition by The Legal 500 United States in Media, Technology, and Telecoms: Cyber Law. Partner Kim Peretti continues to be named a “Leading Lawyer” in Cyber Law.

Alston & Bird Increases Practices and Attorneys Recognized in Chambers USA 2023

Alston & Bird has received significant recognition in the 2023 edition of Chambers USA: America’s Leading Lawyers for Business, with 68 practice rankings and 149 leading lawyer listings. The Privacy, Cyber & Data Strategy Team is ranked Band 4 for Privacy & Data Security: The Elite (USA - Nationwide). Kim Peretti is ranked Band 1 for Privacy & Data Security: Incident Response and Band 2 for Privacy & Data Security (USA - Nationwide).

Pathstone Acquires Brainard Capital Management and Receives New Private Equity Investments

Alston & Bird represented Pathstone, a New Jersey–based wealth management advisor, in its acquisition of Brainard Capital Management, an independent advisory boutique in Austin, Texas, as well as in its new strategic private equity investment from Kelso & Company and its additional private equity investment from Lovell Minnick Partners. Dan Felz and Sara Pullen Guercio were noted along with other Alston & Bird attorneys for their representation of Pathstone.


“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.