Privacy and Data Protection Law / April 2023

Data protection and privacy update – April 2023

New US laws: Iowa and Indiana

On March 29, 2023, the State of Iowa, and on April 13, 2023, the State of Indiana, became the sixth and seventh states to enact a comprehensive state privacy law, following in the footsteps of California, Virginia, Colorado, Connecticut and Utah.

The new privacy law in Iowa will take effect on January 1, 2025. Companies should assess whether this new law applies to them and plan for compliance.
Applicability test:
1. A business that controls or processes the personal data of at least 100,000 Iowa consumers during a calendar year;
2. A business that derives more than 50% of its gross revenue from the sale of personal data; and/or
3. A business that does business in the state and makes USD 25 million in annual revenue.

The new privacy law in Indiana will take effect on January 1, 2026.
Applicability test: Companies that do business in Indiana or produce products or services that are targeted to residents of Indiana and:

  1. Control or process the personal data of 100,000 customers or more; or
  2. Control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.

Controller vs Processor: Refusing to negotiate Data Processing Agreements (DPAs)

The European Data Protection Board has raised a concern over the roles of the parties (controller / processor) when data processors (e.g., large cloud-based services) refuse to negotiate DPAs or to accept instructions from their customers (i.e., the data controllers), especially where there is an imbalance of power between the parties. Refusing to negotiate a DPA may result in the data processor becoming a data controller. Where this occurs, the service provider may be considered an autonomous controller under Article 28(10) of the GDPR and may be held liable for any violation of the relevant provisions of the GDPR (e.g., lacking an appropriate legal basis or failing to provide sufficient information to data subjects). Data processors that have traditionally refused to negotiate DPAs should be aware of this risk, since GDPR violations may carry severe consequences, including investigations by supervisory authorities, fines and reputational damage.

New York – AI law regarding employee data

New York City (NYC) has put in place new regulations that affect the use of automated employment decision tools (“AEDTs”) by employers, specifically with regard to hiring and promotions. Employers are obligated to determine whether they use AEDTs in making employment decisions. Under the new law, the use of such tools is prohibited unless certain requirements are met, among others:

  1. Engage an auditor to conduct a bias audit of any AI feature/tool utilized. The employer should publish the results of the bias audit on its website. Employers should conduct such audits and publish the results annually.
  2. Provide notice to applicants and employees residing in NYC of the use of AI in hiring and/or promotion decisions.

If you have employees in the US, and more specifically in NYC, and you use AI tools for HR purposes, or you provide AI HR tools to customers with employees in NYC, you should be aware of this new law.

In addition, please note that the FTC has repeatedly warned businesses to avoid using AI tools that are biased or have discriminatory effects.