Access Legal & IG Quarterly Update – Q1 2024

2024 began with a flurry of activity in the EU, coming from evolving environmental efforts in the areas of greenhouse and ozone-depleting gases, and a first-of-its-kind artificial intelligence regulation focusing on the protection of citizens’ rights. In the US, a consensus is emerging among the states to protect the data of consumers, following California’s lead, and laying the groundwork to establish an American version of the landmark GDPR legislation in Europe.

Continue reading to become informed of these new laws and regulations from across the globe, and empower yourself with the information you need to do your job as efficiently and confidently as possible.

Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.

European Union – Regulating Ozone Layer Depleting Substances, and Fluorinated Greenhouse Gases

On February 7, 2024, the European Union signed regulation 2024/590 on substances that deplete the ozone layer, and regulation 2024/573 on fluorinated greenhouse gases, into law. Each regulation updates and replaces existing EU legislation to align them with the goals of the European Green Deal. The regulations share a consistent 5-year retention requirement for impacted documents.

Regulation (EU) 2024/590 on Substances That Deplete the Ozone Layer

Regulation 2024/590 codifies controls on ozone-depleting substances, whether alone or contained in mixtures, products, and equipment, and parts thereof, or whose functioning relies upon those substances.

Prohibitions on activities related to ozone-depleting substances are exempted for essential laboratory and analytical uses, and 2024/590 requires the maintenance of records to support those activities. EU research undertakings, shall for a minimum of five years, keep records containing specific details of any ozone-depleting substances or mixtures containing such substances produced for, including as by-production or side-production, supplied to, or marketed to parties within the Union. The material details shall include the name of the substance, quantities exchanged between parties or destroyed, contact details of parties involved, and the actual use of those materials by those parties.

Operators of equipment containing halons and ozone-depleting substances or those servicing them shall keep records of relevant information for 5 years, including:

  • Identification of the undertaking which performed leak checks, the maintenance or servicing, as well as the dates and results of the leak checks carried out.
  • The quantity and type of halons added, ozone-depleting substances recovered during maintenance or servicing, and final disposal of the equipment or systems.
  • Any documented evidence that the purity of the recovered or recycled halons from fire protection systems and fire extinguishers does not technically allow its reclamation and subsequent re-use.

Cited in Virgo as, “Regulation (EU) 2024/590 of the European Parliament and of the Council of 7 February 2024”.

Regulation (EU) 2024/573 on Fluorinated Greenhouse Gases

Regulation 2024/573 codifies rules on activities involving fluorinated greenhouse gases from production to destruction or use, rules on specific products and equipment containing or relying on them, and related ancillary measures, such as certification and training.

Regulation 2024/573 requires a regulated party to maintain records under the following conditions for a minimum of five years:

  • In the case of fumigation with sulfuryl fluoride — documentation of the use of capturing and collection measures or the reasons for which capturing, and collection measures were not technically or economically feasible.
  • In the case of operators of equipment which is required to be checked for leaks of CO2 or fluorinated greenhouse gases — records for each piece of such equipment.
  • In the case of undertakings supplying fluorinated greenhouse gases — records of relevant information on the purchasers of those fluorinated greenhouse gases, to include, certificate number of each purchaser, and respective quantities of the gases purchased.
  • In the case of undertakings which sell non-hermetically sealed equipment charged with fluorinated greenhouse gases — records of the equipment sold and of the certified undertakings that will carry out the installation.
  • In the case of undertakings that produce, including as by-product, market, supply or receive substances intended for exempted uses — records containing the name of the substance, quantities exchanged between parties or destroyed, contact details of parties involved, and the actual use of those materials by those parties.
  • In the case of putting into operation electrical switchgear using or whose functioning relies upon insulating or breaking medium with a global warming potential in derogation to established limits — documentation establishing the evidence for the derogation.
  • In the case of putting into operation of any equipment or utilization of any specified product after the respective prohibition date — evidence that the relevant safety requirements at the location do not permit the installation of equipment using fluorinated greenhouse gases below the prohibitive global warming potential value, or the equipment was placed on the market before the relevant prohibition date.
  • In the case of placing on the market pre-charged refrigeration and air-conditioning equipment, heat pumps and metered dose inhalers — documentation and the declaration of conformity the substances with which the products or equipment have been pre-charged are accounted for within the quota system.

Cited in Virgo as, “Regulation (EU) 2024/573 of the European Parliament and of the Council of 7 February 2024”.

Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on Artificial Intelligence (Artificial Intelligence Act)

On March 13, 2024, Members of the European Parliament voted to approve the Regulation of Artificial Intelligence in the European Union. The regulation is a first of its kind legal framework designed to address concerns surrounding high-risk AI by codifying regulations on the development and deployment of AI for the EU market. The regulatory focus is on the protection of citizens’ rights from the impact of AI. The law’s influence will not be immediately felt as the earliest applicability of any regulation will not be for about 6 months. Requirements on General-Purpose Artificial Intelligence Systems (GPAIS) will be delayed for 12 months, and the bulk of the artificial intelligence regulation will not apply until 24 months. The trigger for each period begins when the regulation is published in the Official Journal of the European Union.

Beginning 24 months after publication in the Official Journal of the European Union, the following retention requirements will take effect:

  • Providers of high-risk AI systems shall keep for 10 years after the AI system has been placed on the market or put into service:
    • technical documentation,
    • documentation concerning the quality management system,
    • documentation concerning the changes approved by notified bodies,
    • decisions and other documents issued by the notified bodies, and
    • the EU declaration of conformity.
  • Providers of high-risk AI systems shall keep automatic event recording logs generated by the system for 6 months, unless provided otherwise in applicable Union or national law, particularly Union law on the protection of personal data.
  • Authorized representatives of providers of high-risk AI systems established outside the Union making their systems available on the Union market shall keep for 10 years after the high-risk AI system has been placed on the market or put into service:
    • contact details of the provider by which the authorized representative has been appointed,
    • a copy of the EU declaration of conformity,
    • the technical documentation, and
    • if applicable, the certificate issued by the notified body.
  • Importers of high-risk AI systems shall keep for 10 years after the AI system has been placed on the market or put into service:
    • a copy of the certificate issued by the notified body, where applicable,
    • a copy of the instructions for use, and
    • a copy of the EU declaration of conformity.
  • Deployers of high-risk AI systems shall keep the logs automatically generated by a high-risk AI system for 6 months, unless provided otherwise in applicable Union or national law, in particular Union law on the protection of personal data.
  • Providers of high-risk AI systems shall keep a written machine readable, physically or electronically signed EU declaration of conformity for each high-risk AI system for 10 years after the AI high-risk system has been placed on the market or put into service.

Beginning 12 months after publication in the Official Journal of the European Union, the following retention requirements will take effect:

  • Subcontractors of a notified body connected with a conformity assessment shall keep documents concerning the qualifications assessment of the subcontractor or the subsidiary and the work carried out by them for 5 years from the termination date of the subcontracting activity.
  • Authorized representatives of providers established outside the Union placing a General Purpose AI model on the Union market shall keep a copy of technical documentation and the contact details of the provider by which the authorized representative has been appointed for 10 years after the model has been placed on the market.

Currently cited in Virgo as, “Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)”, pending publication in the Official Journal of the European Union.

Beyond Storage – A Comprehensive Information Management Checklist

Organizations of all kinds and sizes are finding themselves faced with an array of information management challenges. Some of these challenges, like the transformation of information technologies and the growth of data sets, have remained relatively unchanged for years.

U.S. Data Privacy and Consumer Data Protection — 2024

California led the way in data protection for the United States with the Consumer Privacy Act taking effect in 2020. It was followed up by the Privacy Rights Act, alongside the first wave of data privacy and consumer data protection acts taking effect in 2023.

Five data privacy and consumer data protection acts took effect last year.

  • California Privacy Rights Act — January 1, 2023
  • Virginia Consumer Data Protection Act — January 1, 2023
  • Colorado Privacy Act — July 1, 2023
  • Connecticut Data Privacy Act — July 1, 2023
  • Utah Consumer Privacy Act — December 31, 2023

Four others are getting ready to take effect this year. By July, the next batch of acts will begin to take effect.

  • Texas Data Privacy and Security Act — July 1, 2024
  • Florida Digital Bill of Rights — July 1, 2024
  • Oregon Consumer Privacy Act — July 1, 2024
  • Montana Consumer Data Privacy Act — October 1, 2024

On January 16, 2024, the New Jersey governor signed Senate Bill 332, the New Jersey Data Privacy Act. On March 6, 2024, the New Hampshire governor signed Senate Bill 255, the New Hampshire Expectation of Privacy Act.

Neither act will take effect until next year, but they will join 3 other state acts taking effect in 2025.

  • Delaware Personal Data Privacy Act — January 1, 2025
  • Iowa Consumer Data Protection Act — January 1, 2025
    New Hampshire Expectation of Privacy Act — January 1, 2025
  • New Jersey Data Privacy Act — January 15, 2025
  • Tennessee Information Protection Act — July 1, 2025

New Hampshire and New Jersey will raise the percentage of the country covered by this package of data or consumer protections to just over 25% by January of 2025, and almost 30% by 2026. Georgia, Wisconsin, and Kentucky have bills, with similar frameworks, in legislative committees, and have a high likelihood of passage before the end of 2024, or early next year.

New Hampshire Expectation of Privacy Act

  • Effective Jan. 1, 2025
  • Applies to companies doing business in New Hampshire, or where companies try to market products to New Hampshire residents. Application shall include those companies processing or controlling 100,000 New Hampshire consumers’ personal data, or 25,000 with 25 percent of the company’s gross revenue derived from the sale of personal data. Personal data processed for the purpose of completing payment transactions is excluded.
  • Key requirements:
    • Common with many other jurisdictions in the United States, New Hampshire ensures consumers right to access, right to correct, right to delete, right to opt-out of processing, right to portability, right to-opt out of sales of information, and right to opt-in for sensitive data processing.
    • New Hampshire also provides for a right against automated decision-making, specifically profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
    • The right of private action for violations of the law is absent, like most of the other data privacy or consumer data protection acts in the United States, and the “business-friendly approach” continues with New Hampshire preventing consumers from bringing actions against companies for violations of the law. Instead, the New Hampshire Attorney General will enforce the law.

Virgo citations will be available when the final text is published in New Hampshire.

New Jersey Data Privacy Act

  • Effective Jan. 15, 2025
  • Applies to companies doing business in New Jersey, or where companies try to market products to New Jersey residents, and those companies process or control either 100,000 or 25,000 New Jersey consumer’s personal data where 25,000 requires receiving revenue or discounts from the sale of the personal data. New Jersey, unlike other jurisdictions, excludes specific revenue requirements for application of the law, applying it more broadly than other regulations. Personal data processed for the purpose of completing payment transactions is excluded.
  • Key requirements:
    • Like New Hampshire, New Jersey ensures consumers the right to access, right to correct, right to delete, right to portability, right to-opt out of sales of information, and right to opt-in for sensitive data processing.
    • Unlike New Hampshire, New Jersey provides for a right to opt-out of processing that allows the consumer to prevent the processing of their information. However, in line with most other jurisdictions, New Jersey does not extend the option to opt-out of processing of data beyond profiling or targeted advertising.
    • New Jersey also provides similar protections as New Hampshire, for a right against automated decision-making pertaining to profiling in furtherance of decisions producing legal or similarly significant effects impacting consumers.
    • Aligning itself with most of the rest of the states passing legislation, New Jersey does not provide for a right of private action to violations of the law. Instead, the New Jersey Attorney General will enforce the law.

Virgo citations will be available when final text is published in New Jersey.

To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.

Related Resources

View all resources
The Disastrous Effects of a Data Breach
The Disastrous Effects of a Data Breach
Blog | 2 min read
From Compliance to Accessibility: 6 Reasons to Perform Document Digitization
From Compliance to Accessibility: 6 Reasons to Perform Document Digitization
Blog | 4 min read
Going Paperless? Legal Guidelines for Retaining Electronic Personnel Files
Going Paperless? Legal Guidelines for Retaining Electronic Personnel Files
Blog | 5 min read
The Five W’s (and Sometimes How) of Efficient Records Retention: Part Two
The Five W’s (and Sometimes How) of Efficient Records Retention: Part Two
Blog | 3 min read