Stay up to date with this quarter’s legal and information governance update, which covers a wide range of new laws and regulations from across the globe.

As we look back over 2023, we’ve shared the many changes that we’ve seen to privacy legislation, employment law, retention requirements, and more. We’ve also kept you apprised of new regulations; as we’ve observed with artificial intelligence, these developments have not only made news headlines but are also highlighted here. We hope you’ll continue to join us in 2024 for the latest regulatory and provisional information you need!

Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.

California – New Law Requires Employers to Implement a Workplace Violence Prevention Plan (WVPP)

On September 30, 2023, Governor Newsom signed a law establishing a new written workplace violence prevention plan requirement for nearly all California employers. This requirement, which becomes effective on July 1, 2024, is the first of its kind in the nation to apply to employers across industries. In addition to implementing and maintaining this plan, employers must also train employees on workplace violence hazards, maintain a violent incident log and other workplace violence-related records, and conduct periodic reviews of the WVPP.

Recordkeeping

Consistent with Cal/OSHA’s Injury and Illness Prevention Program recordkeeping requirements, this new law requires employers to create and maintain training records for a minimum of one year. Additionally, the following records must be maintained for a minimum of five years:

  • Records of workplace violence hazard identification, evaluation, and correction;
  • Violent incident logs; and
  • Workplace violence incident investigations (these records shall not contain “medical information”).

Employers must make these required records available to Cal/OSHA upon request. Additionally, hazard assessment records, training records, and violent incident logs must be made available to employees upon request and without cost within 15 calendar days of a request.

Cited in Virgo as, “CAL. LAB. CODE § 6401.9”.

California Delete Act – New Obligations for Data Brokers

On October 10, 2023, Governor Newsom signed into law the “California Delete Act”. This Act imposes new registration requirements for data brokers (defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”), increases the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to honor every deletion request made by consumers.

Recordkeeping

Beginning January 1, 2028, and every three years after, data brokers must undergo an audit by an independent third party to determine compliance with requirements imposed by this Delete Act. Upon completion of the audit, data brokers must submit the audit report and any related materials to the California Privacy Protection Agency. These records must be retained for at least six years.

Cited in Virgo as, “CAL. CIV. CODE § 1798.99.86”.

European Union Data Act – Rules for a Fair and Innovative Data Economy

On November 27, 2023, the final text of the Data Act was adopted. In a nutshell, this Act requires data holders (defined as “a natural or legal person that has the right or obligation . . . to use and make available data, including . . . product data or related service data which it has retrieved or generated during the provision of a related service”) to share data collected with others in the value chain through connected products, related services, and virtual assistants.

The Data Act applies to both personal and non-personal data collected through in-scope products or during the provision of in-scope services. Some key requirements:

  1. Data access. Upon request, data holders must provide access to certain data from the in-scope products or services. A data holder can require certain conditions to be satisfied before sharing data that constitutes trade secrets, or withhold the user’s access to, or the sharing with third parties of, such data if the confidentiality of trade secrets could be undermined.
  2. Data sharing with third parties. Data holders must make the in-scope data available to third parties under fair, reasonable, and non-discriminatory terms and conditions.
  3. Data sharing with public sector bodies. Where public interest is high, private data holders are required to make the data available to public EU institutions. Personal data can only be requested in cases of exceptional need.
  4. Design requirements and transparency. In-scope products must be designed and manufactured, and in-scope services must be provided, in a way that allows users to access the data by default, in an easy and secure manner, free of charge, and in a structured, commonly used, and machine-readable format.
  5. Unfair contractual terms. To prevent the abuse of imbalances in business-to-business relationships, unfair contractual terms concerning access to, and the use of, data are prohibited.
  6. Unlawful international governmental access and transfer. To prevent international and third-country governmental access and transfer of non-personal data held in the EU, providers of data processing services must implement adequate technical, organizational, and legal measures, including contractual agreements, to protect the data.

How does this Act compare to the GDPR?

While the scope of the GDPR is limited to personal data, the Data Act applies to both personal data and non-personal data, which means that its scope of application is broader. However, according to Article 1(5) of the Data Act, the Data Act is without prejudice to the GDPR. Where personal data is generated from connected products or related services, the requirements of both the Data Act and the GDPR must be satisfied.

Cited in Virgo under the Title, “Regulation (EU) 2023 of the European Parliament and of the Council on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)”.

New York Extends Statute of Limitations for Employment Claims

Governor Hochul signed Assembly Bill 501 into law on November 17, 2023. Effective February 15, 2024, the statute of limitations to file a complaint with the New York State Division of Human Rights will extend from one to three years. Previously, the law provided a three-year statute of limitations only for sexual harassment claims. After its effective date, the amended law gives employees three years to file any type of workplace discrimination or harassment claim.

Cited in Virgo as, “N.Y. EXECUTIVE LAW § 297”.

United States – SEC Adopts Securities Lending Disclosure Requirement

On October 13, 2023, the SEC adopted new Rule 10c-1a under the Securities Exchange Act of 1934, which will require the reporting of certain details regarding securities lending transactions.

Key takeaways:

  1. “Covered persons” will be required to report specific information about securities loans to a registered national securities association (RNSA).
  2. Institutional investment managers will be required to report certain data on short sales on new Form SHO to be published on the SEC’s website.
  3. These changes are intended to increase the transparency and efficiency of the securities lending market.

Recordkeeping

If a reporting agent assumes the reporting obligation on behalf of a covered person, she must preserve for a period of not less than three years, the first two years in an easily accessible place:

(i) The Rule 10c-1a information obtained by the reporting agent from the covered person, including the time of receipt, and the corresponding Rule 10c-1a information provided by the reporting agent to an RNSA, including the time of transmission to an RNSA; and

(ii) The written agreements she entered into with the covered person.

Cited in Virgo as, “17 C.F.R. § 240.10c-1a”.


To learn more about how to address records retention, data privacy, and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.