2023 was the year of artificial intelligence — and 2024 is already shaping up to be more (much more) of the same.  The European Union’s legislative bodies passed the AI Act earlier this month, and although the text has yet to be finalised on the world’s first comprehensive AI law, the hype around it already feels unstoppable.  That hype will turn into hard work over the next 12 months, as organisations grapple with understanding their obligations under the Act and putting in a governance framework that meets those obligations.  Needless to say, it will not be an easy task.Continue Reading The Three European Union Laws That Need Your Attention in 2024

Earlier this year, the UK government released an AI white paper outlining its light-touch, pro-business proposal to AI regulation. Eight months on, and the UK appears to be sticking firm with this approach, with Jonathan Camrose (UK First Minister for AI and Intellectual Property) stating in a speech on 16 November 2023 that there will be no UK law on AI ‘in the short term’.

This stance has been taken in spite of the developments being made around the world in this area. The EU for example, by contrast, continues to make significant steps towards finalization and implementation of its landmark AI Act, with policy-makers announcing that they had come to a final agreement on the Act on 8 December 2023. Progress has also been made across the pond with President Biden issuing the executive order on Safe, Secure and Trustworthy Artificial Intelligence on 30 October 2023, with the intention of cementing the US as a world leader in the field. The UK’s reluctance to regulate in this area has been criticised by some as not addressing consumer concerns – but will this approach continue into 2024?Continue Reading AI Regulation in 2024 – Will The UK Continue to Remain The Outlier?

Introduction

Throughout 2022, cybersecurity lawyers have kept their eyes firmly fixed on two pieces of EU cybersecurity legislation: the NIS2 Directive (“NIS2”) and the Cyber Resilience Act (the “CRA”). With NIS2 having been formally enacted by the EU and the draft text of the CRA being published by the European Commission in September 2022, businesses should take time in 2023 to digest the implications of NIS2 and the CRA on their cybersecurity compliance programmes, both in terms of organisational measures and product compliance.Continue Reading 2023 – A Year for Reflection on EU Cybersecurity

Preeminent privacy scholar and George Washington University Law School professor, Daniel Solove joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection,” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:

  • The state of complexity and inconsistency in the international privacy law landscape
  • The inherent flaws in the models on which privacy laws are currently based
  • The risks of moving toward a regulatory model
  • Theories of harm in data breach cases
  • The role of the courts in adjudicating privacy laws

Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.Continue Reading How Data Breaches Are Shaping the Global Data Protection Debate

The Courts of Justice of the European Union (CJEU) held in its July 2020 Schrems II decision that, in order for entities in other countries to import personal data from the European Economic Area (EEA), the importer must be able to provide data protections ‘essentially equivalent’ to those the EEA offers under its General Data Protection Regulation. The CJEU expressed particular concern that United States’ national security intelligence gathering laws prevent U.S.-based entities from providing such protections. This decision has sharply limited the sharing of clinical research data from the EEA to the United States. After describing the pertinent aspects of the Schrems II decision, this article evaluates U.S. national security intelligence gathering frameworks, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. The article then leverages recent draft guidance from the European Data Protection Board to explain how entities may be able to adopt widely used contractual and technical measures, such as data pseudonymization, to provide ‘essentially equivalent’ protections in the clinical research context.
Continue Reading Demystifying Schrems II for the Cross-Border Transfer of Clinical Research Data

The European Commission (EC) may be set to propose extensive new legislation – potentially later this week – which, among other things, would ban the use of facial recognition technology for surveillance purposes and the use of algorithms that influence human behavior, according to recently leaked draft documents. The proposals would also introduce new rules regarding high-risk artificial intelligence (AI).

Although the use of AI systems is regarded as beneficial in many areas of society, use of AI in some contexts can be controversial. For example, the use of algorithms in the context of employment-related decision-making, allegedly based solely on automated personal data processing, including profiling, has recently been challenged under the GDPR in the Dutch courts, although this decision is likely to be contested.
Continue Reading EU Proposals May Limit the Use of Artificial Intelligence

GDPRAn interesting article in today’s FT on the need to update the GDPR will not be welcomed by those that toiled with compliance programs, policy updates and the preparation of records of processing less than three years ago.

It is reported that German MEP Axel Voss, a driving force behind the GDPR, recognizes that the GDPR is not sufficiently nuanced for some of today’s challenges including blockchain, facial or voice recognition, text and data mining. The COVID pandemic and the shift to remote working have also created unexpected issues, including the technical challenges of compliance by organizations with a remote  workforce using software that authenticates them for a host of services with a single login or monitors what they do online.
Continue Reading Is the GDPR Outdated and in Need of Replacement?

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.
Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

GDPROn 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount.  Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach