Data Privacy

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:

  • “deceptive or absent choice” regarding non-essential cookies and tracking technologies;
  • “uninformed choice,” which refers to organizations not providing appropriate information to individuals;
  • “undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
  •  “irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.

Having identified these areas of concern, the ICO states that it will take the following actions in 2025:Continue Reading ICO announces its online tracking strategy for 2025

On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).

In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.

Key takeaways

  1. In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
  2. The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
  3. The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.

Continue Reading EDPB highlights the importance of cooperation between data protection and competition authorities

In a new post on the Inside Privacy blog, our colleagues discuss recent guidance from the attorneys general in Oregon and Connecticut interpreting their authority under their state comprehensive privacy statutes and related authorities.  Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance

Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial Intelligence

On November 6, 2024, the UK Information Commissioner’s Office (ICO) released its AI Tools in recruitment audit outcomes report (“Report”). This Report documents the ICO’s findings from a series of consensual audit engagements conducted with AI tool developers and providers. The goal of this process was to assess compliance with data protection law, identify any risks or room for improvement, and provide recommendations for AI providers and recruiters. The audits ran across sourcing, screening, and selection processes in recruitment, but did not include AI tools used to process biometric data, or generative AI. This work follows the publication of the Responsible AI in Recruitment guide by the Department for Science, Innovation, and Technology (DSIT) in March 2024.Continue Reading ICO Audit on AI Recruitment Tools

This quarterly update highlights key legislative, regulatory, and litigation developments in the third quarter of 2024 related to artificial intelligence (“AI”) and connected and automated vehicles (“CAVs”).  As noted below, some of these developments provide industry with the opportunity for participation and comment.

I.     Artificial Intelligence

Federal Legislative Developments

There continued to be strong bipartisan

Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Third Quarter 2024

This update focuses on how growing quantum sector investment in the UK and US is leading to the development and commercialization of quantum computing technologies with the potential to revolutionize and disrupt key sectors.  This is a fast-growing area that is seeing significant levels of public and private investment activity.  We take a look at how approaches differ in the UK and US, and discuss how a concerted, international effort is needed both to realize the full potential of quantum technologies and to mitigate new risks that may arise as the technology matures.

Quantum Computing

Quantum computing uses quantum mechanics principles to solve certain complex mathematical problems faster than classical computers.  Whilst classical computers use binary “bits” to perform calculations, quantum computers use quantum bits (“qubits”).  The value of a bit can only be zero or one, whereas a qubit can exist as zero, one, or a combination of both states (a phenomenon known as superposition) allowing quantum computers to solve certain problems exponentially faster than classical computers. 

The applications of quantum technologies are wide-ranging and quantum computing has the potential to revolutionize many sectors, including life-sciences, climate and weather modelling, financial portfolio management and artificial intelligence (“AI”).  However, advances in quantum computing may also lead to some risks, the most significant being to data protection.  Hackers could exploit the ability of quantum computing to solve complex mathematical problems at high speeds to break currently used cryptography methods and access personal and sensitive data. 

This is a rapidly developing area that governments are only just turning their attention to.  Governments are focusing not just on “quantum-readiness” and countering the emerging threats that quantum computing will present in the hands of bad actors (the US, for instance, is planning the migration of sensitive data to post-quantum encryption), but also on ramping up investment and growth in quantum technologies. Continue Reading Quantum Computing: Developments in the UK and US

This quarterly update highlights key legislative, regulatory, and litigation developments in the second quarter of 2024 related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity. 

I.       Artificial Intelligence

Federal Legislative Developments

  • Impact Assessments: The American Privacy Rights Act of 2024 (H.R. 8818, hereinafter “APRA”) was formally introduced in the House by Representative Cathy McMorris Rodgers (R-WA) on June 25, 2024.  Notably, while previous drafts of the APRA, including the May 21 revised draft, would have required algorithm impact assessments, the introduced version no longer has the “Civil Rights and Algorithms” section that contained these requirements.
  • Disclosures: In April, Representative Adam Schiff (D-CA) introduced the Generative AI Copyright Disclosure Act of 2024 (H.R. 7913).  The Act would require persons that create a training dataset that is used to build a generative AI system to provide notice to the Register of Copyrights containing a “sufficiently detailed summary” of any copyrighted works used in the training dataset and the URL for such training dataset, if the dataset is publicly available.  The Act would require the Register to issue regulations to implement the notice requirements and to maintain a publicly available online database that contains each notice filed.
  • Public Awareness and Toolkits: Certain legislative proposals focused on increasing public awareness of AI and its benefits and risks.  For example, Senator Todd Young (R-IN) introduced the Artificial Intelligence Public Awareness and Education Campaign Act (S. 4596), which would require the Secretary of Commerce, in coordination with other agencies, to carry out a public awareness campaign that provides information regarding the benefits and risks of AI in the daily lives of individuals.  Senator Edward Markey (D-MA) introduced the Social Media and AI Resiliency Toolkits in Schools Act (S. 4614), which would require the Department of Education and the federal Department of Health and Human Services to develop toolkits to inform students, educators, parents, and others on how AI and social media may impact student mental health.

Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Second Quarter 2024

On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly from their vehicles and then

Continue Reading Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data

This week, the FTC published a blog post on the collection and use of consumer data in vehicles.  The FTC warned that “Car manufacturers—and all businesses—should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data” and provided a summary of some recent

Continue Reading FTC Publishes Blog Post on Cars and Consumer Data

Over the past few months, the Federal Trade Commission (“FTC”) has received requests from U.S. Senators asking the FTC to investigate the data collection practices of several automotive manufacturers.  Last week, Senators Ed Markey (D-MA) and Ron Wyden (D-OR) sent a letter to the FTC asking the agency to investigate several automakers for “deceiving their customers by falsely claiming to require a warrant or court order before turning over customer location data to government agencies.”  Among other things, the letter alleges inconsistent data collection and retention practices in the industry, asserting that some automakers only collect location data for a “critical safety event” (e.g., collision, air bag deployment, or automatic emergency braking event) while others “routinely collect[] and retain[] vehicle location data.”  The letter also states that only one automaker has a policy of informing consumers about legal demands for their data.  The letter refers to the FTC’s recent geolocation “crack down” in other contexts and urges “the FTC to investigate these auto manufacturers’ deceptive claims as well as their harmful data retention practices” and to, “in addition to taking appropriate action against the companies, . . . consider holding these companies’ senior executives accountable for their actions.”Continue Reading Data Collection by Auto Manufacturers under Scrutiny