Data Privacy

On March 15, 2024, the European Parliament and the Council of the EU reached political agreement on the European Health Data Space (EHDS).

In a series of posts on Inside Privacy, our colleagues discuss the EHDS’ key takeaways, obligations on data holders, and obligations on data users.

Continue Reading Political Agreement on European Health Data Space

Earlier this month, the Kentucky legislature passed comprehensive privacy legislation, H.B. 15  (the “Act”), joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, and New Hampshire.  The Act is awaiting the Governor’s signature. If signed into

Continue Reading Kentucky Passes Comprehensive Privacy Bill

This quarterly update highlights key legislative, regulatory, and litigation developments in the first quarter of 2024 related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity.  As noted below, some of these developments provide industry with the opportunity for participation and comment.Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – First Quarter 2024

On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed for those purposes. This is sometimes referred to as “pay or okay”.

The ICO has provided an “initial view” of these models, stating that UK data protection law does not outright prohibit them. It also sets out factors to consider when implementing these models and welcomes the views of publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders. The consultation is open until 17 April 2024.Continue Reading UK ICO launches a consultation on “Consent or Pay” business models

The field of artificial intelligence (“AI”) is at a tipping point. Governments and industries are under increasing pressure to forecast and guide the evolution of a technology that promises to transform our economies and societies. In this series, our lawyers and advisors provide an overview of the policy approaches and regulatory frameworks for AI in jurisdictions around the world. Given the rapid pace of technological and policy developments in this area, the articles in this series should be viewed as snapshots in time, reflecting the current policy environment and priorities in each jurisdiction.

The following article examines the state of play in AI policy and regulation in China. The previous articles in this series covered the European Union and the United States.Continue Reading Spotlight Series on Global AI Policy — Part III: China’s Policy Approach to Artificial Intelligence

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

Opt-out collective actions (i.e. US-style class actions) can only be brought in the UK as competition law claims.  Periodic proposals  to legislate to expand this regime to consumer law claims have so far faltered.  However, this is now back on the Parliamentary agenda.  Several members of the House of Lords have indicated their support for expanding the regime to allow consumers and small businesses to bring opt-out collective actions for breaches of consumer law, and potentially on other bases.

If implemented, this expansion would be very significant and would allow for many new types of class actions in the UK.  Tech companies are already prime targets as defendants to competition-related opt-out class actions.  An expansion of the regime to allow actions for breaches of consumer law, as well as competition law, would only increase their exposure further.

As there is now limited time for legislation to be passed to effect such changes before the UK Parliament is dissolved in advance of an upcoming general election, this may be an issue for the next Parliament.  It will therefore be important to assess what the UK’s main parties say on this – and any manifesto commitments – in the run-up to the election.Continue Reading UK Opt-Out Class Actions for Non-Competition Claims back on Parliamentary Agenda

On 15 January 2024, the UK’s Information Commissioner’s Office (“ICO”) announced the launch of a consultation series (“Consultation”) on how elements of data protection law apply to the development and use of generative AI (“GenAI”). For the purposes of the Consultation, GenAI refers to “AI models that can create new content e.g., text, computer code, audio, music, images, and videos”.

As part of the Consultation, the ICO will publish a series of chapters over the coming months outlining their thinking on how the UK GDPR and Part 2 of the Data Protection Act 2018 apply to the development and use of GenAI. The first chapter, published in tandem with the Consultation’s announcement, covers the lawful basis, under UK data protection law, for web scraping of personal data to train GenAI models. Interested stakeholders are invited to provide feedback to the ICO by 1 March 2024.Continue Reading ICO Launches Consultation Series on Generative AI

This quarterly update highlights key legislative, regulatory, and litigation developments in the fourth quarter of 2023 and early January 2024 related to technology issues.  These included developments related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), data privacy, and cybersecurity.  As noted below, some of these developments provide companies with the opportunity for participation and comment.Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Fourth Quarter 2023

Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies.  On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only).  On December 20, 2023, the Austrian SA published FAQs  on cookies and data protection (available in German only).  On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics which we discuss below.Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies