data protection

On 15 January 2024, the UK’s Information Commissioner’s Office (“ICO”) announced the launch of a consultation series (“Consultation”) on how elements of data protection law apply to the development and use of generative AI (“GenAI”). For the purposes of the Consultation, GenAI refers to “AI models that can create new content e.g., text, computer code, audio, music, images, and videos”.

As part of the Consultation, the ICO will publish a series of chapters over the coming months outlining their thinking on how the UK GDPR and Part 2 of the Data Protection Act 2018 apply to the development and use of GenAI. The first chapter, published in tandem with the Consultation’s announcement, covers the lawful basis, under UK data protection law, for web scraping of personal data to train GenAI models. Interested stakeholders are invited to provide feedback to the ICO by 1 March 2024.Continue Reading ICO Launches Consultation Series on Generative AI

On 21 June 2023, at the close of a roundtable meeting of the G7 Data Protection and Privacy Authorities, regulators from the United States, France, Germany, Italy, United Kingdom, Canada and Japan published a joint “Statement on Generative AI” (“Statement”) (available here). In the Statement, regulators identify a range of data protection-related concerns they believe are raised by generative AI tools, including legal authority for processing personal information, and transparency, explainability, and security. The group of regulators also call on companies to “embed privacy in the design conception, operation, and management” of generative AI tools.

In advance of the G7 meeting, on 15 June 2023, the UK Information Commissioner’s Office (“ICO”) separately announced that it will be “checking” whether businesses have addressed privacy risks before deploying generative AI, and “taking action where there is risk of harm to people through poor use of their data”.Continue Reading UK and G7 Privacy Authorities Warn of Privacy Risks Raised by Generative AI

In Episode 12 of our Inside Privacy Audiocast, together with special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa, we discussed the Information Regulator’s mandate and the implementation of data protection legislation in South Africa.  Now, with less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) takes full effect on July 1, 2021, it is critical for organizations operating in South Africa to ensure that they are ready, if and when the Information Regulator comes knocking.

It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach.  The road to POPIA compliance should be viewed as a marathon, and not a sprint.  While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.Continue Reading Final Countdown to POPIA Compliance: Five Critical Steps to Take Before July 1st, 2021

On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data.  The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfers personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.
Continue Reading European Commission Publishes Draft UK Adequacy Decisions