Updated Guidance for Edtech Providers The UK Privacy Regulator (ICO) recently updated its guidance on privacy compliance for providers of education technologies (Edtech). This should be seen as a call to action for Edtech providers to ensure their privacy compliance program is fully up to date. This blog post sets out key elements of the … Continue Reading
On July 10, 2023, the European Commission (EC) adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (DPF). This paves the way for organizations to certify to the DPF, reducing friction for transfers of personal data from the EU to the U.S., and allowing companies to simplify their compliance with EU data flow restrictions. … Continue Reading
On June 28, 2023, the European Commission (EC) published a Proposal for a Regulation on Financial Data Access (FIDA). FIDA aims to create a framework through which data holders (e.g., banks, credit institutions) share the financial data they hold with other players in the finance industry (e.g., fintech companies). Customers of financial institutions will be able to … Continue Reading
On July 4, 2023, the European Commission (EC) published its proposal for a regulation laying down additional procedural rules for the enforcement of the EU General Data Protection Regulation (GDPR) (proposal). The proposal focuses on procedural issues relating to handling complaints and conducting investigations in cross-border cases.1 The proposal adds to the procedural rules laid down in the … Continue Reading
On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).… Continue Reading
In Europe, recent advances in artificial intelligence (AI) have given rise to intense debate over how this technology should be regulated. Companies that have developed AI tools, or who are considering implementing AI, should assess the implications of recent legislative developments and regulatory action. This alert discusses the most recent legislative and regulatory developments in … Continue Reading
On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and ordered Meta Platforms Ireland Limited (Meta) to suspend any EU-U.S. transfers of personal data within approximately five months. Meta was … Continue Reading
On February 24, 2023, the European Commission (EC) opened a public consultation on its initiative (Initiative) to revise procedural rules relating to the enforcement of the EU General Data Protection Regulation (GDPR). The EC invites companies to give feedback on the Initiative by March 24, 2023.… Continue Reading
Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from the EU to the U.S. A draft of a new “Data Privacy Framework” (DPF), which is designed to serve as the basis … Continue Reading
On February 1, 2023, the European Commission (EC) published Guidance on the requirement to publish user numbers under the Digital Services Act (DSA).1 The Guidance contains important information for providers of online platforms and online search engines that are required to publish the average monthly number of recipients of their service by February 17, 2023.… Continue Reading
The UK Online Safety Bill (OSB or the Bill) cleared an important hurdle in January 2023 after passing its third reading in parliament. The Bill was first published in May 2021 and has been subject to intense scrutiny. If enacted, it will place extensive obligations on providers of search engines and online platforms that enable … Continue Reading
On January 26, 2023, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (AI RMF). The AI RMF is intended to provide a resource to organizations designing, developing, deploying, or using AI systems to manage risks and promote trustworthy and responsible development and use of AI … Continue Reading
On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.… Continue Reading
On November 15, 2022, the European Data Protection Board (EDPB) adopted draft recommendations (here) for data controllers when applying for approval of their binding corporate rules for international data transfers (Recommendations).… Continue Reading
On November 7, 2022, the European Commission (EC) published its proposal for a regulation on data collection and sharing for short-term accommodation rental services (proposal). The proposal includes data sharing and website design requirements for online platforms providing short-term accommodation rental services. It also prompts EU countries to create a harmonized registration process for hosts providing such … Continue Reading
On December 9, 2022, the UK Government’s Department for Digital, Culture, Media, and Sport (DCMS) published a voluntary Code of Practice for App Store Operators and App Developers (Code). The Code sets out eight core principles to be followed by in-scope entities and is intended to help protect end users from malicious and poorly designed … Continue Reading
On October 27, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, sweeping in a new era in the regulation of digital services. (See Wilson Sonsini’s DSA Fact Sheet.) The DSA applies to providers of digital services, including those based outside the EU that provide services to users in the … Continue Reading
On October 7, 2022, President Biden signed an Executive Order (Order) on Enhancing Safeguards for United States Signals Intelligence Activities. This marks the latest step towards the new EU-U.S. Data Privacy Framework (Framework), a replacement for the defunct EU-U.S. Privacy Shield (Privacy Shield). The next stage in the process is for the European Commission (EC), with input from the … Continue Reading
On July 18, 2022, the EU Council formally adopted the EU Digital Markets Act (DMA), following approval by the EU Parliament earlier this month (the press releases are available here and here). The final DMA text as approved is available here. As next steps, the final text of the law will be signed by the … Continue Reading
EU lawmakers are preparing a new Artificial Intelligence Act (AIA). Timing for adoption remains unclear, but once the AIA enters into force, it will impose strict obligations on providers and users of AI systems. In the meantime, EU regulators have started issuing fines against companies using AI systems on the basis of the EU General … Continue Reading
On March 25, 2022, the U.S. and EU announced that they reached a political agreement in principle on a new “Trans-Atlantic Data Privacy Framework” (the Framework). This would be the third framework for EU-U.S. personal data transfers, after the invalidation of the Privacy Shield in 2020 and of its predecessor, the Safe Harbor, in 2015. … Continue Reading
On February 2, 2022, the UK privacy regulator (i.e., the Information Commissioner’s Office or the ICO) issued new model clauses to support data transfers from the UK. Subject to approval by the UK Parliament, the new model clauses will become effective March 21, 2022. Companies transferring personal data outside the UK will have until March … Continue Reading
On December 6, 2021, the Belgian Data Protection Authority (Belgian DPA) issued its recommendation on biometric data processing (Recommendation).[1] The Recommendation provides guidance on how to comply with the General Data Protection Regulation (GDPR) when processing biometric data.… Continue Reading
They State That Direct Collection of Personal Data by Non-EU Companies Is Not a “Data Transfer” Under the GDPR On November 18, 2021, the European Data Protection Board (EDPB) issued guidelines (Guidelines) that—for the first time—clarify the notion of “data transfer.” Departing from common understanding, the EDPB has determined that there is no data transfer … Continue Reading
