Privacy & Information Security Law Blog

On June 15, 2023, the UK Information Commissioner’s Office (“ICO”) called for businesses to address the privacy risks posed by generative artificial intelligence (“AI”) before “rushing to adopt the technology.” Stephen Almond, the ICO’s Executive Director of Regulatory Risk, said:  “Businesses are right to see the opportunity that generative AI offers . . . . But they must not be blind to the privacy risks.” An organization wishing to use AI should seek to understand at the outset how AI will use personal data, and mitigate any known risks. The ICO stated it is ...

On June 14, 2023, the European Parliament (“EP”) approved its negotiating mandate (the “EP’s Position”) regarding the EU’s Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”). The vote in the EP means that EU institutions may now begin trilogue negotiations (the Council approved its negotiating mandate on December 2022). The final version of the AI Act is expected before the end of 2023.

On June 6, 2023, the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of the Comptroller of the Currency (“OCC”) issued their final Interagency Guidance on Third-Party Relationships (“Guidance”). The Guidance provides principles that banking organizations should consider when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

On June 7, 2023, the European Data Protection Board (“EDPB”) adopted the final version of its Guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). Through the Guidelines, the EDPB intends to harmonize the methodology used by supervisory authorities (“SA”) to calculate fines.

On June 8, 2023, the United Kingdom and the United States announced they reached a commitment in principle to establish the UK Extension to the Data Privacy Framework, which will create a “data bridge” between the two countries. U.S. companies approved to join the framework would be able to receive UK personal data under the new data bridge.

On May 30, 2023, the Cyberspace Administration of China (“CAC”) issued the Guideline for Filing the Standard Contract for Cross-border Transfer of Personal Information (“SC”). On June 1, 2023, the SC became an effective mechanism for transferring personal data outside of China. When using the SC as a transfer mechanism, it must be filed with the CAC and the new Guideline provides guidance for doing so. The key elements of the Guideline are summarized below.

On May 24, 2023 Google LLC (“Google”) announced its recently updated privacy terms providing that, for many of Google’s advertising services, it will no longer act as a service provider for the purposes of the California Privacy Rights Act of 2020 (“CPRA”). The change may affect businesses’ prior determinations of whether they “sell” personal information under the California Consumer Privacy Act of 2018 (“CCPA”). The updated terms take effect on July 1, 2023, the day CPRA enforcement begins.

On June 8, 2023, the UK Information Commissioner’s Office (“ICO”) published a new report on neurotechnology. Neurotechnology is technology used to monitor neurodata, the information coming directly from the brain and nervous system. In its press release on the report, the ICO warns that “that newly emerging neurotechnologies risk discriminating against people if those groups are not put at the heart of their development” and predicts the use of such technologies to become “widespread over the next decade.”

On May 25, 2023, the European Data Protection Board (“EDPB”) elected Anu Talus, head of the Finish data protection authority, as its new Chair, replacing Andrea Jelinek. The EDPB also elected Irene Loizidou Nikolaidou, head of the Cypriot data protection authority, as one of its Deputy Chairs, replacing Ventsislav Karadjov.

On June 2, 2023, Judge Brantley Starr of the U.S. District Court for the Northern District of Texas released what appears to be the first standing order regulating use of generative artificial intelligence (“AI”)—which has recently emerged as a powerful tool on many fronts—in court filings. Generative AI provides capabilities for ease of research, drafting, image creation and more. But along with this new technology comes the opportunity for abuse, and the legal system is taking notice.