The AI Act Progresses Ahead With Approval of Key European Parliament Committees

Share

On 11 May 2023, the European Parliament Internal Market and Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE) committees voted by a large majority to adopt a compromise position on the draft text of the proposed AI Act. The AI Act is a landmark legislative proposal set to be one of the first and most significant set of rules on artificial intelligence. This compromise text approved by the Committees makes some key changes to the European Commission’s initial draft of the AI Act, outlined below.

Continue reading “The AI Act Progresses Ahead With Approval of Key European Parliament Committees”

The UK’s New AI Proposals

Share

On 29 March 2023, the UK Government published its latest proposals on regulating Artificial Intelligence (“AI”). The White Paper follows on from an initial policy paper published in July 2022 (the “2022 Policy Paper”), which we discussed in detail in our previous blog post. The proposals set out in the White Paper have been informed by the feedback received as part of the UK Government’s consultation on the 2022 Policy Paper.

A central theme is that the regulatory framework in the UK must not stifle innovation, but rather harness AI’s ability to drive growth and prosperity, and increase public trust in its use and application.

Continue reading “The UK’s New AI Proposals”

UK’s Updated Data Protection Reform Proposals

Share

The UK government recently introduced a new Data Protection and Digital Information (No. 2) Bill (the “New Bill”). The reforms are intended to update and simplify the UK’s data protection framework and reduce burdens on organisations, while maintaining high data protection standards.

The New Bill replaces the original Data Protection and Digital Information Bill introduced in July 2022 (the “Previous Bill”), which we discussed in detail in our previous blog post. Much of the original drafting remains the same in the New Bill. However, there are some key changes to the proposals, outlined below.

Continue reading “UK’s Updated Data Protection Reform Proposals”

China SCC Measures Officially Release a Path for Outbound Personal Information Transfer

Share

On February 24, 2023, the Cyberspace Administration of China (CAC) released the much-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures) together with the issuance of finalized version of the standard contract for outbound transfer of personal information (China SCC), which will officially come into effect on June 1, 2023. For outbound transfers of personal information which have already been carried out before that date, the China SCC Measures require that the rectification shall be completed within six months from its effective date, i.e, before December 1, 2023.

As one of the three “legitimate grounds” for outbound personal information transfer of personal information under the Personal Information Protection Law of China (PIPL), the China SCC shares quite a number of similarities with the EU Standard Contractual Clauses (EU SCCs) under the GDPR, such as the protection of the data subject’s third-party beneficiary rights, the establishment of a “long-arm” jurisdiction for the exporting country through the execution of SCC-based contractual and other mandatory security requirements for the exported personal information. However, the China SCC Measures still vary significantly from the concept of SCCs under the GDPR. Rather than the four-module approach (controller – controller, controller – processor, processor – processor and processor – controller) under the EU SCCs, the China SCC adopts a one-size-fits-all approach towards exporting personal information by the personal information processor (PIP, a concept similar to the “data controller” under the GDPR) to the overseas recipient. There is no differentiation according to the role of the overseas recipient as a controller, processor or sub-processor. This article offers some key highlights of the newly released China SCC Measures.

Continue reading “China SCC Measures Officially Release a Path for Outbound Personal Information Transfer”

CJEU Rules on Dismissal of DPOs and Conflict of Interest

Share

In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.

Background to Ruling

In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-Fab argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.

Continue reading “CJEU Rules on Dismissal of DPOs and Conflict of Interest”

Meta Fines Expose EU Regulators’ Differences and Highlight Fundamental Issues for Data Controllers

Share

Meta Ireland (Meta) has recently been issued with two fines by the Irish Data Protection Commission (DPC) for breaches of the EU General Data Protection Regulation (GDPR) relating to advertisements run on its Facebook and Instagram services. The decisions highlight some fundamental issues for all data controllers in respect of identifying the appropriate legal basis for their data processing operations and the need to be transparent about how personal data is used. The decisions also reveal some core differences in approach between the DPC, the Irish national privacy regulator in this case, and the European Data Protection Board (EDPB). It signals the likelihood of ongoing wrangling between the various European data regulators as they seek to interpret the decisions and as they are (inevitably) challenged through the courts.

The penalty imposed against Meta Ireland

The substantial fines of €210m (approximately $223m) with respect to Facebook and €180m (approximately $191m) with respect to Instagram reflect the consolidated turnover of the Meta group and the level of fines which, in the EDPB’s view, are required to be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. Meta now has 3 months to take corrective action and amend its privacy policies (including identifying an appropriate legal basis for processing) and its operations to bring its data processing in line with the GDPR.

Continue reading “Meta Fines Expose EU Regulators’ Differences and Highlight Fundamental Issues for Data Controllers”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy