On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022.  From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.Continue Reading UK Government grants South Korea a data adequacy status

On 17 June 2022, in response to its consultation in 2021 on the same topic (which we wrote about here), the UK government published more detailed proposals to reform data protection laws in the UK. The response to the consultation can be found here. The intention of the reforms is to achieve greater personal data use enabling economic growth by removing barriers and reducing obstacles for organisations whilst maintaining high standards of personal data protection and EU adequacy.Continue Reading Government releases proposals to reform UK data protection laws

On 19 February 2020, the European Commission published details of its data strategy (here), the aim of which is to “create a single European data space – a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint.”

The European Data Protection Supervisor (EDPS) published its opinion on the data strategy on 16 June 2020 (here). In essence, the EDPS supports the Commission’s commitment to develop the strategy in full compliance with the General Data Protection Regulation (GDPR) and European fundamental rights and values, including the right to the protection of personal data provided under Article 8 of the Charter of Fundamental Rights of the EU. However, the EDPS took the opportunity in its opinion to remind the Commission of a few specific areas of EU data protection law which it will need to consider in relation to some of the proposals set out in the strategy.Continue Reading EDPS opines on the Commission’s data strategy

The European Union Blockchain Observatory and Forum, on 21 April, published a report examining how blockchain can be combined with two other important emerging technologies – the Internet of Things (IoT) and artificial intelligence (AI) – to complement each other and build new kinds of platforms, products, and services.

The report first looks at the interplay of blockchain with the IoT, addressing how blockchain can aid its functioning by providing a decentralised platform to the otherwise centralised approach of the IoT. This centralisation poses a number of challenges while monitoring, controlling, and facilitating communication between the millions of heterogeneous devices. The report highlights how blockchain can provide a more robust, more scalable, and more direct platform to overcome these challenges.

The report similarly delves into the potential relationship between blockchain and AI. It explains some concerns surrounding AI, like how it is currently concentrated in the hands of a few large companies due to the high cost of gathering, storing, and processing the large amounts of data, as well as engaging AI experts. It then illustrates how blockchain can mitigate such concerns so that access to AI models is more readily available to individuals and small companies.Continue Reading EU Blockchain Observatory and Forum explores the convergence of blockchain, AI, and the IoT

Social media users may soon be able to easily transfer their personal information to competing platforms. On October 22, 2019, a bipartisan group of U.S. senators (Mark R. Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT)) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act (ACCESS Act), a bill aimed at encouraging market-based competition among today’s major social media platforms by requiring the largest of these tech companies to allow users to move their data from one service to another.

The bill, should it become law, would be regulated and enforced by the Federal Trade Commission (FTC), and would require large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make users’ personal data portable, by allowing users to retrieve and/or transfer their personal data in a structure and machine-readable format.
  • Maintain interoperability with other platforms, including competing companies.
  • Give users the ability to designate a trusted third-party service to manage their privacy, content, online interactions, and account settings.

Continue Reading Bipartisan social media data portability bill introduced in U.S. Senate

Researchers at the Information Commissioner’s Office (ICO) have started a series of blogs discussing the ICO’s work in developing a framework for auditing artificial intelligence (AI). In the first blog of the series, the discussion revolves around the degree and quality of human review in AI systems, specifically, in what circumstances human involvement can be

The President has made artificial intelligence technology a policy priority. On February 11, 2019, the President issued an Executive Order to direct most federal executive agencies to promote and protect American advancements in artificial intelligence while working with private industry. The order recognized that public trust in artificial intelligence is an important factor in the development and use of the technologies, and highlights the need to “protect civil liberties, privacy, and American values in their application in order to fully realize the potential of AI technologies for the American people.”>

Specifically, the President ordered the agencies to consider artificial intelligence as a research and development priority and

  • Invest in artificial intelligence (for example, machine learning) research and development.
  • Enhance access to data, models, algorithms, and computing resources to promote artificial intelligence research and development (consistent with obligations to maintain safety, security, privacy, and confidentiality).
  • Reduce barriers to the use of artificial intelligence (for example, machine learning) technologies.
  • Help develop technical standards that minimize vulnerability to attacks and “reflect Federal priorities for innovation, public trust, and public confidence in systems that use AI technologies.”
  • Train a workforce that can develop and take advantage of developments in artificial intelligence.
  • Develop an action plan to “to protect the advantage of the United States in AI and technology critical to United States economic and national security interests against strategic competitors and foreign adversaries.”

Continue Reading President prioritizes research, development, and deployment of artificial intelligence technology

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed to a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.

Background: a wave of awareness among users at the EU level shows a new face of data protection

In a notice dated November 2018,[2] the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.

The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.

As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditive procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”Continue Reading First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

On 18 December 2018, the European Commission published draft ethics guidelines for trustworthy AI. The guidelines are voluntary and constitute a working document to be updated over time. The guidelines have been opened up to a stakeholder consultation process.

The guidelines recognise that there are benefits to be gained from AI, but that humankind can only reap the benefits if we can trust the technology (in other words, that the technology contains trustworthy AI). An overarching principle in the guidelines is that AI should be human-centric, with the aim of increasing human well-being.

Trustworthy AI is defined as having two components:

  1. respect for fundamental rights, ethical principles and societal values – an “ethical purpose”, and
  2. be technically robust and reliable.

The guidelines set out a framework for implementing and operating trustworthy AI, aimed at stakeholders who develop, deploy or use AI.Continue Reading Draft ethics guidelines for trustworthy artificial intelligence published by the European Commission

Mark Carney’s extension as the governor of the Bank of England to January 2020 was put in place to ensure a smooth Brexit.

Mr Carney has become increasingly vocal in his attempts to maintain financial stability during that period. This has resulted in ‘Brexiteers’ hurling accusations of fuelling “Project Hysteria” after the bank published its economic analysis of Brexit at the end of November. To help mitigate such gloomy predictions, what else could Mr Carney do to support an orderly exit (and possibly create a lasting legacy for himself)?

Back in June, Mr Carney spoke about modernising the UK bank payment system by rebuilding the Bank of England’s real time gross settlement (RTGS) service “so that new private payment systems, including those using distributed ledgers, can simply plug into our system”, which includes those running off blockchain technology.[1]Continue Reading The fintech Carney-val