The European Commission published a proposal for a Cyber Resilience Act on 15 September 2022 (the ‘Regulation’), which aims to:

  • ensure that cyber security is considered during the development of hardware and software products and is continuously improved throughout that product’s life cycle; and
  • improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.


On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).

On 18 October 2021, the European Commission (the Commission) launched a public consultation on adapting the civil liability rules for the digital age, with a specific focus on challenges arising from the adoption of artificial intelligence (AI).

The consultation builds on the Commission’s inception impact assessment roadmap (IIA) on this topic and is part of the Commission’s wider effort to modernise EU regulations for the digital age.

Why the civil liability rules need to change

While Product Liability Directive 85/374/EEC (Directive) sets out rules aimed at ensuring that injured parties are compensated for damage caused by defective products, the Commission has previously noted in a report in 2018 and the IIA that the Directive is no longer fit for the digital age. Challenges include:

  • Whether and how intangible digital elements such as software can be classified as products
  • The lack of clarity on who should be liable for defects after products are put into circulation
  • Significant obstacles for injured parties to obtain compensation, especially given the difficulties in establishing causal links where the behaviours of AI systems are partially or wholly opaque


In July 2021, the European Commission (the Commission) adopted three proposals for regulations and one proposal for a directive of the European Parliament and of the Council in relation to reforms to the EU’s anti-money laundering (AML) and counter-terrorist financing (CTF) regime. The proposals serve to implement aspects of the Commission’s May 2020 action plan in respect of the same, with a view to addressing weaknesses in these areas. The key reforms include a new EU AML and CTF authority and a new EU single AML and CTF rulebook.

On 22 September 2021, the EU’s independent data protection authority, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, published an opinion on the Commission’s proposals, alongside a press release.

Overall, the EDPS’ opinion of the proposals is positive, welcoming the AML package and its objective to increase the effectiveness of AML and CTF. In particular, Mr Wiewiórowski praised the envisaged increased harmonisation of the AML and CTF framework at EU level, which includes the creation of a European authority.

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion).

The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI), which was presented on 21 April 2021 (Proposed Regulation). The Proposed Regulation laid out (i) harmonised rules for the placing on the market, the putting into service and the use of AI systems in the EU; (ii) prohibitions of certain AI practices; (iii) specific requirements for high-risk AI systems and obligations for operators of such systems; (iv) harmonised transparency rules for AI systems; and (v) rules on market monitoring and surveillance. We have summarised the obligations, scope and effect of the Proposed Regulation in our previous client alert, here.

The EDPB and the EDPS welcome the concern of the Commission in addressing the use of AI within Europe and stress that the Proposed Regulation has important data protection implications. Both authorities agree with the risk-based approach underpinning the Proposed Regulation and further welcome the fact that the Proposed Regulation designates the EDPS as the competent authority and the market surveillance authority for the supervision of the EU institutions. However, they note the role and tasks of the EDPS should be further clarified, specifically with regard to its role as a market surveillance authority.

The European Commission is considering amending the existing rules for the financial sector regarding digital operational resilience, with a view to unifying and strengthening the legal framework in this area.

The proposed change to legislation would amend the existing Network and Information Security (NIS) Directive and create a new regulation on digital operational resilience, known

On April 21, 2021, a draft proposed European regulation on artificial intelligence (AI) (Regulation) was released following the European Commission’s white paper “On Artificial Intelligence – A European approach to excellence and trust”, published in February 2020. The regulation shows that the European Union is seeking to establish a legal framework for AI by laying

On the 14th of April 2021, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s draft adequacy decision for the transfers of personal data from the EU to the UK.

The EDPB assessed the alignment of the UK Data Protection Act to the GDPR and to the Law Enforcement Directive, and noted ‘strong alignment’ on key areas between the EU and UK data protection regimes such as lawful and fair processing for legitimate purposes, purpose limitation, data quality and proportionality, data retention, transparency and special categories of data, to name a few.