On April 28 2025, the Court of Justice of the European Union (CJEU) published an updated version of the fact sheet (the Fact Sheet) summarising key case law on protection of personal data. The Fact Sheet covers the case law...more
On April 14 2025, the European Data Protection Board (EDPB) announced the outcomes of its plenary session that took place on April 8 2025, during which the EDPB adopted draft Guidelines on processing of personal data through...more
4/25/2025
/ AI Act ,
Artificial Intelligence ,
Blockchain ,
Data Privacy ,
Data Protection ,
Draft Guidance ,
EU ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Privacy Laws ,
Regulatory Requirements ,
Technology
On March 24 2025, the European Commission (EC) adopted the final draft Delegated Regulation setting out Regulatory Technical Standards (RTS) for subcontracting ICT services supporting critical or important functions under the...more
4/16/2025
/ Cybersecurity ,
Data Protection ,
Digital Operational Resilience Act (DORA) ,
EU ,
European Commission ,
Financial Institutions ,
Information Technology ,
Regulatory Requirements ,
Risk Management ,
Subcontractors ,
Third-Party Service Provider
On February 27 2025, the Court of Justice of the European Union (CJEU) delivered a judgment in CK v Dun & Bradstreet (Case C-203/22).
This judgment clarifies the GDPR provisions regarding the right of access to personal...more
3/13/2025
/ Algorithms ,
Automated Decision Systems (ADS) ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
Data Subject Access Requests ,
EU ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Privacy Laws ,
Trade Secrets
On February 3 2025, the European Commission published an updated version of the Frequently Asked Questions (FAQs) about the Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (Data Act). Key...more
2/27/2025
/ Compliance ,
DATA Act ,
Data Management ,
Data Privacy ,
Data Protection ,
Digital Marketplace ,
EU ,
European Commission ,
Regulatory Agenda ,
Regulatory Requirements ,
Technology Sector
The European Union Artificial Intelligence Act (AI Act) entered into force on 1 August 2024. The AI Act establishes a risk-based approach to AI, prohibiting certain practices that are deemed unacceptable, such as social...more
2/6/2025
/ Artificial Intelligence ,
Compliance ,
Data Protection ,
Enforcement Actions ,
EU ,
European Commission ,
Healthcare ,
Regulation ,
Regulatory Requirements ,
Risk Management ,
Technology Sector
On January 21 2025, the Council of the European Union (Council) announced its decision to adopt the Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS).
As we have previously...more
1/29/2025
/ Data Privacy ,
Data Protection ,
Data Security ,
EU ,
Health Care Providers ,
Healthcare ,
Member State ,
Patient Privacy Rights ,
Personal Data ,
Privacy Laws ,
Regulatory Agenda
On December 2 – 3 2024, the European Data Protection Board (EDPB) met for its 99th plenary session. It subsequently issued several documents, one of which calls for the need for greater alignment between the GDPR and EU...more
12/12/2024
/ Artificial Intelligence ,
Data Protection ,
Digital Markets Strategy ,
Digital Services ,
Draft Guidance ,
EU ,
EU Data Protection Laws ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Information Governance ,
Legislative Agendas ,
Machine Learning ,
New Legislation ,
Regulatory Agenda
On November 14, 2024, the European Commission published the first draft of the General-Purpose AI Code of Practice (the Draft Code).
The Draft Code is designed to help providers of general-purpose AI models (GPAI) and...more
12/2/2024
/ Artificial Intelligence ,
Copyright ,
Corporate Counsel ,
Cyber Incident Reporting ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
Risk Management ,
Robots ,
Taxonomy ,
Technology Sector ,
Transparency
On November 5, 2024, the European Data Protection Board (EDPB) issued its first report under the EU-U.S. Data Privacy Framework (DPF) and released a statement on the access to data for law enforcement. Both documents were...more
11/20/2024
/ Artificial Intelligence ,
Biometric Information ,
Corporate Governance ,
Data Protection ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Data Protection Board (EDPB) ,
Exporters ,
Exports ,
Machine Learning ,
New Guidance ,
Privacy Laws ,
U.S. Commerce Department
On October 9, 2024, the European Commission (the Commission) published a report on the first periodic review of the adequacy decision of July 10, 2023. This decision determined that the EU-U.S. Data Privacy Framework (the...more
11/20/2024
/ Certifications ,
Complaint Procedures ,
Compliance Monitoring ,
Corporate Governance ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
EU ,
EU Data Protection Laws ,
EU-US Privacy Shield ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Privacy Laws
On 9 October 2024, the European Data Protection Board (EDPB) published its draft Guidelines on the processing of personal data based on legitimate interest for public consultation. The draft Guidelines, adopted on 8 October...more
This is the final note in a three-part series on the regulation of artificial intelligence in the financial services sector in the United States, the European Union and the United Kingdom. Our first note, we provided a...more
10/21/2024
/ Artificial Intelligence ,
Consumer Protection Laws ,
Data Protection ,
Enforcement Actions ,
EU ,
Financial Services Industry ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Legislative Agendas ,
Liability ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
Securities and Exchange Commission (SEC) ,
UK ,
United States
The CJEU considered: (a) whether a legitimate interest of the controller or third party must be determined by law, and (b) whether provision of personal data of the members of a sports federation to third parties in return...more
On 1 July 2024, the European Commission (the ‘Commission’) announced its preliminary findings in an investigation of a leading social media platform, concluding that its ‘pay or consent’ advertising model implemented in the...more
7/23/2024
/ Advertising ,
Consent ,
Corporate Counsel ,
Data Privacy ,
Data Protection ,
Digital Markets Strategy ,
EU ,
European Commission ,
European Economic Area (EEA) ,
Pay or Play ,
Privacy Laws ,
Social Media ,
Technology Sector
The Office of the Privacy Commissioner of Canada (the OPC) published two new resolutions which aim to protect the privacy of employees and young people, on 6 October 2023. The resolutions follow concerns of privacy federal,...more
The President of India gave assent for the Digital Personal Data Protection Bill 2023 on 11 August 2023, a matter of days after it had been passed by both the Lower and Upper House. The Digital Personal Data Protection Act...more
The White House announced on 21 July 2023 that seven companies involved in development of artificial intelligence (AI) technology had voluntarily committed to manage the risks posed by AI. These companies are: Amazon,...more
The European Commission published its Proposal for a Regulation (on 4 July 2023) laying down additional procedural rules relating to the enforcement of GDPR (the Proposal), which aims to complement the GDPR by specifying the...more
The Court of Justice of the European Union (CJEU) published its decision in the case of J.M. v Pankki S (Case C‑579/21) on 22 June 2023....more
The European Data Protection Board (EDPB) published the final version of the Guidelines on the calculation of administrative fines under the GDPR (Guidelines) on 7 June 2023. The Guidelines aim to harmonize the approach to...more
The Pakistan Ministry of Information Technology and Telecommunication (MITT) released a new draft of the Personal Data Protection Bill, 2023 (the PDPB) on 19 May 2023. The PDPB aims to regulate the collection, processing,...more
6/5/2023
/ Cybersecurity ,
Data Controller ,
Data Privacy ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Pakistan ,
Personal Data
The first week of May 2023 saw further EU case law emerge on the right to compensation under the GDPR, and in this blog we analyse the implications of these latest rulings and consider what may be coming next....more
The European Parliament’s committees for Civil Liberties, Justice and Home Affairs (LIBE) and for Internal Market and Consumer Protection (IMCO) adopted a report setting out the Parliament’s vision for the proposed EU...more
The Court of Justice of the European Union (CJEU) issued on 4 May 2023 three decisions in cases concerning interpretation of key aspects of the GDPR. It also published three opinions of the Advocate General (AG). Below is a...more