petrapirvan@gmail.com

Introduction  Utah has taken a pioneering step in the regulation of Generative AI (GenAI) with the enactment of S.B. 149, marking a significant milestone in U.S. legislative history.    Effective May 1, 2024, this legislation establishes Utah as the first state to introduce comprehensive laws tailored specifically for GenAI.  The inclusion of statutory damages underscores […]

Introduction  President Biden recently signed into law a bill that reauthorizes Section 702 of the Foreign Intelligence Surveillance Act (FISA) while incorporating reforms to enhance the protection of privacy and civil liberties for Americans.  This legislation has been a focal point for policy and privacy professionals in recent months, sparking discussions about potential amendments to

Introduction Representative Cathy McMorris Rodgers (R-Wash.), Chair of the U.S. House Committee on Energy and Commerce, alongside Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science, and Transportation, unveiled a groundbreaking legislative proposal on April 7. This initiative aims to establish the United States inaugural comprehensive data privacy law at the federal

Microsoft Copilot is a groundbreaking addition to the Microsoft 365 suite, revolutionizing the way users interact with applications such as Teams, Outlook, SharePoint, and OneNote. Positioned as an enterprise-grade generative AI product, Microsoft Copilot harnesses the power of a vast language model and integrates seamlessly with various Microsoft 365 applications, offering unparalleled assistance to enhance

Background In response to the imperative need for safeguarding state-owned information assets, protecting privacy, and ensuring the well-being of California’s populace, the Statewide Information Management Manual (SIMM) 5305-F, Generative Artificial Intelligence (GenAI) Risk Assessment has been formulated.  This manual presents a structured risk assessment methodology tailored to assist state entities in comprehensively evaluating the potential

Introduction  An inquiry into the European Union’s utilization of Microsoft 365 has concluded that the Commission violated the bloc’s data protection regulations in its adoption of the cloud-based productivity software. The European Data Protection Supervisor (EDPS) announced its findings through a press release, stating that the Commission breached “several crucial data protection rules while employing

Introduction On February 28, 2024, President Biden signed Executive Order 14117, titled “Preventing Access to Americans’ Bulk Sensitive Data and United States Government-Related Data by Countries of Concern” (EO), marking a significant step in safeguarding national security and personal privacy. This executive action responds to the urgent need to protect Americans’ sensitive personal data and

BACKGROUND – 27TH NOVEMBER, 2023 ADMT DRAFT (OLDER ONE) The California Privacy Protection Agency (CPPA) unveiled its highly awaited draft regulations concerning the utilization of automated decision-making technology (ADMT) on November 27, 2023. Marking a significant development, these draft regulations provide a detailed framework for the oversight of ADMT and artificial intelligence (AI) by the

l. ISO/IEC 42001:2023 On December 18, 2023, the International Organization for Standardization (ISO) published the ISO/IEC 42001:2023 – Information Technology – Artificial Intelligence – Management System standard. ISO/IEC 42001:2023 has been developed by the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) Joint Technical Committee (JTC) 1, Information technology, Subcommittee (SC) 42, Artificial intelligence.

CNIL fined Amazon France Logistique! Introduction On December 27, 2023, the French Data Protection Authority (CNIL) fined AMAZON FRANCE LOGISTIQUE €32 million. This was due to the company’s use of excessively intrusive technology to monitor employee activities and performance. Furthermore, the corporation was penalised for using video monitoring without giving necessary information or security safeguards.

Introduction  As children today grow up in an increasingly digital world, their online activities leave behind a trail of data that shapes their digital footprint. Shockingly, by the time a child reaches the age of 13, online advertising firms have already amassed an average of 72 million data points about them. Against this backdrop, the

About the Act  While general EU competition regulations apply to Big Tech platforms like Apple, Google, Microsoft, and Meta, there have been instances of these digital platforms engaging in unfair activities and abusing their market strength. For example, in June 2023, the EU antitrust commission ordered Google to change its advertising business and accused it

Introduction In recent legal developments, The New York Times has taken decisive action against OpenAI and Microsoft, filing a complaint in the Southern District of New York on December 27, 2023. The crux of the matter revolves around the alleged utilization of the Times’s copyrighted works in the development of generative artificial intelligence (AI) products,

#inadequate data processing #lawfulness of processing #consent #personalised advertising #digital platforms #competition #dma 2023 had a significant privacy weight for Meta. Regulators from different European countries penalised the Californian technology conglomerate for inadequate data processing practices. The lawfulness of combining data across Meta’s suite of social platforms for personalised advertising purposes, dubbed as super-profiling, was

 Contentions of The Times The New York Times has launched a copyright infringement case against OpenAI and Microsoft. According to the Times, millions of its stories were used to train automated chatbots, notably ChatGPT, without permission. The newspaper claims that these chatbots are now competing with The Times as a source of information, potentially harming

In a recent publication, the EU Parliament’s research unit delves into the intricate relationship between the General Data Protection Regulation (GDPR) and the realm of Artificial Intelligence (AI). This comprehensive study explores the challenges and opportunities arising from the convergence of these two domains, shedding light on the ways in which law and technology can

Setting up the scene.   Data generated using connected products or related services can be personal and non-personal data and are often mixed sets of both types of data.  Whereas GDPR regulates the processing of personal data, for most non-personal data generated by connected products or related services there was no similar legal regime. This

The AI Act is part of the larger EU digital strategy agenda alongside regulations such as the Data Governance Act, the Data Act, the Digital Services Act, and the Digital Markets Act. The 125-page draft law to regulate AI was initially introduced in April 2021 and since then it garnered a reputation of the global

In today’s fast-paced world, businesses increasingly rely on artificial intelligence (AI) systems to make decisions that can significantly impact individual rights, human safety, and critical business operations. But how do these AI models derive their conclusions? What data do they use? And can we trust the results they produce? Addressing these critical questions is the

Introduction In an era marked by ever-increasing technological advancements, New York City has taken a pioneering step in ensuring accountability and transparency in the use of automated decision systems, particularly within the realm of employment. The New York City Local Law 144-21, often referred to colloquially as the NYC Bias Audit Law, stands as a

INTRODUCTION On October 10, 2023, Governor Gavin Newsom took a significant step in the world of data privacy by signing the California Delete Act, officially known as SB 362, into law. This landmark legislation places new obligations on a group known as “data brokers” and marks a pivotal moment in the world of data privacy

Introduction  In today’s digital landscape, consumer profiling techniques have become a central aspect of core platform services offered by tech giants. Recognizing the importance of safeguarding user privacy and promoting fair competition, Article 15 of the Digital Markets Act has introduced a key obligation:    an audit of these profiling techniques This pivotal regulation mandates

Online services such as social media platforms and online shopping platforms have become an integral part of our daily lives.  While GDPR regulates the processing of personal data, further regulation is required to ensure that digital platforms are not used for harmful purposes such as dissemination of illegal content and disinformation, among other issues. To

Last Friday the Irish Data Protection Regulator decided to apply a €345 million fine to TikTok (TTL) for GDPR violations. The very long 126 pages decision can be downloaded from the European Data Protection Board website.   At the core of the decision is the fact that TTL failed to implement appropriate technical and organisational

Introduction  As the California Privacy Protection Agency (CPPA) prepared for its board meeting scheduled for September 8, 2023, the privacy landscape is abuzz with anticipation. This heightened interest stems from the recent release of two pivotal documents by the CPPA: the draft Cybersecurity Audit Regulation and the draft Risk Assessment Regulation. Despite their preliminary status,

INTRODUCTION In a significant development, the California Privacy Protection Agency (CPPA) recently unveiled a trove of crucial materials on August 28, 2023, laying the groundwork for its upcoming board meeting scheduled for September 8, 2023. Among these materials are two pivotal documents that have garnered substantial attention within the privacy sphere: the draft Cybersecurity Audit

It is more than five years now since the GDPR came into force. Compared to the old Directive 95/46/EC, the GDPR is considerably a more complex and more far-reaching law, as it includes a very extensive set of data subject rights. Not surprising at all if we think that strengthening data subject’s rights was one

Starting with 25th of August 2023 the designated Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must comply with the obligations laid down in the Regulation 2022/2065 or otherwise known as the Digital Services Act (DSA). Context The Digital Services Act is an update to the e-Commerce Directive 2000. It regulates:

The three distinct legal regimes for AI systems:  The AI Act describes itself as a risk-based legislation distinguishing between three distinct legal regimes for AI systems. Each regime lays down legal obligations that correlate with anticipated risks to public interests and values protected by EU law.    The first regime covers AI systems raising unacceptable

On April 21, 2021 the EU Commission unveiled the draft Regulation laying down harmonized rules on AI and amending certain Union legislative acts together with a new coordinated plan with Member State. The released draft reveals a comprehensive approach of an area which didn’t benefit of much framing up until the date. The draft comprises a set

Among others, one of the main preoccupations of the GDPR is to safeguard the interests and fundamental rights and freedoms of the data subjects. Understanding and being able to recognize what stands behind these concepts is paramount for any data privacy professional involved in the work of advising their companies on the path of compliance

Vision and priorities   From a legal standpoint protecting privacy in U.S. is primarily a counterbalance to the state administration power of intrusion over the citizen. The 4th Amendment in the U.S. Constitution is precisely written in the vein of accounting for the government activities constituting searches and seizures, and how to address public authorities’

The political communication.  On March 25th, 2022, the U.S. President Joe Biden, and the European Commission President Ursula von der Leyen announced in a joint press conference that they reached a political agreement on trans-Atlantic data transfers. “We have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and

According to provisions in the GDPR the data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determine the overall control of the purpose for which, and how, personal data are processed. The data processor, in exchange is the natural or legal person, public authority,

On the 14th of June the Members of the E.U. Parliament voted with a large majority the AI Regulation. The EU AI Act is one of the first major laws to regulate artificial intelligence, and as Adam Satariano observes for the New York Times “a potential model for policymakers around the world as they grapple

Introduction. The technological advancements, increasing digitization of the society and the shift of nearly all economic activities and human interactions to online platforms has elevated the importance of data privacy rights. [1] In recent years, many countries have initiated measures to implement data protection requirements, or are actively considering such actions. Likewise, India is also taking initiatives in

On September 15, 2022, the E.U. Commission published the Cyber Resilience Act (CRA) draft setting out cybersecurity requirements for products with digital elements placed on the internal market and amending Regulation (EU) 2019/1020 on Market Surveillance and Compliance of Products.    To date, software has not been a central part of the E.U. product safety

Current legal systems for governing data are under stress which is not surprising given the speed of technological changes underway. While there is no immediate failure of the law the present legal regime is not capable of meeting the future challanges of data governance and requires to be reformed.  Data production and dissemination takes place

This article was first published by IAPP in Privacy Perspectives Although there is no universally accepted definition of international organizations in public international law, Article 4(26) of the General Data Protection Regulation describes them as “organizations and its subordinate bodies governed by public international law, or any other body which is set up by, or

This article was first published by the IAPP in the Privacy Advisor  On May 28, France’s data protection authority, the Commission nationale de l’informatique et des libertés, launched a public debate over its draft recommendation relating to terms of retention and use of data logs. According to the CNIL, maintaining data logs is an essential

Knowledge is power but responsible knowledge is ethics and compliance and a data mapping exercise can help achieve that. Not so long ago I participated in a webinar where, among others, I touched upon the importance of companies having a consistent and reliable data mapping exercise.  I referred to Article 29.3 of the GDPR which

Data flows of personal data which are undergoing processing or are intended for processing after transfer to a third-country or to an international organization are allowed only if enforceable data subjects rights and legal remedies to data subjects are available.   Starting with 27th of June 2021 organizations are able to use the European Commission’s long-awaited

Following already long-standing development in the area of innovative technologies the benefits of the digital economy are rooted in personal data collections and flows through a complex data ecosystem. Given the complexity of the digital products, systems and services individuals might find it hard to get their heads around the consequences this innovative technologies and