Brussels, 17 January - During its latest plenary, the EDPB adopted a report on the findings of its second coordinated enforcement action, which focused on the designation and position of Data Protection Officers (DPOs). The report is the result of an EU-wide coordinated investigation and lists the obstacles currently faced

The Court of Justice of the European Union (“CJEU“) has ruled on the conditions under which national data protection supervisory authorities may impose administrative fines on one or more data controllers for a violation of EU Regulation 679/2016 (“GDPR“). Let’s cover the specifics of the case: The case

On December 7, 2023, the Court of Justice of the European Union ruled that credit scoring constitutes automated decision-making, which is prohibited under Article 22 of the EU General Data Protection Regulation unless certain conditions are met.  Continue Reading https://www.huntonprivacyblog.com/2023/12/14/cjeu-rules-that-gdpr-prohibition-on-automated-decision-making-applies-to-credit-scoring/

Explore the intersection of privacy, cybersecurity and artificial intelligence related risks and board liabilities with Andy Serwin on our podcast. Andy Serwin, Co-Chair of the Global Data Protection, Privacy, and Security Practice at DLA Piper, is recognized as one of the world’s foremost privacy attorneys. In this edition of

France's data protection authority, the Commission nationale de l'informatique et des libertés, published recommendations for application programming interface data sharing. The guidance states data holders must ensure the security of any data shared using API, while eliminating risks associated with sharing sensitive data.Full story https://iapp.org/news/a/

Spain's data protection authority, the Agencia Española de Protección de Datos, published guidance on the use of biometric data for work and personal purposes, noting employers must follow the EU General Data Protection Regulation regardless of employee consent. The AEPD said consent is not a legal basis due to an

Inês Neves (Lecturer at the Faculty of Law, University of Porto | Researcher at CIJ - Centre for Legal Research | Member of the Jean Monnet Module team DigEUCit - A Digital Europe for Citizens. Constitutional and policymaking challenges) and Luísa Amaro de Matos (LL.M. in European Legal Studies – College of

On November 16, 2023, the European Data Protection Board published its Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive. Continue Reading https://www.huntonprivacyblog.com/2023/11/20/edpb-publishes-guidelines-to-clarify-scope-of-eu-cookie-notice-and-consent-requirements/

The response from Meta to privacy concerns was to introduce a paywall model with an ad-free subscription option for Facebook and Instagram, following significant legal scrutiny over personal data usage. After an announcement last August 2023, Meta has finally changed the legal basis used for processing its users’ data to

On October 11, 2023, the French Data Protection Authority (the “CNIL”) published a new set of guidelines addressing the research and development of AI systems from a data protection perspective.   Continue Reading https://www.huntonprivacyblog.com/2023/10/23/french-dpa-issues-guidelines-on-data-protection-and-ai/

The Italian Privacy Authority issued a decalogue of rules on artificial intelligence in the healthcare that sets out principles that can be applicable to both public and private companies using AI. Artificial intelligence (AI) systems are assuming an increasingly prominent role in healthcare services, however, the use of AI in

France's data protection authority, the Commission nationale de l'informatique et des libertés, released initial opinions on artificial intelligence deployments' compliance with the EU General Data Protection Regulation. The CNIL said the GDPR offers an "innovative and protective framework" for AI while noting how specific GDPR principles can apply to various

Italy's data protection authority, the Garante, released recommendations on how schools can protect the privacy of students, staff and families. The guidelines cover topics including how photos taken on school trips should be managed, regulatory updates and how to protect privacy while using education technology.Full story https://iapp.org/

On October 3, 2023, the UK Information Commissioner’s Office published new Guidance on lawful monitoring in the workplace, designed to help employers comply with their obligations under the UK General Data Protection Regulation and the Data Protection Act 2018. Continue Reading https://www.huntonprivacyblog.com/2023/10/05/uk-ico-publishes-guidance-on-workplace-monitoring/

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. Continue Reading https://www.huntonprivacyblog.com/2023/09/21/breaking-uk-u-s-data-bridge-finalized/

The U.K. Information Commissioner's Office warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails. "Organisations that use and share large amounts of data, including sensitive personal information,

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. Continue Reading https://www.huntonprivacyblog.com/2023/08/25/joint-statement-published-on-data-scraping-and-the-protection-of-privacy/

Norway's data protection authority, Datatilsynet, offered guidelines for monitoring employees via company-issued electronic equipment. The DPA explained how "digital work tools can record large amounts of information about employees." Section Manager Ylva Marrable said the guidance "will help employers assess what may be legal to introduce in the workplace, and

Works produced by artificial intelligence systems CANNOT enjoy protection under copyright law in the United States, according to a recent case. How shall businesses protect their assets, then? The US case on the copyright protection of artificial intelligence creations and the precedent In the first landmark decision concerning Thaler v.

It is hard to deny that dominant internet services provide essential consumer goods for much of the world. Having to go a week, much less a day, without efficient Google searches, or losing the ability to interact with others via a social media platform like Instagram, would surely upend many

Today, the Future of Privacy Forum (FPF) releases the Generative AI for Organizational Use: Internal Policy Checklist. With the proliferation of employee use of generative AI tools, this checklist provides organizations with a powerful tool to help revise their internal policies and procedures to ensure that employees are using generative

On July 19, 2023, the European Data Protection Board issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework on July 10, 2023. Continue Reading https://www.huntonprivacyblog.com/2023/07/31/european-data-protection-board-issues-information-note-on-data-transfers-under-the-data-privacy-framework/

On July 14, 2023, the Norwegian Data Protection Authority ordered Meta Platforms Ireland Limited and Facebook Norway AS to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior” when relying on the contractual necessity legal

Artificial intelligence is increasingly an integral part of our daily lives, but at the same time it generates concerns, including legal issues, of a potential cognitive “bias”, and the resulting discrimination of the algorithm. In this article we analyze the legal issues of cognitive biases in artificial intelligence systems: What

The European Commission published its FAQs on the adequacy decision regarding data transfers, which don’t give all the necessary answers; let’s try to give some clarifications on potential grey areas. Based on the initial discussions with clients, here are the main requests of clarifications and relevant answers on