France's data protection authority, the Commission nationale de l'informatique et des libertés, published best practices for sharing personal data through application program interfaces. The CNIL identified cases when API use is recommended, listed risk factors to help organizations conduct a risk analysis, and offered recommended measures to help them achieve

Artificial intelligence (AI) has emerged as a game-changer in the healthcare sector, offering immense potential to revolutionize patient care, diagnostics, and medical research, but raising legal challenges as well. In particular, integrating artificial intelligence into the healthcare industry comes with legal challenges that must be tackled promptly since they might

The GDPR demonstrates the capacity of the European Union to prioritise data protection and privacy. The collection and use of health data by private corporations makes privacy protections critically important. Taken together, the provided policy recommendations here create comprehensive steps forward. https://edri.org/our-work/guarding-health-data-privacy-in-europe-the-limits-and-challenges-of-current-regulations/

Global flows of personal data have been a source of geopolitical concern for many years now. The Court of Justice of the European Union’s “Schrems II” judgement has revived the debate and organisations around the world now have to map personal data flows and conduct transfer impact assessments, while

Key takeaways Privacy laws around the world contain core principles and requirements (such as data minimization) that present new challenges for those using and developing AI At the same time, variations in approach and detail, specifically as regards consent and the use of publicly available data, mean that it is

Today, FPF released a new report on the effectiveness of a key federal children’s privacy requirement known as verifiable parental consent (VPC). The Children’s Online Privacy and Protection Act (COPPA) requires operators of child-directed services to provide parents with detailed, direct notice and obtain parents’ affirmative express consent

As with a colorblindness hue test, if you stare at the new version of the EU Artificial Intelligence Act for long enough, some patterns form (or maybe you are just losing your vision or your mind). Below is a decision tree to help assess whether you fall in scope. Is

On 22 May 2023, the Irish Data Protection Commission (“DPC”) fined Facebook parent Meta EUR 1.2 billion for transferring personal data to the U.S. in violation of GDPR. The DPC also ordered Meta to suspend further transfers unless it can bring such transfers into compliance within 5 months.

What is XAI? How does it work in practice? What are its benefits, risks, impact on data protection? Read Blogpost by EDPS Director EDPS Wojciech Wiewiórowski attended ENISA's Annual Privacy Forum where he delivered a keynote speech on Artificial Intelligence and Data Protection. Read Speech.Read Closing Remarks of the

The Italian Privacy Authority, the Garante, has sanctioned the use of dark patterns to collect personal data for the first time under the terms of the GDPR. On February. 23, 2023, the first ruling of the Italian data protection authority sanctioning the use of dark patterns for personal data collection

The AI Act is a European Commission proposal to regulate artificial intelligence. The AI Act bans certain AI practices and imposes specific requirements and obligations on creators and users of AI. The goal of these measures is to increase trust in AI, ensure the safety and fundamental rights of people

The Association of Southeast Asian Nations and the European Commission released joint guidance on the application and use of respective contractual clauses. The guide aims to provide a high-level comparison of ASEAN model contractual clauses and the EU's standard contractual clauses to help facilitate cross-border data transfers. By comparing and

The U.K. Information Commissioner's Office published guidance on responding to subject access requests. The ICO said businesses and employers risk fines or reprimands for compliance failures, but ICO Policy Group Manager Elanor McCombe said many employers misunderstand the requests or underestimate their importance. "It's important not to get caught

Decision could imperil other companies’ transatlantic transfers as well By: John Magee, Andrew Dyson, James Sullivan, Andrew Serwin, Claire O’Brien & Rachel De Souza The Irish Data Protection Commission (DPC) has published a decision that could impact the ability of thousands of companies to move personal data from the European

The GDPR fine of € 1.2 billion issued by the Irish data protection commission against Meta raises the question of how companies deal with data transfers leading to a status of anxiety perfectly expressed by The Scream of Munch. But let’s start from the beginning: The GDPR fine against

In this landmark decision, the DPC considered that even though Meta Ireland relied on the EU Standard Contractual Clauses in conjunction with additional supplementary measures to legitimize its data transfers to the U.S., these arrangements were not sufficient to address the requirements arising from the Court of Justice’s

The Future of Privacy Forum released a report on the efficacy of Article 25 of the EU General Data Protection Regulation's data protection by design and by default obligations. The report draws on more than 92 data protection authority cases, court rulings and guidance issued by 16 European Economic Area

On 26th April, the General Court of the European Union (EGC), published its judgment in Case T-557/20, Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS), in relation to the threshold between pseudonymous and anonymous data. The EGC held that pseudonymised data transmitted to a data recipient will

In the same week the European Court of Justice published three rulings on the interpretation of the EU General Data Protection Regulation, the European General Court handed down a landmark ruling on the concept of personal data that IAPP DACH Regional Leader and Baumgartner Baumann Partner Ulrich Baumgartner, CIPP/E,

On May 17, the Future of Privacy Forum launched a new report on enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report draws from more than 92 data protection authority (DPA) cases, court rulings,

The EU Parliament’s Committees have agreed on the AI Act. However, Google’s decision to postpone the launch of Bard in the European Union prompts questions about the direction we’re headed in. The Compromise Text on the EU AI Act regulates Foundation Models (like ChatGPT, GPT4, Palm, etc.

The mere violation of the GDPR does not entitle per se to compensation, but it is not necessary for the damage suffered to reach a certain threshold of severity to produce a right to compensation. These are the conclusions reached by the Court of Justice of the European Union (CJEU)

Spain's data protection authority, the Agencia Española de Protección de Datos, published a guide for cryptographic systems as a data protection security measure in partnership with the Spanish Association for the Promotion of Information Security and Spanish Professional Association for Privacy. The guide states "encryption will be an adequate security

Dispute following inspection request The issue concerns a dispute between a consumer and the privacy regulator in Austria. The consumer had made an inspection request to a business consultancy firm that issues reports on creditworthiness (solvency). In response, the consumer had been provided with an overview of the personal data

Pseudnomized data might lead to anonymity, according to a recent ruling of the European General Court that can potentially have a massive impact on data protection compliance and sharing of (originally) personal data in the life sciences, banking, and any other sector. In the decision of April 26, 2023, T-557/