Category Archives: General Data Protection Regulation (GDPR)

Prohibited AI Practices—A Deep Dive into Article 5 of the European Union’s AI Act

by Dr. Martin Braun, Anne Vallery, and Itsiq Benizri

From left to right: Dr. Martin Braun, Anne Vallery and Itsiq Benizri. (Photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP).

Article 5 of the AI Act essentially prohibits AI practices that materially distort people’s behavior or that raise serious concerns in democratic societies.

As explained in our previous blog post, this is part of the overall risk-based approach taken by the AI Act, which means that different requirements apply in accordance with the level of risk. In total, there are four levels of risk: unacceptable, in which case AI systems are prohibited; high risk, in which case AI systems are subject to extensive requirements; limited risk, which triggers only transparency requirements; and minimal risk, which does not trigger any obligations.

Navigating Compliance Risks in Robotics Applications within EU and US Legal Frameworks

by Wanda R. Lopuch Ph.D

New Technologies in the European Union and the United States

(Photo courtesy of author)

In the realm of technological innovation, robotics stands out due to its rapid growth and transformative potential. However, this potential brings myriad compliance risks, particularly when navigating the complex legal landscapes of the European Union (EU) and the United States (US). Below, I explore these risks, focusing on the divergent legal frameworks of the EU and the US and the challenges they pose to robotics applications.

EU Rules Restricting the International Transfers of Non-Personal Data

by Kristof Van Quathem and Anna Oberschelp de Meneses

Kristof Van Quathem and Anna Oberschelp de Meneses (Photos courtesy of Covington & Burling LLP)

While the EU GDPR regulates the international transfer of personal data, several EU laws now regulate the international transfer of non-personal data, which is any data that is not “personal data” under the GDPR. In other words, these laws apply to data that does not relate to an identified or identifiable natural person, including anonymized data and data about industrial equipment, significantly expanding the types of data subject to international transfer restrictions. Some of this legislation has been enacted recently, and other legislation on this topic is making its way through the legislative process but has yet to be adopted. In this blog post, we outline the current and forthcoming EU legislation on the international transfer of non-personal data.

New Jersey Governor Signs Comprehensive Privacy Law

by Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins

From left to right: Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins. (Photos courtesy of Davis Wright Tremaine LLP)

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 (“the Act”), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware. The Act will take effect on January 16, 2025.

Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full day conference on Security, Privacy, and Consumer Protection.

(©Hollenshead: Courtesy of NYU Photo Bureau)

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating the associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to devote more resources and attention to bolstering their defenses and complying with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

The Data Act – the EU’s Bid to “Ensure Fairness in the Digital Environment and a Competitive Data Market” – Has Been Adopted

by Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie

Left to right: Hope Anderson, Clara Hainsdorf, Tim Hickman, Dr. Sylvia Lorenz, and Jenna Rennie (Photos courtesy of White & Case LLP)

On November 27, 2023, the European Union (“EU”) adopted the final text of the Data Act, marking an effort to create a harmonized, cross-sectoral data sharing framework with the stated goal of ensuring fair access to and use of data.

The Data Act is part of the European Data Strategy Package,[1] which aims for the EU to take a leading role in our networked world. Following the Data Governance Act,[2] which facilitates voluntary data sharing by businesses, individuals and the public sector, the Data Act is the second key piece of legislation aiming to make generated data more available for reuse. To that end, the Data Act seeks to maximize the value of data and to stimulate a competitive data market in which open opportunities for data-driven innovations make data more accessible for all.

The European Court of Justice Tightens the Requirements for Credit Scoring under the GDPR

by Katja Langenbucher

Professor Katja Langenbucher (photo courtesy of author)

The quality of a credit scoring model depends on the data it has access to. Yesterday, the European Court of Justice (ECJ) decided its first landmark case on data protection in a credit-scoring situation. The court issued a preliminary ruling involving a consumer’s request to disclose credit-score related data against a German company (“Schufa”). The practice of credit reporting and credit scoring varies enormously across Europe. Somewhat similar to the US, the UK has separate credit reporting and scoring agencies. In France, the central bank manages a centralized database that is accessible to credit institutions, which establish their own proprietary scoring models. In Germany, a private company (the “Schufa”) has a de facto monopoly, holding data on 68 million German citizens and establishing the enormously widespread “Schufa” score. Banks look to that score when extending credit, as do landlords, mobile phone companies, utility suppliers, and, sometimes, potential employers. This everyday use stands in stark contrast with a lack of transparency as to which data Schufa collects and how it models the score.

The EU AI Act – Navigating the EU’s Legislative Labyrinth

by Avi Gesser, Matt Kelly, Martha Hirst, Samuel J. Allaman, Melissa Muse, and Samuel Thomson

From left to right: Avi Gesser, Matt Kelly, Martha Hirst, Samuel J. Allaman, and Melissa Muse. Not pictured: Samuel Thomson. (Photos courtesy of Debevoise & Plimpton LLP).

As legislators and regulators around the world are trying to determine how to approach the novel risks and opportunities that AI technologies present, the draft European Union Artificial Intelligence Act (the “EU AI Act” or the “Act”) is a highly anticipated step towards the future of AI regulation. Despite recent challenges in the EU “trilogue negotiations”, proponents still hope to reach a compromise on the key terms by December 6, with a view to passing the Act in 2024 and most of the provisions becoming effective sometime in 2026.

As one of the few well-progressed AI-specific laws currently in existence, the EU AI Act has generated substantial global attention. Analogous to the influential role played by the EU’s GDPR in shaping the contours of global data privacy laws, the EU AI Act similarly has the potential to influence the worldwide evolution of AI regulation.

This blog post summarizes the complexities of the EU legislative process to explain the current status of, and next steps for, the draft EU AI Act. It also includes steps which businesses may want to start taking now in preparation of incoming AI regulation.

EU Advocate General Defines “Identity Theft” and Reaffirms GDPR Compensation Threshold

by Kristof Van Quathem and Aleksander Aleksiev

Left to right: Kristof Van Quathem and Aleksander Aleksiev (Photos courtesy of Covington & Burling LLP)

EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.

The right for individuals to claim compensation for data breaches has long been a controversial and uncertain aspect of the GDPR – see our previous blogs here, here, here, and here for example.
