Tag Archives: Dr. Friedrich Popp

Eight GDPR Questions when Adopting Generative AI

by Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst


From left to right: Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

As businesses adopt Generative AI tools, they need to ensure that their governance frameworks address not only AI-specific regulations such as the forthcoming EU AI Act, but also existing regulations, including the EU and UK GDPR.

In this blog post, we outline eight questions businesses may want to ask when developing or adopting new Generative AI tools or when considering new use cases involving GDPR-covered data. At their core, they highlight the importance of integrating privacy-by-design default principles into Generative AI development and use cases (see here).

If privacy is dealt with as an afterthought, it may be difficult to retrofit controls that are sufficient to mitigate privacy-related risk and ensure compliance. Accordingly, businesses may want to involve privacy representatives in any AI governance committees. In addition, businesses that are developing their own AI tools may want to consider identifying opportunities to involve privacy experts in the early stages of Generative AI development planning.


Schrems II – Where are we now?

As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.


Schrems II: Privacy Shield Invalid and Severe Challenges for Standard Contractual Clauses


Yesterday, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data.  The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.  The CJEU’s lengthy decision is here and its short-form press release is here (PDF: 319.62 KB).

What does this mean for organizations that rely on Privacy Shield or SCCs?  History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers.  EU authorities hopefully will clarify their enforcement intentions soon.  In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt.  U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.


Preparing for and Responding to Ransomware Attacks: Thirteen Lessons from the NIST Framework and Recent Events

by Luke Dembosky, Avi Gesser, H Jacqueline Brehmer, Robert Maddox, Dr. Friedrich Popp, and Mengyi Xu

Ransomware attacks continue to plague businesses across the globe. As companies enhance their defenses, attackers increase the sophistication of their software and its deployment. Ransomware attacks used to be limited to the locking of a company’s computer system by encryption software and a demand to pay in order to obtain the key, but not anymore.

In early June 2020, for example, the REvil ransomware group auctioned off three databases containing approximately 22,000 stolen files that were associated with a Canadian agricultural firm, for a starting price of $50,000, after the victim refused or failed to pay the ransom. This sale reflects a growing trend of ransomware attacks that includes theft of sensitive company data, along with the usual locking up of computer systems, as a means of amplifying the pressure on victim entities. As a result, companies that have operational backup systems, and therefore do not need to pay the ransom to get access to their data, may still consider paying in order to prevent the public release of their stolen confidential information.


Six Tips for Getting Rid of Old Electronic Files, Which Reduces Cyber and Privacy Risk and Is Now a Legal Requirement for Most Companies

by Avi Gesser, Michael Bloom, Mengyi Xu, and Dr. Friedrich Popp

Much has been written recently on the increased cybersecurity and privacy risks that companies are facing. One of the most effective ways for organizations to mitigate those risks is to significantly reduce the amount of data that they collect and maintain. Having less data means that there is less sensitive information to protect from hacks or leaks, which is why regulators are increasingly focused on the following data minimization requirements:

  • Collecting only the data that you actually need;
  • Using collected data only for authorized purposes; and 
  • Retaining only data that you actually need.

Companies that have failed in the third element of data minimization, effectively getting rid of old data, have recently been the subject of regulatory action. In this Data Blog post, we discuss the regulatory requirements for getting rid of old data and offer six tips for complying with this new and difficult obligation.


COVID-19: Three Data Protection Tips for the EU and the UK

by Jeremy Feigelson, Avi Gesser, Jane Shvets, Ariane Fleuriot, Fanny Gauthier, Robert Maddox, and Dr. Friedrich Popp

As businesses adapt to the COVID-19 pandemic, the challenges of managing a remote workforce and its desire for information about the virus’s impact have significant data protection implications. While European Data Protection Board (“EDPB”) guidance (PDF: 211 KB) confirms that the GDPR should not impede the fight against the pandemic, even in these exceptional times, companies must continue to safeguard individuals’ data protection rights.

We share here our top three tips for those who oversee data protection compliance, drawing on guidance from the EDPB (PDF: 211 KB), UK, French, German, and Irish supervisory authorities. Links to other authorities’ guidance are accessible here.

The EPPO and International Co-Operation – New Kid on the Block

by Karolos Seeger, Jane Shvets, Robin Lööf, Alma M. Mozetič, Martha Hirst, Antoine Kirry, Alexandre Bisch, Ariane Fleuriot, Dr. Thomas Schürrle, Dr. Friedrich Popp, Dr. Oliver Krauß

The European Public Prosecutor’s Office (“EPPO”) is a new European Union body responsible for investigating and prosecuting criminal offences affecting the EU’s financial interests in 22 of its 28 Member States.[1] The EPPO is expected to begin investigations in November 2020.

Fraud against the financial interests of the EU is an international phenomenon: in 2018, the European Anti-Fraud Office (“OLAF”) concluded 84 investigations into the use of EU funds, 37 of which concerned countries outside the EU.[2] In this part of our series of analyses of the EPPO[3] we, therefore, consider the framework for the EPPO’s future international co-operation. This includes dealings with enforcement authorities in non-participating EU Member States as well as the rest of the world.


Draft GDPR Transparency Guidelines Issued: What Does Your Privacy Policy Need to Contain?

by Jeremy Feigelson, Jane Shvets, Dr. Thomas Schürrle, Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett

Late last year, the Article 29 Working Party (the “Working Party”) issued detailed draft guidance (the “Guidelines”) on transparency under the EU General Data Protection Regulation (the “GDPR”), which comes into force in May 2018. These Guidelines, which will be finalized following a consultation process, contain the Working Party’s interpretation of the mandatory transparency information that must be provided to a data subject by way of privacy policy or other disclosures.

One of the express requirements of the GDPR relates to how businesses communicate their use of a data subject’s personal information to that data subject at the point of data collection or consent, typically via a privacy policy or notice. Getting this right is crucial. Businesses will need to examine their current privacy policies and other disclosures closely, and consider whether these need revising not just in the light of the GDPR, but also to factor in the requirements listed in the Guidelines, which elaborate on existing GDPR provisions. While the Guidelines will not be binding, data protection authorities may take a dim view of businesses which fail to comply with the Guidelines without good reason, given that representatives from all of the EU data protection authorities are part of the Working Party. Businesses that fail to comply with the information duties under the GDPR will face fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million.