On 18 December 2024, the European Data Protection Board (âEDPBâ) adopted its new opinion on the use of personal data for the development and deployment of AI models: EDPB, Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models (âOpinion on AI Modelsâ). In its Opinion on AI Models the EDPB addressed the following topics: (i) when and how AI models can be considered anonymous;…
The new Cyber Resilience Act is the first EU regulation on the cyber security of products with digital elements. This includes not only software products, but also smart devices â from connected refrigerators to computer network devices. Software security has been a constant challenge since the dawn of the Internet. Every month, new security vulnerabilities are discovered which affected organizations then try to fix as quickly as possible. When security updates fail or are unavailable,…
The deadline for NIS2 implementation passed on 17 October, but only 6 EU Member States met that deadline, and 14 of the remaining 22 are not expected to have implementing legislation in force before the end of the year. The complexity and breadth of the new regime has clearly presented challenges for Member States, as well as organisations preparing to comply. Our map below shows the status of implementing legislation in each Member State and…
While the GDPR imposes strict rules on sensitive data processing, gender identity does not automatically fall under this category. Only personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a natural person, health data, and data concerning a natural person’s sex life or sexual orientation are explicitly protected as sensitive data by the GDPR. Consequently, the European Court of Justice…
GDPR compliance and inclusion: striking the right balance The General Data Protection Regulation (GDPR) generally prohibits the processing of sensitive data relating to, e.g., an individualâs sexual orientation, religious affiliation, health information or ethnic background unless certain prescribed exceptions are met. In practice, this can be an obstacle for inclusion and diversity initiatives. In todayâs challenging labor market, companies are asking themselves how they can become even more attractive to applicants and employees from diverse…
The use of Artificial Intelligence (AI) can, inadvertently, give rise to issues relating to data protection compliance and equality law. However, used properly, it also provides a unique opportunity to combat implicit systematic discrimination. The new EU AI Act supports such an optimistic approach towards AI. Discrimination through non-automated processes In the public discourse on AI and the associated risks of discrimination, it is often overlooked that human decisions could be unconsciously based on non-objective…
The deadline for Member State implementation of NIS2 is less than a month away, but the majority of Member States we surveyed are likely to miss this deadline. This raises practical compliance challenges for multinationals in Europe, but there are concrete steps organisations can and should take now to prepare. NIS2 repeals and replaces the NIS Directive and harmonizes the EUâs existing cybersecurity framework. It imposes more onerous cybersecurity obligations on entities in a wider…
In Brief The long-awaited EU AI Act was published in the Official Journal of the European Union today, 12 July 2024. The Act regulates activities across the AI lifecycle, as covered in more detail in our previous post, and the countdown for implementation has now started for companies developing or deploying AI technologies, with the Act entering into force 20 days after its publication on 1 August 2024. The Act as a whole is generally…
Copyright 2024 International Association of Privacy Professionals. Data minimization: An increasingly global concept. Data minimization requirements are not new but they are becoming more common, and enforcement is on the rise. “Legal basis” requirements for data processing, justifying data processing activities and transfers, and adhering to data minimization principles began hitting organizations’ radars with the EU General Data Protection Regulation. In response to the GDPR, many multinationals are differentiating regionally, or by jurisdiction, how they…
In a groundbreaking decision, an Austrian regional court has held that certain provisions of the Collective Redress Directive (Directive (EU) 2020/1828, âCRDâ, sometimes also referred to as Representative Actions Directive) are directly applicable given that Austria failed to transpose the directive into national law. As a consequence, the EUâs rules on privacy, AI, and digital products will soon see increased private collective enforcement. The CRD, adopted by the European Union in 2020, aims to facilitate…