Insights

AI is currently attracting a lot of attention, and not only for the stunning pace at which we have embraced AI for writing office speeches, shopping lists or mathematical formulas, or for creating illustrations or improving the visuals of slide shows. Lawyers have also started paying attention to AI, with analyses of copyright infringements in input and output, anti-competitive concerted behavior (such as price fixing) or violations of personality and privacy rights with deep fakes imitating celebrities’ images or voices.

On February 28, 2023, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2023 (the “Opinion”) on the draft adequacy decision of the European Commission regarding the EU-U.S. Data Privacy Framework (“DPF”). The DPF aims to ensure that personal data transferred from the European Union to the U.S. receives an adequate level of protection. The framework is based on the principles of transparency, accountability, and oversight, and it includes safeguards to protect the data privacy rights of individuals.

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”

The European Commission launched the formal process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework on December 13, 2022. The framework will replace the Privacy Shield, which was invalidated by the Court of Justice of the European Union’s (“CJEU”) Schrems II ruling on July 16, 2020 (CJEU C-311/18, discussed in this client alert). The draft adequacy decision aims to foster transatlantic data flows and to address the concerns raised in Schrems II. The draft adequacy decision is therefore important for businesses on both sides of the Atlantic.

In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.

On October 7, 2022, President Biden signed an executive order implementing the EU-U.S. Data Privacy Framework.  Announced in March, this framework replaces the Privacy Shield program that the EU Court of Justice invalidated in July 2020 with its Schrems II decision. That decision stated that the United States did not provide a level of data protection that was “essentially equivalent” to that provided within the EU because signal intelligence surveillance by U.S. agencies was considered too broad and EU residents were not provided with effective remedies.

On Tuesday, July 5th, the European Parliament adopted the Digital Services Act (DSA) with a resounding 539 votes in favor, 54 votes against and 30 abstentions. The DSA is but one part of the multifaceted European digital strategy and, together with the Digital Markets Act (DMA), makes up the Digital Services Package, initially proposed by the European Commission in December 2020 (see our previous alert of January 12, 2021). The DSA takes the form of a Regulation, directly applicable in all EU Member States, and will amend (but not fully replace) the 2000 e-Commerce Directive (Directive 2000/31/EC).

On May 3, 2022, the European Commission published a proposed regulation (the “EHDS Proposal”) for the establishment of a European Health Data Space (or “EHDS”). This is the first proposal for establishing domain-specific common European data spaces following the European strategy for data and an important step in building a European “Health Union”.

On April 21, Canada, Singapore, Japan, the U.S., the Republic of Korea, Chinese Taipei, and the Philippines released a joint declaration announcing the creation of a Global Cross-Border Privacy Rules (CBPR) Forum. This global CBPR Forum, which is drawn from the Asia-Pacific Economic Cooperation (APEC) forum’s existing CBPR and Privacy Recognition for Processors (PRP) Systems, will allow for the expansion of the CBPR system beyond APEC’s twenty-one economies into a truly international framework.

Compensation claims for data breaches have become increasingly common in the UK in recent years. However, 2021 may come to be seen as a turning of the tide, as the English Courts made a number of decisions that will substantially reduce the scope of such claims and/or make them less attractive to funders. This alert looks at a few such decisions and their potential consequences.