Compliance and risk management

Subscribe to Compliance and risk management

The Commission’s guidelines on AI systems – what can we infer?

By Rosie Nance, Marcus Evans (UK) & Peter McBurney on February 13, 2025

The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets…

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

TR v Land Hessen – DPA not obliged to fine under the GDPR

By Shan Nanayakkara on December 3, 2024

By Shan Nanayakkara

In TR v Land Hessen (C‑768/21) the European Court of Justice (“ECJ”) found that following a personal data breach, a supervisory authority is under no obligation to exercise its corrective powers, specifically the power to…

Lessons on international transfers to the US to organisations caught by the GDPR

By Jurriaan Jansen, Naomi Schuitema, Marcus Evans (UK) & Rosie Nance on September 11, 2024

The Dutch data protection authority, the Autoriteit Persoonsgegevens (AP) announced a fine of €290 million on Uber Technologies Inc. (UTI) and Uber B.V.,(UBV) (together Uber) with press releases in Dutch and English. The fine relates to the transfer of…

EDPB opines on the use of facial recognition in airports

By Marcus Evans (UK) & Shiv Daddar (UK) on July 18, 2024

Co-written by Swaathi Balajawahar, Trainee Solicitor

Introduction

On 23 May 2024, the European Data Protection Board (EDPB) issued Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (the Opinion). The Opinion considered the use of facial…

UK regulators’ strategic approaches to AI: a guide to key regulatory priorities for AI governance professionals

By Marcus Evans (UK), Lara White (UK), Amanda Sanders (UK), Miranda Cole, Rosie Nance, Simon Lovegrove (UK), Anita Edwards, Hannah Meakin (UK) & Georgina O'Sullivan on May 24, 2024

Background – white paper response on the UK’s approach to AI regulation

In February 2024, the UK Department for Science, Innovation, and Technology (DSIT) set out the government’s proposed approach to AI regulation. It published a response to its…

Is your Texas data protection assessment started?

By Susan Ross (US), David Kessler (US), Annmarie Giblin (US) & Joe McClendon (US) on May 23, 2024

As we have previously written, the Texas comprehensive privacy law, known as the Texas Data Privacy and Security Act (TDPSA), goes into effect on Monday, July 1, 2024. As a reminder, unlike other states’ comprehensive privacy laws that are…

OCR and FTC Issue a Joint Letter Suggesting Enforcement Actions May Be in the Pipeline

By Anna Rudawski (US) & Alexis Wilpon (US) on July 21, 2023

On July 20, 2023 HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection processes. The letter follows the much discussed December 1, 2022, Bulletin that expanded the kinds of…

Privacy law is becoming more technically sophisticated. So should you.

By Steve Roosa (US), Daniel Rosenzweig (US) & Susan Ross (US) on March 22, 2023

As privacy laws and requirements become more technically sophisticated, businesses may want to consider how they can follow suit.…

For whom the bell tolls: FTC, regulators and private parties are coming for online tracking technologies

By Anna Rudawski (US) & Alexis Wilpon (US) on February 2, 2023

Over a year ago the FTC fired the first warning shot – the FTC health breach notification rule would be used as the basis for enforcement actions where sites and apps shared health information without a user’s permission. Following suit…

Data Protection Report