Data Privacy

On 6 March 2024, the ICO issued a call for views on so-called “Consent or pay” models, where a user of a service has the option to consent to processing of their data for one or more purposes (typically targeted advertising), or pay a (higher) fee to access the service without their data being processed for those purposes. This is sometimes referred to as “pay or okay”.

The ICO has provided an “initial view” of these models, stating that UK data protection law does not outright prohibit them. It also sets out factors to consider when implementing these models and welcomes the views of publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders. The consultation is open until 17 April 2024.Continue Reading UK ICO launches a consultation on “Consent or Pay” business models

The field of artificial intelligence (“AI”) is at a tipping point. Governments and industries are under increasing pressure to forecast and guide the evolution of a technology that promises to transform our economies and societies. In this series, our lawyers and advisors provide an overview of the policy approaches and regulatory frameworks for AI in jurisdictions around the world. Given the rapid pace of technological and policy developments in this area, the articles in this series should be viewed as snapshots in time, reflecting the current policy environment and priorities in each jurisdiction.

The following article examines the state of play in AI policy and regulation in China. The previous articles in this series covered the European Union and the United States.Continue Reading Spotlight Series on Global AI Policy — Part III: China’s Policy Approach to Artificial Intelligence

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

Opt-out collective actions (i.e. US-style class actions) can only be brought in the UK as competition law claims.  Periodic proposals  to legislate to expand this regime to consumer law claims have so far faltered.  However, this is now back on the Parliamentary agenda.  Several members of the House of Lords have indicated their support for expanding the regime to allow consumers and small businesses to bring opt-out collective actions for breaches of consumer law, and potentially on other bases.

If implemented, this expansion would be very significant and would allow for many new types of class actions in the UK.  Tech companies are already prime targets as defendants to competition-related opt-out class actions.  An expansion of the regime to allow actions for breaches of consumer law, as well as competition law, would only increase their exposure further.

As there is now limited time for legislation to be passed to effect such changes before the UK Parliament is dissolved in advance of an upcoming general election, this may be an issue for the next Parliament.  It will therefore be important to assess what the UK’s main parties say on this – and any manifesto commitments – in the run-up to the election.Continue Reading UK Opt-Out Class Actions for Non-Competition Claims back on Parliamentary Agenda

On 15 January 2024, the UK’s Information Commissioner’s Office (“ICO”) announced the launch of a consultation series (“Consultation”) on how elements of data protection law apply to the development and use of generative AI (“GenAI”). For the purposes of the Consultation, GenAI refers to “AI models that can create new content e.g., text, computer code, audio, music, images, and videos”.

As part of the Consultation, the ICO will publish a series of chapters over the coming months outlining their thinking on how the UK GDPR and Part 2 of the Data Protection Act 2018 apply to the development and use of GenAI. The first chapter, published in tandem with the Consultation’s announcement, covers the lawful basis, under UK data protection law, for web scraping of personal data to train GenAI models. Interested stakeholders are invited to provide feedback to the ICO by 1 March 2024.Continue Reading ICO Launches Consultation Series on Generative AI

This quarterly update highlights key legislative, regulatory, and litigation developments in the fourth quarter of 2023 and early January 2024 related to technology issues.  These included developments related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), data privacy, and cybersecurity.  As noted below, some of these developments provide companies with the opportunity for participation and comment.Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Fourth Quarter 2023

Several EU data protection supervisory authorities (“SAs”) have recently issued guidance on cookies.  On January 11, 2024, the Spanish SA published guidance on cookies used for audience measurement (often referred to as analytics cookies) (available in Spanish only).  On December 20, 2023, the Austrian SA published FAQs  on cookies and data protection (available in German only).  On October 23, 2023, the Belgian SA published a cookie checklist (available in Dutch and French).

The new guidance builds on existing guidance but addresses some new topics which we discuss below.Continue Reading EU Supervisory Authorities Publish New Guidance on Cookies

Last week, Chairwoman Jessica Rosenworcel of the Federal Communications Commission (“FCC”) announced a partnership with four state attorneys general to enhance cooperation between the FCC and the participating states on privacy, data protection, and cybersecurity enforcement.Continue Reading FCC Announces Data Privacy Enforcement Partnership with State Attorneys General

Ahead of its December 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft “automated decisionmaking technology” (ADMT) regulations.  The CPPA has yet to initiate the formal rulemaking process and has stated that it expects to begin formal rulemaking next year.  Accordingly, the draft ADMT regulations are subject to change.  Below are the key takeaways: Continue Reading CPPA Releases Draft Automated Decisionmaking Technology Regulations

On October 30, 2023, days ahead of government leaders convening in the UK for an international AI Safety Summit, the White House issued an Executive Order (“EO”) outlining an expansive strategy to support the development and deployment of safe and secure AI technologies (for further details on the EO, see our blog here). As readers will be aware, the European Commission released its proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (the EU “AI Act”) in 2021 (see our blog here). EU lawmakers are currently negotiating changes to the Commission text, with hopes of finalizing the text by the end of this year, although many of its obligations would only begin to apply to regulated entities in 2026 or later.

The EO and the AI Act stand as two important developments shaping the future of global AI governance and regulation. This blog post discusses key similarities and differences between the two.Continue Reading From Washington to Brussels: A Comparative Look at the Biden Administration’s Executive Order and the EU’s AI Act