Utah’s recent passage of updates to its consumer protection law and the Artificial Intelligence Policy Act (Utah AI Policy Act), which comes into effect on May 1, 2024, could mark an important moment in AI regulation. Notably, the updates to state consumer protection law emphasize holding companies that use generative AI (GenAI)—rather than developers—accountable if they knowingly or intentionally use generative AI in connection with a deceptive act or practice.  In other words, a company may not have a defense that:  “The AI generated the output that was deceptive, so we are not res ..read more

In the two years since the Dobbs v. Jackson Women’s Health decision from the Supreme Court, state legislatures and courts have attempted to define the new post-Roe landscape in health care. That effort includes actions by states to enact health data privacy laws or to amend existing privacy laws to protect consumer health data that may not be covered by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations. These new and revised laws, with various effective dates, present novel considerations and compliance challenges for businesses tha ..read more

The German Federal Ministry for Digital and Transport (Bundesministerium für Digitales und Verkehr – BMDV) has drawn up a new draft bill which shall introduce: (i) a statutory obligation for providers of number-independent interpersonal communication services (e.g. instant messaging services) to allow their users to use end-to-end encryption (“E2EE”), and (ii) a statutory transparency obligation for such providers to inform their users accordingly; and a statutory transparency obligation for providers of certain cloud services to inform their users about how to use continuous and secure encry ..read more

On 19 December 2023, the Information Commissioner’s Office (ICO) published its updated guide on UK Binding Corporate Rules (BCRs), introducing the UK BCR Addendum for controllers and processors (the Addendum). It will enable organisations with existing EU BCRs to include data transfers from the UK. Background Under the UK General Data Protection Regulation (UK GDPR), the transfer of personal data to a third-country recipient is restricted, given the risks presented by personal data being processed outside the UK. Restricted transfers may only take place under certain circumstances, e.g., where ..read more

With cybersecurity becoming a board-level issue, compliance officers, lawyers, board members, and business drivers are looking for official guidance or recommendations on cybersecurity measures to protect business, customers, and the wider economy. Whose guidance to use? On 14 December 2024, the Court of Justice of the European Union confirmed that, under data protection rules, it is the controller of personal data that bears the burden of proving that the security measures applied to personal data are appropriate. So, we looked at the highest fines imposed on organisations so far for failure ..read more

On Monday, January 29th, celebrate Global Data Protection Day with us as we bring you an exciting webinar highlighting the latest data protection laws and bills that might influence your business. Join Reed Smith attorneys Cynthia O’Donoghue, Elle Todd, Andreas Splittgerber, Aselle Ibraimova, Friederike Wilde-Detmering, Christian Leuthner, Joana Becker, and Florian Schwind and gain valuable insights and learn tips and tricks for successfully navigating the evolving landscape of data protection. Register today ..read more

On 26 November 2023, the US Cybersecurity and Infrastructure Security Agency (CISA), together with the UK’s National Cyber Security Centre (NCSC), published joint ‘Guidelines for Secure AI System Development’ (the Guidelines). The Guidelines were formulated by CISA and the NCSC, in cooperation with 21 other international agencies and ministries, as well as industry experts. These Guidelines aim to ensure that developers integrate cybersecurity into the development process from the outset and throughout, deploying what is known as a ‘secure by design’ approach. The Guidelines are separated into ..read more

On 17 October 2023, the First-Tier Tribunal of the General Regulatory Chamber – Information Rights (the Tribunal) handed down its decision in Clearview AI Inc v The Information Commissioner [2023] UKFTT 819, overturning the £7.5 million fine levied on Clearview AI Inc. (Clearview) by the ICO last year. The Tribunal found that, although the data processing activities carried out by Clearview constituted the monitoring of the behaviour of UK data subjects (and therefore fell within the territorial scope of Article 2 UK General Data Protection Regulation (UK GDPR).), its processing did not consti ..read more

On 26 October 2023, the UK adopted the Online Safety Act 2023, which introduces new obligations for online platforms to improve user safety online by ensuring content that is illegal and harmful is monitored and removed. We previously compared the Act in its draft form with the EU Digital Services Act here and will be updating the table soon. Scope The Act affects user-to-user services and search engines.  A ‘user-to-user service’ is an internet service by means of which content is generated directly on the service by a user of the service and may be encountered by another user of the ser ..read more

Currently there are two trends on cookie consent banner design – either (1) the “Accept All” and “Reject All” options are shown in the first layer of a cookie consent management solution, or (2) only the “Accept All” option is shown in the first layer together with a link to the second layer of the cookie consent management solution where the user can reject to the use of non-essential cookies. There is more clarity on the views of the UK data protection authority on whether a “Reject All” option in the first layer of a cookie consent management solution is required. The ICO Position On 9 Augu ..read more