Photo of Gareth Kristensen

On 15 January 2024, the UK Information Commissioner’s Office (“ICO”)[1] launched a series of public consultations on the applicability of data protection laws to the development and use of generative artificial intelligence (“GenAI”). The ICO is seeking comments from “all stakeholders with an interest in GenAI”, including developers, users, legal advisors and consultants.[2]

This first public consultation (which closes on 1 March 2024) focuses on the lawful basis for training GenAI models on web-scraped data.[3]Continue Reading The UK ICO launches consultation series on GenAI

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) published its decision on Meta Platforms Ireland Limited (“Meta”).[1] The decision has wider implications for any company that routinely transfers personal data from the EEA to third countries, in particular, to the US.Continue Reading Key Takeaways from the Irish Data Protection Commission’s decision on Meta Data Transfers

On July 10, 2023, the European Commission officially adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (“DPF”), concluding that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. organisations participating in the EU-U.S. Data Privacy Framework.[1] This allows EU organizations to freely transfer personal data that is subject to the GDPR to participating organizations in the U.S.Continue Reading EU-U.S. Data Privacy Framework

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.

As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world

On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry.  The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent. Continue Reading Irish Data Protection Commission’s decisions regarding Facebook and Instagram

On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU – U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S. (available here).Continue Reading The Draft Adequacy Decision on the EU-US Data Privacy Framework

On 24 November 2022, the UK government announced its adequacy decision for the Republic of Korea, which will allow UK organizations to share personal data with Korean organizations more freely under the UK General Data Protection Regulation (“UK GDPR”).Continue Reading The United Kingdom and the Republic of Korea Finalize Data Sharing Agreement

The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”).  The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.
Continue Reading UK ICO Issues Draft Guidance on Monitoring at Work