Leading the change
2025 DATA LAW TRENDS

Contents
01 AI governance takes center stage
02 International data transfers are under the spotlight
03 A new wave of cyber threats is here
04 New global regulations are changing our digital operations
05 Tougher enforcement is reshaping data and privacy compliance
06 US state consumer privacy laws are expanding
07 Asia's privacy laws are maturing
08 New EU data access regulations are shaping the future

From the rise of AI governance to the tightening of data transfers, these trends reflect the new realities of doing business in a data-driven world. Each one has been carefully pinpointed by our global team of experts, who are advising top tech companies on the frontlines of these changes. This report breaks down the major trends, including:

1. AI governance takes center stage: As AI becomes increasingly central to business, the focus on governance and accountability intensifies.
2. International data transfers are under the spotlight: Navigating the evolving landscape of cross-border data flows will be essential.
3. A new wave of cyber threats is here: Cyber threats continue to evolve, and data laws are playing a key role in shaping how businesses respond.
4. New global regulations are changing our digital operations: Stricter regulations around online content and transparency are set to impact businesses worldwide.
5. Tougher enforcement is reshaping data and privacy compliance: Expect more robust enforcement actions, including as regulators intensify their focus on AI-related data practices.
6. US state consumer privacy laws are expanding: As privacy regulations spread across US states, businesses need to adapt quickly.
7. Asia's privacy laws are maturing: Asia's data privacy landscape is evolving fast, and businesses must stay agile to remain compliant.
8. New EU data access regulations are shaping the future: The EU's upcoming regulations on data access will have wide-reaching implications.

Our goal with this report is simple: to give you the insights you need to stay ahead of these changes. It's a guide to help you prepare your business, navigate the challenges, and seize the
opportunities. Dive in: the future of data law is here, and it's moving fast.

The 2025 Data Law Trends report is here, and this year's findings reveal one thing loud and clear: the pace of change in data law is accelerating, profoundly impacting businesses. We've identified eight key trends that will shape the future, and they're more than just legal shifts; they're strategic opportunities for those ready to act.

Last year, we reported on key disruptions as new technologies and regulations began to take hold. In 2025, the stakes are even higher. Data laws are shaping everything from risk management to growth opportunities, and staying ahead of these shifts is critical. Data law is no longer a peripheral concern; it's the heartbeat of modern business strategy.

As we stand on the brink of transformative change, it's crucial to recognize that adapting to these emerging trends is not just about compliance; it's about seizing the competitive advantage in a data-driven landscape. This report equips you with the insights to not only navigate the complexities ahead but to thrive in them.

Christine Lyon, Giles Pratt and Christoph Werkmeister
Global Co-heads of the Freshfields data privacy and security practice

Executive summary

1. AI governance takes center stage

Increasing pressures to develop AI governance frameworks

Pressures to develop AI governance frameworks include:

AI-specific regulatory regimes
These regimes are taking more discernible shape across the globe, with AI-specific regulation now in force across the EU
and China, and planned at national level (with published draft texts) in Brazil, Canada, South Korea, Thailand and Vietnam. New (albeit narrow) AI-specific regulation was introduced to protect the integrity of India's recent elections and is also anticipated in the UK.

CHAPTER 1 AI governance takes center stage

In brief
With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it's clear that addressing AI governance is more important than ever. As a result, many organizations today are feeling the heat to show they have the right governance structures and decision-making processes in place for their use of AI, or for deciding not to use it at all. In this chapter, we'll dive into why a proactive AI governance framework is essential. It's not just about ticking boxes; it's about taking control of AI's potential while managing its risks. We'll explore the key pressures you're facing and highlight the foundational elements that can lead to successful AI governance.

Authors: Richard Bird (Hong Kong), Giles Pratt (London), Adam Gillert (London), Beth George (Silicon Valley), Georgina Bayly (London), Rachael Annear (London), Theresa Ehlen (Düsseldorf/Frankfurt), Cat Greenwood-Smith (London), Lutz Riede (Vienna/Düsseldorf), Zofia Aszendorf (London)

A proliferation of guidance as to the application of existing regulatory regimes to the use of AI
The UK, US and other jurisdictions (including Australia, Hong Kong, India, Japan, Russia, Saudi Arabia, Singapore, South Korea and Turkey) have implemented policies aimed at streamlining AI regulation at the national level. These fall short of AI-specific laws and instead direct established regulators to apply existing regimes to the use of AI. Non-regulatory government bodies are also being vocal in this space; for example, the US Department of Justice, primarily a
law enforcement agency, has spoken about its expectations that corporate compliance programs are effective at mitigating AI-related risks.

The emergence of global standards for AI governance, such as ISO/IEC JTC 1/SC 42
Customers, distributors and other contractual counterparties may start expecting compliance with these types of standards as a badging of an organization's AI maturity.

Increased scrutiny of company reporting with respect to use of AI from shareholders
Companies in the US are already facing scrutiny from shareholders who view them as being insufficiently transparent about their use of AI. We have seen a trend of shareholder petitions being filed at the US Securities and Exchange Commission aimed at eliciting further detail relating to a company's AI strategy. AI risks and opportunities are becoming a common theme of listed company reports; see infographic on the next page.

Increasing focus from NGOs on AI and the potential risks it poses
For example, Amnesty International published a report titled The State of the World's Human Rights in April 2024, which looked at human rights concerns from 2023. This report highlighted AI as a potential threat to human rights, citing use cases such as state deployment of facial recognition software to aid policing of mass events, including protests, as well as use of biometrics and algorithmic decision-making in migration and border enforcement. The Austrian privacy advocacy group noyb has been vocal in relation to the privacy implications of AI technologies.

Increasing risk of AI litigation and regulatory enforcement

"Companies are feeling the pressure to get AI governance right not only from regulators, but also from the markets, the emergence of global standards for AI governance and third-party actors such as NGOs."
Giles Pratt, Partner

Companies
need a framework to ensure compliance and respond to regulatory scrutiny and allow them to make the most of AI while navigating the risks associated with its use. Data-related matters will be a core component of this framework. The EU AI Act, which is the world's first comprehensive AI-specific legislation, imposes numerous governance and documentation-related obligations, including specific data governance obligations on providers of high-risk AI systems. Similarly, data protection regulators globally have not shied away from enforcement activity relating to the use of personal data in connection with AI systems (we have seen activity in this space from data protection regulators in the UK, Ireland, Italy, the Netherlands, Hong Kong and elsewhere; the US Federal Trade Commission is also active in this space as part of its consumer protection remit) and are also proactively consulting on the application of data protection laws to AI.

"While lawsuits and investigations concerning AI are currently based on existing regimes, we expect to see a real influx of new cases once new legislation specifically targeting AI comes into effect."
Cat Greenwood-Smith, Partner

Emerging AI litigation and regulatory enforcement themes

As AI becomes increasingly advanced, companies face a growing risk of litigation or regulatory investigations concerning AI use or development. Governments and regulators are heightening their focus on both the opportunities and risks posed by AI. While many new regimes specifically regulating AI are yet to be enacted and/or implemented, AI-related litigation and investigations are being brought under existing regimes governing areas such as data protection and privacy, equality and anti-discrimination,
intellectual property (IP), product liability and consumer protection and misrepresentation.

Infographic: Trends in board oversight of AI. Director expertise in AI in the US* and the UK**
- FTSE 100: 18% of the FTSE 100 have at least one director with AI expertise. The FTSE 100 companies whose annual reports mention AI expertise of directors span a number of sectors, including financial services, pharma and retail.
- S&P 500: 13% of S&P 500 have at least one director with AI expertise. This increases to 30% of S&P companies in the IT sector (and up to 60% in the automotive space).
Sources: *Deloitte and Society for Corporate Governance: Board Practices Quarterly: Future of Tech: Artificial Intelligence (2023); ISS-Corporate: AI and Board of Directors Oversight: AI Governance Appears on Corporate Radar (2024). **Data sourced by Freshfields.

We are also seeing regulators taking a more hands-on approach to governing AI, even where specific AI regulations are yet to take effect, for example:
- Data protection authorities are particularly active in the AI space, showing a readiness to issue warnings, launch investigations and bring enforcement action against companies where their development and/or use of AI is suspected to be in breach of data protection regimes.
- Financial regulators, particularly in the US, are clamping down on so-called AI washing, where companies overstate their AI capabilities to investors and consumers. Several warnings and certain enforcement actions have been issued in recent months (we anticipate other regulators will follow suit).
- Competition authorities are showing particular interest in tech companies' position in the AI development market, with investigations into partnerships between large tech firms and AI start-ups launched in both the US and Europe.
- Consumer protection regulators in the US are closely scrutinizing disclosures to users, ensuring that users' understanding and expectations match AI tools' capabilities. These agencies are also using consumer protection standards in their attempts to require companies to recognize new or evolving rights to online content that may be used for training AI systems.

"Regulators have already set their sights on AI, particularly in areas such as data protection and financial regulation in relation to AI washing. Companies should review their governance systems to ensure they stand up to scrutiny and be wary of new requirements coming down the line."
Zofia Aszendorf, Senior Associate

So far, AI litigation remains at a relatively nascent stage. We anticipate a surge in AI litigation with the rapid advancement of AI systems and emergence of new regulatory regimes and potential for diverging approaches across jurisdictions. In terms of the current landscape:
- The US is leading the way with a number of class actions. Allegations range from unfair and discriminatory outcomes resulting from algorithmic decision making, to breach of privacy in connection with the training of AI models. Other jurisdictions will likely follow suit.
- Outside the US, early cases have been brought primarily against states for their use of AI, eg in relation to alleged biases and invasion of privacy resulting from use of facial recognition software. However, the focus appears to be shifting to companies who develop and/or deploy AI.
- Globally there is already big-ticket IP litigation, where claimants allege their IP is being used by defendants without consent to train their own AI models, or that outputs from defendants' AI models infringe IP.

"Mass claims alleging harms caused by AI are already being brought in the US, but we expect to see a dramatic increase in AI-related mass claims both in the US and elsewhere as the development and use of AI rapidly expands."
Georgina Bayly, Associate

Key cornerstones for successful AI governance

The right governance around AI is important both to achieving organic growth in this area and to attracting investment (including, for early-stage companies, in the context of investor diligence). Importantly, AI governance shouldn't be seen as being limited to mitigating legal risk: done well, it can also help to maximize the value of a company's AI investment, setting up future growth.

"A successful AI governance framework will help mitigate AI-related risk and set up future growth."
Beth George, Partner

A good example in the data space is the importance of appropriate governance processes in ensuring that proprietary datasets are appropriately ringfenced from use by third parties in the AI value chain (through a combination of technical measures, processes and contracting frameworks).

"Effective AI governance should not just be seen through the lens of regulatory necessity but also as part of the strategic imperative that builds trust and ensures integrity in decision making."
Rachael Annear, Partner

Regulatory guidance presents degrees of prescriptiveness around governance structures, including around topics such as the involvement of senior management and monitoring and reporting lines. Getting governance for AI right requires considering: (i) what the governance structures should look like; (ii) who should be staffed within them; and (iii) what those individuals should be responsible for.

Governance structures: key considerations

Within corporations that are looking to add AI to their existing offerings, we are typically seeing a single person with general oversight, an AI
leader, supported by a cross-functional AI steerco of senior leaders, including legal and compliance professionals.

- Consider whether the AI steerco and AI leader should report to the board. Regular reporting assists the board to carry out an effective task of holding the AI steerco and AI leader to account.
- Consider whether links should be made to any other committees or steercos; we are seeing trends of cyber, risk and audit committees being involved in AI governance.
- Corporate groups need to consider what decisions can be made at divisional/subsidiary level and what decisions need to be centralized.

Staffing of the governance structure

The people in the governance structure need to be appropriately qualified and ideally will come from a range of disciplines such as engineers, developers, product specialists and lawyers. The EU AI Act contains a specific requirement on providers and deployers of AI systems to ensure AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf. Other guidance around the world also emphasizes the need for adequate training of personnel overseeing AI systems.

Looking ahead

As the litigation and regulatory landscape continues to change, it's crucial for businesses to keep a close eye on these developments. Regularly evaluating the effectiveness of your governance systems will be key to mitigating AI-litigation risks. If your business is developing or deploying AI, now's the time to make sure you have the right governance structures in place. This means ensuring you have the right staffing, resources, and clear terms of reference. But don't stop there. Building in flexibility will help you proactively adapt to future needs, positioning you for future success as the landscape evolves.

Terms of reference for the AI leader and steerco

These can broadly be categorized into three areas:

Legal and compliance: this remit is broader than just AI-specific regulation. It needs to cover other legal obligations, for example antitrust regimes, sector-specific regulation and data regimes. It also applies more broadly than just in relation to the business's external roll-out of AI systems; eg there is a significant interface between the use of AI for internal purposes and labor law compliance, including potential works council obligations. A particularly knotty piece of the legal and compliance aspects of AI governance is determining how to approach any product liability considerations, which will depend on the business's role in the AI value chain.

AI product development: this will include considering the development of AI tools in line with legal and compliance obligations, including privacy by design requirements.

AI deployment: key features of deployment should include periodic (perhaps annual) systemic risk assessments and audits of the deployment of AI tools, as well as clear processes for sign-off of new use cases for developed tools.

Organizations may also want to task the AI leader, AI steerco and the board with considering the company's AI-related reputation and appropriate external-facing communications, ie what the business wants to be saying about AI in public and how it wants to position itself with respect to AI. Businesses that can articulate this clearly will gain an advantage, although they will also need to be mindful of the increased scrutiny on AI washing (see above).

Underpinning these three cornerstones of a business's AI governance structure needs to be a degree of flexibility and adaptability, in recognition of the fact that both the technology and the law in this
space is fast evolving.

"AI governance frameworks should be assessed for structure, staffing and terms of reference (does the business have the right people, in the right place, doing the right thing?), but it's equally important that they can adapt to the fast-evolving technology and law in this space."
Lutz Riede, Partner

2. International data transfers are under the spotlight

EU/UK data transfers to the US under threat?

The DPF is a landmark mechanism negotiated between the EU and the US which entered into force in 2023 to facilitate the transfer of personal data from the European Economic Area (EEA) to eligible US companies that choose to participate in the DPF (see here for further detail). The two predecessors to the DPF were each invalidated by the Court of Justice of the EU (CJEU) following concerns raised by privacy activist Max Schrems that the schemes did not appropriately protect Europeans' personal data. Max Schrems and other activists have indicated they will challenge the DPF in the CJEU given similar concerns. While 2024 did not see any actions from these privacy activists regarding the DPF, 2025 may be the year for Max Schrems or others to start the third (and final?) round of battle over data transfers from the EU to the US.

CHAPTER 2 International data transfers are under the spotlight

In brief
In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions, each with varying requirements, aren't holding back either; they've shown they're ready to impose hefty fines for non-compliance. This chapter outlines how 2025 could mark the beginning of a significant legal challenge to the EU-US Data Privacy Framework (DPF), potentially jeopardizing data transfers from Europe and the UK to the US. We'll also
highlight other key developments and trends that businesses need to keep an eye on when transferring data across borders.

Authors: Rachael Annear (London), Richard Bird (Hong Kong), Madeline Cimino (Washington, DC), Tochukwu Egenti (London), Fan Li (Shanghai), Christine Lyon (Silicon Valley), Philipp Roos (Düsseldorf), Christoph Werkmeister (Düsseldorf), Yvonne Wolski (Düsseldorf)

Since the EU-US DPF's adoption, many US organizations have decided to participate:

"Since the DPF's implementation in July 2023, more than 2,800 enterprises have joined the framework, 70 percent of which are small and medium-sized businesses."
Source: Joint Press Statement: Commissioner Didier Reynders and US Secretary of Commerce Gina Raimondo on the first periodic review of the EU-U.S. Data Privacy Framework, European Commission (europa.eu)

The UK agreed a UK Extension to the DPF shortly after the DPF entered force and, in 2024, Switzerland joined the UK in allowing the transfer of personal data to US-based recipients that are certified under the DPF without the need for other transfer safeguards to be implemented under national data protection laws (see here).

"2025 will likely be another year with a lot of movement regarding cross-border data transfers subject to the EU's GDPR. Most important, the EU-US Data Privacy Framework might be challenged by privacy activists, requiring clients to closely follow the developments."
Philipp Roos, Principal Associate

The UK is no longer subject to the jurisdiction of the CJEU, which means any successful challenge against the DPF would not immediately affect the UK Extension. However, any successful challenge might be considered by the UK in determining whether to amend or revoke the UK Extension or renew it when it comes up for review.

Further EU and UK adequacy decisions?

2025 might also see an extension of the list of adequate locations personal data can be transferred to without the need for additional transfer safeguards under EU data protection law. In this respect, the EU Commission is currently in discussion with Brazil and California, each of which applies high privacy safeguards similar to the GDPR. The EU Commission's review of the UK's adequacy decision is expected to be completed in June 2025 and it currently seems likely that this decision will be renewed. In August 2021, the UK government hailed its ability to make use of its new, post-Brexit, powers to issue equivalent adequacy regulations independent of the EU. However, the UK government is yet to issue any new adequacy regulations in respect of countries that are not already the subject of EU adequacy decisions. 2025 might see the UK government forge a separate path and issue adequacy regulations for additional countries.

New SCCs and data localization requirements in the EU

The EU Commission has announced work on a new set of Standard Contract Clauses (SCCs) for international data transfers to address the situation where a data importer of GDPR personal data is in a third country but also subject to the GDPR. It remains to be seen whether and to which extent these SCCs deviate from the existing SCCs and whether other jurisdictions might (again) follow this approach. The EU will introduce data localization requirements as part of the European Health Data Space (EHDS) Regulation. The EHDS Regulation aims to establish an EU data space for health data and includes
dedicated rules on the primary and secondary use of health data. In particular, given the sensitivity of health data, the EHDS Regulation proposes that certain stakeholders may only store and process health data within the EU or, as an exception, in third countries providing an adequate level of data protection. In addition, EU Member States may impose data localization rules at a national level. The EU may apply similarly strict standards in other data spaces involving sensitive data in the future.

"The Executive Order marks the most significant executive action any President has ever taken to protect Americans' data security."
Source: FACT SHEET: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data | The White House

Asia looks both ways

China's strict data transfer regulations have proven to be a significant burden for many multinational companies. New rules relaxing certain of these requirements were introduced in March 2024, most notably the exemption of transfers of the personal data of fewer than one million individuals a year from the requirement to undergo security assessment with the Cybersecurity Administration (see here for further detail). While a large proportion of international companies operating at scale in China will still need to put in place (and file) a standard contract and security impact assessment, complete exemptions have
usefully also been introduced for transfers of HR data and to facilitate individual cross-border commerce. A simplified form of standard contract has also been introduced for transfers of personal data within the Greater Bay Area (also without an obligation to file an impact assessment with the contract filing). Within the last year, Thailand and Indonesia have both either introduced or proposed cross-border data transfer mechanisms that are structurally very similar to those under the GDPR. Thailand and the Philippines (among others) are actively promoting the adoption of the Association of Southeast Asian Nations (ASEAN) model contractual clauses (ASEAN and the EU have also recently published a joint guide to their respective contractual clauses).

US tightens rules for data transfers

In 2024, President Biden issued an Executive Order (EO) restricting the bulk transfer of sensitive data to certain countries. EO 14117, signed on February 28, 2024, represents a major shift in US data regulation, particularly regarding sensitive personal and government-related data. The EO aims to address concerns about potential exploitation of such data by countries of concern through new prohibitions and restrictions. By empowering the Attorney General to implement regulations, the EO seeks to prevent the transfer of bulk sensitive personal data to adversarial countries, including China, Russia and others. The scope of this regulatory framework is significant, as it targets not only data transactions but also data brokerage and vendor agreements, further strengthening the national security shield around US sensitive data. See here for further background.

The proposed regulations outlined in the Advance Notice of Proposed Rulemaking highlight efforts by the US Department of Justice (DOJ) to classify certain transactions into prohibited and restricted categories. Prohibited transactions include those involving data brokerage or access to human genomic data, while restricted transactions may proceed if security measures are in place. These rules will require companies engaged in international data transfers to review
and potentially overhaul their compliance programs. For businesses involved in sensitive sectors like healthcare, finance or telecommunications, these new regulations may significantly impact their operations and necessitate additional compliance diligence. Given the far-reaching nature of these proposed regulations, businesses that handle or process large volumes of US personal data must act swiftly to assess their risk exposure. The expansive definitions of bulk sensitive personal data and data brokerage increase the number of companies that will be subject to these regulations. While certain exemptions are proposed, such as for personal communications and financial services, the overarching authority of the DOJ to regulate sensitive data transfers remains a critical concern. As this regulatory framework develops, it is likely to reshape the way US businesses engage in international data transfers, influencing their global operations and partnerships.

"While most countries in Asia do provide pragmatic data transfer mechanisms, the exact requirements vary a good deal from one jurisdiction to the next."
Richard Bird, Partner

On the other hand, Vietnam has adopted a modified version of China's process for approving personal data exports, allowing for the government to intervene based on security assessment dossiers to be filed within 60 days of the transfer. In the past few months, Australia has proposed introducing a whitelist (without SCCs) while Malaysia has proposed removing its own whitelist regime (having never issued a list). The Digital Personal Data Protection Act in India will empower the government to issue a blacklist. Another proposed new Vietnamese law will restrict outbound transfers of categories of non-personal data: important data and core data, with these terms defined in a way that approximates to the definitions of the synonymous concepts under China's Data Security Law. It appears that government approval will be required to transfer either category of data out of Vietnam. The equivalent restrictions on transfers
of important/core data from China have brought about pre-emptive localization of many operations and systems there. However, on this topic as well, the past few months have seen a generally more business-friendly approach being taken, especially in the catalogues of important data and approval mechanisms of free trade zones (in Shanghai, Tianjin and Beijing). Some of those rules were developed with the participation of resident international businesses. The EU and China also began discussing a mechanism to facilitate flows of non-personal data in August 2024.

SCCs in other jurisdictions

Like the EU and UK GDPR, various international jurisdictions may require data exporters to conclude SCCs to safeguard certain transfers of personal data to data importers in third countries. For example, in 2024, the Turkish and Brazilian authorities each published a set of updated SCCs including similar provisions as in the EU SCCs for data transfers. Therefore, international organizations must be prepared to both update intra-group agreements and address requests from third-party organizations to enter into such SCCs.

Looking ahead

By staying informed and proactive, you can better manage risks and seize opportunities in the ever-evolving data landscape. It's essential for businesses to be equipped to navigate the complex and rapidly changing requirements around data transfers and localization, which can differ greatly across jurisdictions. Keep a close eye on developments in cross-border transfer and localization
laws, especially those recently introduced in the US, China, and Vietnam. If your business is involved in data transfers from Europe, be prepared for potential legal challenges to the DPF and anticipate likely changes to the SCCs for data transfers from the EU. Planning ahead will be crucial to ensure compliance and maintain smooth operations.

3. A new wave of cyber threats is here

Developments in ransomware attacks

In February 2024, several international law enforcement agencies scored a major success in the fight against cybercrime by seizing control of infrastructure used by LockBit, one of the world's most active ransomware groups, while developing decryption keys that could enable the recovery of many LockBit-encrypted systems. However, LockBit has reportedly continued attacking companies using new servers and dark web domains, which demonstrates the persistence of cybercriminals. While law enforcement continues to pursue cybercriminals and companies continue to improve their cybersecurity measures, ransomware remains rampant and attacks are increasing in sophistication and number, not least due to:
- the rise of widely available generative AI; and
- the increasing commoditization of ransomware, particularly through ransomware as a service.

CHAPTER 3 A new wave of cyber threats is here

In brief
As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape. In this chapter, our cybersecurity experts dive into recent trends in ransomware attacks and the latest regulations around incident response. They also discuss new guidance on fines and damage claims while exploring the intersection of cybersecurity and AI. Here's what we'll cover:
- The rising frequency and scale of ransomware attacks.
- New incident response obligations.
- GDPR damage claims.
- The role of AI in enhancing and undermining cybersecurity.

Authors: Richard Bird (Hong Kong), Lana Bouafy (Paris), Madeline Cimino (Washington, DC), Brock Dahl (Washington, DC/Silicon Valley), Tony Gregory (London), Hanna Hoffmann (Düsseldorf), Jérôme Philippe (Paris/Brussels), Megan Kayo (Silicon Valley), Thomas Retire (Paris), Satya Staes Polet (Brussels), Rhodri Thomas (London), Christoph Werkmeister (Düsseldorf)

Cyberattacks, vulnerabilities or even faulty updates at vendors have resulted in significant losses for numerous customers of those vendors and highlighted the growing importance of integrating cybersecurity into a company's overall risk management. These incidents underscore the cascading effects that supply chain attacks can have, leading to regulatory penalties, breach of contract claims and potential litigation. Additionally, supply chain attacks can be more challenging to investigate as an affected customer may have limited visibility into an attack on a third-party vendor and limited control over the vendor's investigation. In fact, supply chain risk has become such a significant issue that the US National Institute of Standards and Technology (NIST) released its first major update of its Cybersecurity Framework since 2014 to incorporate practices to manage cybersecurity risks within and across organizations' supply chains. Organizations must bolster their cybersecurity measures, ensure their supply chain contracts include robust security provisions and stay compliant with evolving regulations. Legal teams should prepare for complex liability issues a
113、nd the intricacies of data breach notifications that arise from such multifaceted attacks.Cybersecurity and AICybercriminals are increasingly using AI to automate and target their attacks.This allows them to carry out individualized mass phishing attacks tailored to their targets,not only greatly in
114、creasing the efficiency of the attacks,but also allowing well-organized threat actors to automatically create fake login pages that are virtually indistinguishable from the legitimate pages.Additionally,research has indicated that the use of AI will significantly improve the capability of threat act
115、ors to crack passwords.AI also allows threat actors to replicate proofs of concept or other types of successful attacks more quickly.For example,if a zero-day vulnerability is identified,the amount of time for threat actors to identify and target companies with such vulnerabilities in their systems
116、is becoming shorter.Recent developments emphasize that cybersecurity should be always higher on the agenda of the leadership of organizations.Satya Staes PoletPartnerIn 2024,ransomware demands and payments have continued to climb,reflecting the ongoing evolution and aggressiveness of cybercriminals
117、tactics.The first half of 2024 saw ransomware attacks increase in both frequency and scale,with the average ransom demand reaching over$1.5m in the second quarter of 2024 a 102 percent increase quarter over quarter.This increase is largely driven by the continued success of multiple-extortion scheme
118、s,where attackers not only encrypt data but also exfiltrate it,threatening to release sensitive information if ransoms are not paid.Attackers may also threaten to deploy distributed-denial-of-service attacks or threaten employees and customers of victims to apply additional pressure on companies.A g
119、roup of cybercriminals has even been known to lodge a complaint with a regulatory authority to denounce the failure of the company that suffered the data breach to disclose it as required by law,thereby using the law as a means of exerting pressure.The emergence of new groups and ransomware variants
120、 of cyberattacks,including rebranded ransomware groups,has also contributed to the record-breaking number of incidents and payments.Despite ongoing law enforcement efforts,the overall threat continues to grow,with 2024 potentially becoming the worst year on record for ransomware payments.Beyond rans
121、omware attacks,supply chain attacks continue to be a significant issue.Companies rely on third-party vendors,which provide systems and services critical to those companies.CHAPTER 3 A new wave of cyber threats is here19CHAPTER 3 A new wave of cyber threats is hereIf a cyber incident affects individu
122、als in several European Economic Area(EEA)countries,global companies engaged in cross-border data processing can often benefit from the so-called one-stop-shop mechanism.This allows them to deal with a single lead supervisory authority,for example when reporting a global data breach.Recently,the EDP
123、B has clarified that under the EUs GDPR,a legal entity which is the place of central administration of a group in the EEA can be considered as a main establishment only if it:takes the decisions on the purposes and means of the processing of personal data in the EEA;and has the power to implement th
124、ese decisions.In the UK,the trend is also for increasing cyber security regulation.The new government plans to introduce a new Cyber Security and Resilience Bill,which it says,will strengthen the UKs cyber defences,ensure that critical infrastructure and the digital services that companies rely on a
125、re secure.The announcement comes after a number of recent high-profile cyberattacks in the UK including on the National Health Service,Transport for London,the Ministry of Defence and the Royal Mail.While the details of the Bill remain to be seen,according to government briefing notes,the Bill will
126、update the UKs current Network and Information Security(NIS)Regulations 2018,including by:expanding their remit to protect more digital services and supply chains,beyond the essential services and digital service providers that are regulated by the current Regulations;giving greater powers to regula
127、tors to proactively investigate potential vulnerabilities,and ensuring they are better funded;and mandating increased incident reporting to give the government better data on cyberattacks,including specifically ransomware attacks.The Bill follows the entry into effect of the UKs Product Security and
128、 Telecommunications Infrastructure(Security Requirements for Relevant Connectable Products)Regulations 2023,which mandates baseline security requirements for manufacturers of consumer connectable products.The dwell time that threat actors are in a companys systems is also decreasing,as AI allows thr
129、eat actors to identify data that appears to be valuable more efficiently and thus extract that data more quickly.As generative AI decreases attackers dwell time,its increasingly important to be prepared.Megan KayoPartnerConversely,AI can also help protect companies.AI can help identify and quarantin
130、e suspicious emails that may be phishing campaigns.Additionally,AI can detect vulnerabilities as well as malicious or anomalous activity within a companys systems sooner.While AI tools and systems can benefit companies,cybersecurity plays a crucial role in ensuring that AI systems are resilient to a
131、ttempts by malicious third parties to alter the systems behavior,performance or security properties by exploiting the systems vulnerabilities.Cyberattacks against AI systems can exploit AI-specific assets,such as training data sets or trained models,but also vulnerabilities in the AI systems(underly
132、ing)digital assets or the underlying ICT infrastructure.To address these risks,the EU AI Act requires certain high-risk AI systems to meet a specific cybersecurity standard.New regulations on incident responseThe EU Digital Strategy comprises several regulations on cyber strategy(eg the Cyber Resili
133、ence Act,the latest Network and Information Security directive(NIS2)and Digital Operational Resilience Act(DORA).For specific sectors,they impose various obligations including registration obligations,specific governance measures,obligations to take technical,operational and organizational measures
134、to manage security risks and specific reporting obligations for significant incidents.Companies in scope of NIS2 must make such reports within 24 hours.20CHAPTER 3 A new wave of cyber threats is hereAdditionally,the US Federal Trade Commission(FTC)finalized updates to its Health Breach Notification
135、Rule to expand the definition of breach to include unauthorized disclosures of information and to apply to additional health and wellness apps and technologies,such as apps that track fitness,fertility,sleep or diet.The FTC also amended its Safeguards Rule to incorporate reporting obligations for da
136、ta breaches and other security events.Fining guidance and damage claimsIn recent months,the Court of Justice of the European Union(CJEU)has dealt extensively with claims for damages under Article 82 of the GDPR in connection with data breaches.In this context,the CJEU clarified that:data breaches do
137、 not lead to an irrebuttable presumption of inadequacy of security measures;claims for damages require the existence of(material or immaterial)damage,which is a separate requirement from breach of the GDPR;inconsequential losses of control over personal data do not constitute damage.However,non-mate
138、rial damages can arise if a data subject fears that their personal data could be misused by third parties as a result of the breach;and while the term damage does not provide for a certain threshold,there are two significant restrictions that in practice will impede compensation for fears as non-mat
139、erial damage:(i)fear may,but need not,constitute damage;and (ii)the burden of proof to show that the fear can be considered well-founded falls on the claimant.In the UK,the Information Commissioners Office(ICO)has published new fining guidance on how it will exercise its fining powers for breaches o
140、f the UK GDPR.The guidance replaces the sections concerning penalty notices in the ICOs Regulatory Action Policy,which was published in November 2018.While much of the guidance reflects existing practice,it includes certain clarifications relevant to UK GDPR breaches,including:In the US,the adoption
141、 by Securities and Exchange Commission(SEC)of new cybersecurity disclosure rules marks a significant shift in how public companies must manage and report cybersecurity risks.US domestic issuers are required to disclose material cybersecurity incidents within four business days of determining a cyber
142、security incident to be material(and foreign private issuers must do so promptly in certain circumstances)and provide annual disclosures on their cybersecurity risk management,strategy and governance.To ensure clarity and consistency in reporting and avoid confusion in the marketplace,the SEC clarif
143、ied that domestic issuers should only report material cybersecurity incidents under Item 1.05 of Form 8-K,and all others under other sections,such as Item 8.01.US domestic issuers must:ensure a process is in place to escalate and carefully assess the materiality of cybersecurity incidents,considerin
144、g both quantitative and qualitative factors,such as potential reputational harm and the likelihood of regulatory scrutiny;and incorporate the new disclosure requirements into their overall risk management strategies,ensuring that they meet regulatory obligations and effectively mitigate potential ri
145、sks associated with cybersecurity threats.Companies are closely monitoring the SECs evolving cybersecurity regulations,paying particular attention to emerging enforcement trends and their impact on risk management and compliance.Brock DahlPartner21CHAPTER 3 A new wave of cyber threats is here the IC
146、O will adopt a five-step approach when calculating any fines,which involves:(i)assessing the infringements seriousness;(ii)ascertaining the organizations turnover;(iii)determining a starting point for the fine having regard to seriousness and turnover;(iv)adjusting the amount for any aggravating and
147、 mitigating factors;and(v)calibrating the fine to ensure it is effective,proportionate and dissuasive;in addition to special category data and criminal convictions data,the ICO may consider affected location data,private communications,passport or driving license details and financial data to be sen
148、sitive when assessing the seriousness of the infringement,on the basis that these are likely to cause damage or distress to data subjects;and among other factors,the ICO may consider the extent to which the organization cooperated with the regulator as an aggravating or mitigating factor.Cooperation
149、 that enables the investigation to be concluded significantly more quickly or effectively,or that significantly limits the resulting harms to data subjects may be considered a mitigating factor,although simply performing the legal duty of cooperating with the ICO(for example by responding to request
150、s for information and attending meetings)will be viewed neutrally.On the other hand,persistent and repeated behavior that delays an investigation including failures to meet deadlines without a reasonable excuse may be an aggravating factor.The good news is that theres often lots that organizations a
151、nd their legal advisers can do both before and immediately after a cyberattack to mitigate the harm caused.Rhodri ThomasPartnerLooking aheadCybersecurity regulations are tightening,and penalties for non-compliance are on the rise.As cybercriminals become more sophisticated in their use of AI,the nee
152、d for companies to continually update and bolster their cybersecurity strategies has never been more urgent.Staying ahead in this rapidly changing environment requires vigilance and adaptability.A strong,proactive cybersecurity strategy can make all the difference,helping you stay ahead of threats a
153、nd minimize damage if a cyberattack occurs.224.New global regulations are changing our digital operations23The new frontier of internet regulationDigital intermediaries have long been subject to general laws and an assortment of targeted obligations.However,the EU Digital Services Act and the UK Onl
154、ine Safety Act reflect first attempts at the comprehensive regulation of online harm,as well as various other perceived risks and challenges arising from digital intermediaries related to transparency and accountability.They come at a time when lawmakers and regulators are also keenly focused on com
155、petition and consumer issues in digital ecosystems,with reforms such as the EU Digital Markets Act and UK Digital Markets,Competition and Consumers Act imposing parallel obligations on so-called digital gatekeepers.CHAPTER 4 New global regulations are changing our digital operationsIn briefOver the
156、past year,a global push to regulate the safety,accountability,and transparency of online services have begun to crystalize.In late 2023,the EU Digital Services Act came into force alongside the passage of the UK Online Safety Act,signaling a significant shift in how digital intermediaries are regula
157、ted.While the US has yet to pass federal legislation,both state and federal regulators invoking concerns about privacy and consumer rights and state lawmakers focusing on childrens safety,have worked to address the gap.Beyond the EU,UK,and US,laws like the Australian Online Safety Act are contributi
158、ng to an expanding landscape of digital regulation.The full impact both intended and unintended of these developments will unfold over the coming years.Richard BirdHong KongJanet KimWashington,DCLaura KnokeHamburg/BerlinRixa KuhmannHamburgSean QuinnWashington,DCTristan LockwoodLondonLutz RiedeVienna
159、/Dsseldorf Christina Mllnitz-DimickMunichGernot FritzViennaRachael AnnearLondon24Adopting the lexicon of Australias 2021 Online Safety Act an early,industry-led framework passed by federal lawmakers in Australia many jurisdictions are increasingly framing the issue of digital risk as a question of o
160、nline safety,especially that of children.In the US,the Kids Online Safety Act a sweeping Bill passed by the Senate that would impose a duty of care on covered platforms,along with various safeguarding,disclosure and transparency requirements reflects mounting bipartisan efforts at a federal level to
161、 regulate in this space.Despite uncertainty as to whether it has the necessary traction to pass the House,the law signals the intent with which many lawmakers are confronting the issue.The debate over online safety is just beginning;emerging technologies and processes that are being developed now ma
162、y well fundamentally change our expectations of the way we participate in life online.Rachael AnnearPartnerCHAPTER 4 New global regulations are changing our digital operationsExtra-territorial scopeYesYesYesIn forceYes requirements coming into force on a rolling basis until 2026Yes all provisions in
163、 forceYes requirements coming into force on a rolling basis Key topicsChild safety,illegal content,adult user empowerment,fraudulent advertisingIllegal content,societal risk,digital traders Child safety and illegal contentServices subject to the most extensive obligations Categorized services that m
164、eet both UK monthly active user and functionality thresholdsVery large online platforms and very large online search engines (45 million monthly active EU users)Social media,electronic messaging,search engines,app distributionRegulatorOfcom European Commission and Member State enforcement agencies e
165、Safety Commissioner Fines18m or 10%of global annual revenue6%of the worldwide annual turnoverUp to AU$782,500(2024)UK Online Safety ActEU Digital Services ActAustralia Online Safety Act25CHAPTER 4 New global regulations are changing our digital operationsA free speech challenge has also halted the e
166、nforcement of the California Age-Appropriate Design Code Act ahead of its July 2024 effective date.The law,which is modelled on the UKs Age-Appropriate Design Code,requires businesses to prioritize childrens privacy and protection when designing digital products or services likely to be accessed by
167、under-18s.Despite constitutional uncertainty surrounding age-gating and age-appropriate design requirements in the US,such laws are gaining traction elsewhere.The UK Online Safety Act and draft Codes of Practice issued by the online safety regulator,Ofcom,seek to impose potentially sweeping requirem
168、ents to enforce highly effective age assurance to prevent children accessing pornographic and other harmful content.Jurisdictions elsewhere in the world are looking to the UKs design-focused Age Appropriate Design Code as a model.For example,the Singaporean privacy regulator this year adopted Adviso
169、ry Guidelines for Childrens Personal Data that mirror many of its requirements.Likewise,the EU Digital Services Act requires online platforms to introduce measures to ensure a high level of privacy,safety and security of minors,with the European Commission planning to issue detailed guidelines outli
170、ning specific expectations in 2025.The EU Digital Services Act was a watershed moment.But with a broad interpretation of risk assessment and mitigation requirements,proactive enforcement and codes of practice and guidelines in the pipeline,its full implications remain to be seen.Lutz RiedePartner Lo
171、oking forward,the debate around the costs and benefits of such laws,especially how they may impact the free speech and other interests of adult users,looks set to intensify.While the US debates the merits and constitutionality of laws seeking to improve online safety,accountability and transparency,
172、the UK,EU and various other jurisdictions have moved forward with robust reforms that may ultimately drive global standards.Tristan LockwoodSenior AssociateAge-gating and age-appropriate designUS state lawmakers have been more successful in passing various narrower online safety reforms,with an incr
173、easing number of states adopting laws requiring age verification to access online pornography and requiring age verification and parental consent for minors to access social media.However,constitutional challenges have halted the enforcement of many such laws.In July 2024,the US Supreme Court decide
174、d to hear a challenge to a Texas law requiring age verification to access online pornography,potentially set to bring some certainty to the future of such requirements in 2025.The prospect of US federal online safety legislation,a growing number of state initiatives and mounting state and federal en
175、forcement actions make for an uncertain compliance landscape in the US.Janet KimPartner 26CHAPTER 4 New global regulations are changing our digital operationsTransparencyA common thread in the legislative efforts canvassed above are increasing requirements to provide user transparency around content
176、 moderation rules and outcomes,along with the operation of recommender systems on platforms.In various jurisdictions around the world,a lack of transparency is also increasingly being used as a hook by regulators and private litigants in privacy and consumer cases targeting online platforms.In the U
177、S,the concept of dark patterns has been formalized in several state consumer privacy laws,including prohibitions on the use of dark patterns to obtain consent.Additionally,the Federal Trade Commission has continued to express its keen interest in dark patterns through several actions,public workshop
178、s and a staff report titled Bringing Dark Patterns to Light,which argues that dark patterns are an unfair or deceptive business practice that may be subject to enforcement action.This emphasis on transparency is also apparent in the EUs AI Act,which imposes transparency obligations aimed at enabling
179、 users to understand that they are interacting with an AI system and to detect synthetically generated content and deepfakes,and deployers to understand the AI systems design and be informed of their use.This allows accountability for AI-based decisions made by companies and public authorities and e
180、nsures additional risk management and transparency of training data for very capable and impactful AI models.Mounting transparency expectations are also apparent in more traditional contexts,such as the enforcement of privacy laws,with many privacy regulators emphasizing the importance of transparen
181、cy when issuing guidance on the development and deployment on AI systems.Looking aheadAs we move forward,we anticipate that more jurisdictions will introduce laws aimed at enhancing the safety,accountability,and transparency of digital intermediaries.As these regulations evolve,we expect regulators
182、to:Leverage new laws to tackle perceived risks and address control deficiencies.Utilize transparency mechanisms to bridge the information gaps between digital service providers and consumers.Focus on service providers that fail to adhere to their terms of service and public statements,particularly r
183、egarding content moderation.With this shifting regulatory landscape,its essential for providers to consider any structural changes necessary to ensure that their product development,launch,and monitoring processes,along with compliance design and assurance frameworks,are robust and fit for purpose i
184、n the medium and long term.275.Tougher enforcement is reshaping data and privacy compliance28Increased regulatory focus on AI As AI becomes ever more ubiquitous and powerful,regulators are rushing to manage and mitigate this potentially high-risk technology.Typically,this means relying on privacy la
185、ws,including the EU and UK GDPR,where the data processing includes personal data,but consumer protection legislation and antitrust laws are also being used to put guardrails around AI.Examples of regulatory action in 2024 include:Some regulators,including several EU data protection authorities(DPAs)
186、,are actively investigating AI companies for alleged breaches of the EU GDPR.The Italian DPA issued OpenAI with a formal notice for violations of provisions of the EU GDPR,having originally banned the use of ChatGPT in Italy until OpenAI complied with a set of interim measures.CHAPTER 5Tougher enfor
187、cement is reshaping data and privacy compliance In briefThe spotlight on AI risks is intensifying,and with it comes a surge in data-related regulatory enforcement worldwide.Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment
188、.In some regions,this includes calls for restrictions on AI-related processing.For organizations developing AI,its important to integrate compliance and risk management measures throughout the process.At the same time,attention should remain on existing enforcement risks around cyber issues,privacy
189、practices,and consumer and competition laws.Robert BartonNew YorkDavide BorelliMilanNina FrantWashington,DCDaniel GoldLondonMark EgelerAmsterdamTim HowardNew YorkJoseph MasonLondonSam KloosterboerAmsterdamGiles PrattLondonRachael AnnearLondonRichard BirdHong KongCat Greenwood-SmithLondon 29 In the U
190、K,the Information Commissioners Office(ICO)has been investigating Snaps My AI chatbot but,in July 2024,agreed to close its investigation on the basis that Snap appropriately remedied its alleged breaches of the UK GDPR.However,the ICO noted that its investigation had led to Snap conducting a more th
191、orough review of potential risks posed by the chatbot.Some regulators,such as the South Korean Personal Information Protection Commission(PIPC)and the UKs ICO,are aiming to mitigate AI risks through updating existing guidance and regulatory innovation.The ICO launched a consultation series in the fi
192、rst half of 2024 on the intersection of data protection and generative AI,focused on topics such as purpose limitation in the generative AI lifecycle,the accuracy of training data and model outputs and the allocation of controllership.We expect to see updates to ICO guidance in 2025 as a result.Sout
193、h Koreas PIPC has emphasized regulatory sandboxes and introduced a Prior Adequacy Review Mechanism,where it will work together with startups developing innovative AI models or services to ensure that sufficient privacy and data protection measures are embedded in the design of AI systems.Data privac
194、y regulators across the world are focused on AI.Businesses need to ensure that they are developing and deploying AI systems compliantly including,where appropriate,engaging closely with regulators as they do so.Giles PrattPartner In the US,the Federal Trade Commission(FTC)has increasingly brought in
195、vestigations and enforcement actions related to AI.In July 2023,the FTC issued a civil investigative demand(CID)to OpenAI covering a range of topics,including public disclosures about AI products,the data it used to train its models and measures taken to mitigate potential risks including false stat
196、ements about individuals.This follows a settlement with Rite Aide related to the companys use of AI-based facial recognition technology.In addition,the agency recently announced a sweep of enforcement actions concerning AI-related misrepresentations.More CIDs can be expected to be issued in AI inves
197、tigations,given the FTCs November 2023 approval of a resolution making it easier for officials to issue CIDs.The Italian DPAs bold stance against OpenAI reflects the global shift toward stricter AI regulation.AI growth must be matched by strong commitments to data protection and regulatory engagemen
198、t.Davide BorelliCounselLooking ahead to 2025,we expect privacy regulators to continue their focus on AI.In the US,the FTC should be expected to ramp up its rigorous scrutiny of AI products and businesses.The FTC has publicly stated its interest in enforcement relating to advertising claims,AI produc
199、t misuse to perpetuate fraud and scams,competition concerns and copyright/IP concerns with regards to training AI models and data privacy.The FTCs interest in investigating competition concerns has already resulted in the issuance of orders to five companies requiring them to provide information abo
200、ut recent investments and partnerships involving generative AI companies and cloud service providers.The agency has also announced an investigation into surveillance pricing,the practice of categorizing individuals using their personal information to set pricing targets for goods or services using A
201、I technology.CHAPTER 5 Tougher enforcement is reshaping data and privacy compliance30CHAPTER 5 Tougher enforcement is reshaping data and privacy complianceeffective cooperation.This partly reflects the realization that data processing is an increasingly cross-border activity,and that greater collabo
202、ration between DPAs is therefore necessary.The EU is taking the following steps to improve data regulation across the EU:Updates to the one-stop-shop mechanism(OSS):Despite being a cornerstone of the EUs GDPR,the OSS mechanism has not fully met expectations,with delays in enforcement arising when th
203、e lead DPA was unable to reach a consensus with other DPAs.The European Commission has proposed a Regulation containing new procedural rules which aim to further harmonize enforcement and improve the efficiency of cross-border cases.The regulation is currently still in the legislative pipeline.The E
DPB and the European Data Protection Supervisor (EDPS) jointly issued an Opinion on this proposal, welcoming many aspects aimed at improving the handling of cross-border claims. In a recent Opinion, the EDPB clarified that, in relation to the OSS: a controller's central administration can only be considered its main establishment if it makes and implements the decisions on the purposes and means of the processing of personal data; and the OSS mechanism is applicable only if one of the controller's EU establishments makes and implements those decisions; without such an establishment, the OSS cannot be applied.

There is increased use of the regulatory toolbox by EU DPAs and an increase in the amount and height of fines (following implementation of EDPB Guidelines on the calculation of fines). In 2023 alone, DPAs collectively imposed an amount of over €1.97bn across 1,690 fines. This trend is continuing in 2024 (eg a recent €290m fine for Uber by the Dutch DPA), while regulators are increasingly using other regulatory powers such as enforcement orders. Specific focus areas of EU DPAs include the use of tracking cookies (and ePrivacy in general), data trading (brokers), shadow banning and similar technologies, and the use of biometric data including facial recognition.

Similarly, US regulators have interpreted their existing investigative authority in novel ways to allow them to address new data privacy issues. The US Department of Justice (DOJ) continues to bring actions under its Civil Cyber-Fraud Initiative against federal contractors that fail to implement appropriate security controls required by government contracts, including one recent settlement of over $10m against consulting companies associated with New York State's implementation of federal COVID-19 Emergency Rental Assistance programs. The US Securities and Exchange Commission (SEC) has had mixed success in attempting to broaden an existing rule that requires companies to maintain sufficient accounting controls to apply in the data privacy and cybersecurity context. The agency recently secured a settlement of over $2m in part on the basis of this broader interpretation of the rule. But just one month later, a court dismissed similar claims in a separate lawsuit, holding that the rule did not provide the SEC with authority to regulate data privacy and security. The FTC continues to investigate and (in coordination with the DOJ) sue for alleged infractions of federal law protecting children's digital privacy. In August 2024, following an investigation, the DOJ sued TikTok and affiliates for allegedly failing to obtain parental consent before collecting children's personal information, in violation of a federal statute.

While the UK's ICO is continuing to take regulatory action for alleged data privacy infringements, it has suffered several recent adverse decisions. In October 2023, Clearview AI successfully appealed against the ICO's £7.55m fine and processing ban, with the court holding that the processing of UK data subjects' photos by non-UK/EU criminal law enforcement and national security agencies was outside the material scope of both the EU and UK GDPRs. In April 2024, a second instance court dismissed the ICO's appeal against the first instance court's 2023 judgment, which largely overturned the ICO's 2020 enforcement action against Experian regarding its processing of user data for its marketing services. In August 2024, the UK Government announced a proposed uplift to the annual data protection fees by 37 percent, in what could be seen as a recognition that the ICO may need additional resources to take as much regulatory action as it might wish.

Data litigation continues to develop
In addition to regulatory enforcement in the EU, there is an increase in private enforcement through class action litigation as EU case law on material and non-material damages further develops. In the UK, opt-out mass claims alleging infringements of the UK GDPR have become much harder to bring since the Supreme Court's 2021 judgment in Lloyd v Google. However, case law in this area is still embryonic and several funders and plaintiffs are testing this, including by using alternative collective redress mechanisms, such as the opt-in Group Litigation Order and the antitrust-specific Collective Proceedings model. Plaintiffs in the US continue to bring class action claims arising from data breaches. Questions remain about whether such claims give rise to standing to sue in federal court under recent US Supreme Court jurisprudence, but companies may face pressure to settle such claims rather than prolong litigation by disputing plaintiffs' alleged injuries or damages. Earlier this year, Cash App and its parent company reached a $15m class settlement arising from data breaches that took place in 2021 and 2023, exposing customers' personal information.

"As many companies increasingly become AI companies, they will need to ensure that they are developing and deploying AI systems safely and effectively."
Joseph Mason, Associate

In the UK and EU, we expect ongoing focus on AI products and services, particularly those deemed to be higher risk, and companies should expect a robust approach from regulators if they suspect infringements of EU or UK GDPR. It remains to be seen how plans to reform UK data laws announced by the newly-elected UK government will impact data protection regulation as it relates to AI.

"Working out how to approach AI enforcement is fast becoming a global priority, reflecting a collective commitment to harnessing the power of AI responsibly."
Rachael Annear, Partner

Novel regulatory approaches to match new challenges
In the EU, there is increased regulatory focus on consistent enforcement of GDPR by DPAs in cross-border cases. Following its 2024-27 strategy, the European Data Protection Board (EDPB) aims to reinforce a common enforcement culture and

Looking ahead
As we look to 2025 and beyond, companies should brace for an intensified regulatory focus on data enforcement, particularly concerning the development and deployment of AI systems. Regulators have shown a readiness to take strong actions against suspected privacy law violations, including halting the launch of AI solutions or pausing ongoing AI development. However, these regulatory measures also serve as valuable guidance for safe and effective AI deployment. To navigate this landscape, companies should:
- Ensure they maintain comprehensive documentation, including detailed data protection impact assessments for high-risk processing.
- Stay informed about the latest guidance from DPAs, such as the UK's ICO and the EU's EDPB.
- Prioritize the integration of privacy protections into their AI systems from the outset of the development process.

Beyond AI, changes to the EU GDPR's OSS mechanism are likely to facilitate more enforcement of cross-border
processing within the EU. We also anticipate an uptick in global enforcement actions related to alleged breaches of privacy, cybersecurity, and consumer protection laws.

CHAPTER 6
US state consumer privacy laws are expanding

In brief
Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation. While these new state laws share some commonalities, their unique obligations contribute to a complex compliance landscape. Furthermore, certain states are also introducing specialized privacy laws, such as those focused on consumer health data. In this chapter, we explore the current status of US state consumer privacy laws, highlight key areas of alignment and divergence, and offer predictions regarding upcoming enforcement priorities.

Christine Chong, Silicon Valley
Christine Lyon, Silicon Valley

Current status of state consumer privacy laws
California was the first state to pass a comprehensive consumer privacy law, called the California Consumer Privacy Act (CCPA), in 2018. Since then, other states started to pass their own laws and the first half of 2024 saw a surge of states passing these laws; at one point, a new state law seemed to pass weekly. These state consumer privacy laws are either in effect or shortly coming into effect through 2026.

As of the end of August 2024, 20 states had passed consumer privacy laws, and two further states had passed consumer health data laws. Notably, these laws have gained support on both sides of the political aisle, from both Democrat and Republican legislators. The chart below shows the degree of bipartisan support for these privacy laws, reflecting, in blue, the states with consumer privacy laws with Democratic-party affiliated governors, and red for states with Republican-party affiliated governors.

[Map: Consumer Privacy Laws, laws passed as of August 31, 2024. State consumer privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia. Consumer health data-specific laws: Nevada (Act Relating to Data Privacy), Washington (My Health My Data Act). Key: blue for Democratic governors, red for Republican governors.]

While there initially appeared to be momentum in Congress toward a federal privacy bill, including for the American Privacy Rights Act of 2024 (APRA) being deliberated in this 118th Congress, support for the APRA has appeared to cool and commentators now think it's unlikely that the APRA will pass in its current form in this legislative session.

"We have reached a turning point in US privacy regulation, and there is no going back: the future involves greater regulation and protection for consumers."
Christine Lyon, Partner

This means that, for the foreseeable future, the state-level privacy laws are here to stay. Notoriously, the US has 50 different state data breach laws, and in principle, we could potentially end up with 50 different state consumer privacy laws as well.

Where do the laws align or differ?
The state consumer privacy laws share many core elements, including requirements related to: notice (eg additional detailed notices required in certain states); consumer rights (eg access, correction and deletion rights, as well as rights to limit processing of sensitive personal information and to opt out of certain activities, such as sale or sharing/use of personal information for targeted advertising); oversight of service providers/processors; and governance and accountability (eg data protection assessments, training and record-keeping). While the state consumer privacy laws have started aligning in certain areas, none of these laws are exact duplicates, and the detailed requirements vary from state to state. Below, we highlight a few of the key areas where the laws differ more fundamentally in approach.

Applicability Thresholds
The laws generally apply to companies that conduct business in that state or produce goods or services that are targeted to residents of that state and meet certain thresholds, such as the number of consumers whose personal information they process each year and the level of revenue (if any) they derive from sale of personal information. For example, the Virginia Consumer Data Protection Act (the Virginia law) applies to businesses that produce products or services that are targeted to Virginia residents and (i) during a calendar year, control or process personal information of at least 100,000 consumers, or (ii) control or process personal information of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal information. In contrast, other laws apply only to companies that reach an annual revenue threshold (such as the CCPA) or exclude small businesses as defined by the US Small Business Administration. These laws also may apply to varying degrees to non-profit organizations.

Scope of Covered Individuals
Most of the laws apply only to consumers acting in an individual or household context and exclude individuals acting in an employment or professional/B2B context. However, the CCPA applies to all California residents, including those acting in an employment or professional/B2B context.

Sensitive Data: Opt-in versus Opt-out; Health Data
The laws provide heightened protections for a wide range of data defined as sensitive under these laws, such as: government issued identification numbers (eg Social Security Number); precise geolocation; data revealing racial or ethnic origin; genetic or biometric information; and personal information concerning a known child. Certain laws include additional types of data as sensitive, for example, under the CCPA, sensitive personal information includes union membership, as well as the contents of a consumer's mail, email and text messages (unless the business is the intended recipient of the communication).
The Oregon Consumer Privacy Act includes a consumer's status as transgender or nonbinary, or status as a victim of crime, as sensitive data. While some may assume that California's CCPA has the highest requirements among the state privacy laws, the CCPA takes a less restrictive approach to sensitive data than many of the later state consumer privacy laws: the CCPA requires businesses to allow California residents to limit the processing of their sensitive personal information (similar to an opt-out approach), while many of the other state consumer privacy laws require businesses to obtain opt-in consent to process a consumer's sensitive personal information. New health data laws have novel requirements for consumer health data, with distinct notice and consent requirements. For example, the Washington My Health My Data Act requires that businesses provide a separate and distinct link to a Consumer Health Privacy Policy that may not contain additional information not required under the law.

Sale of Personal Information; Use for Targeted Advertising
The laws give consumers varying rights to opt out of the sale of their personal information, and to opt out of the use of their personal information for targeted advertising. California's CCPA obligations are particularly broad-reaching and administratively burdensome, given the CCPA's expansive definition of "sale" and requirement to include a specific "do not sell or share my personal information" link if a company engages in covered sales or sharing. Differing definitions of "sale" among these laws also can complicate attempts to take a cohesive approach across states.

Governance
The laws generally require that businesses conduct a data protection assessment for processing activities that present a heightened risk of harm to a consumer. The Minnesota Consumer Data Privacy Act goes further and requires that companies maintain an inventory of personal information, and separately document and maintain a description of policies and procedures to comply with the law, including, where applicable, the name and contact information for the chief privacy officer or other individual with primary responsibility. California's CCPA also includes training requirements for personnel handling privacy-related inquiries or requests.

Predictions on enforcement priorities
State attorneys general and regulatory agencies can initiate investigations and enforcement actions against both controllers and processors. For example, the CCPA regulations provide that the California Privacy Protection Agency (CPPA) may audit a business, service provider, contractor or person, and that the audit may be announced or unannounced as determined by the CPPA. The Virginia law also explicitly states that the Attorney General has authority to enforce the provisions of the law on controllers and processors.

"Regulators, including attorneys general and privacy enforcement agencies, have newfound powers under these state consumer privacy laws and they are prepared to exercise those powers."
Christine Chong, Associate

As the state privacy laws are relatively new, we focus on predictions, including based on past actions from enforcement activities and guidance on the oldest of the state privacy laws.

2025 will come with more enforcement actions and continued sweeps. State attorneys general and regulators have initiated investigative sweeps of certain industries under these laws, in which the regulator sends information requests to companies and may initiate further investigations based on their responses. Examples include California's CPPA launching investigative sweeps with letters to businesses with popular streaming apps and devices, as well as on topics such as employers and HR-related data, mobile applications and loyalty programs. In July 2023, the CPPA initiated an inquiry into privacy practices of connected vehicles and related technologies, which is understood to be ongoing.

2025 enforcement actions will focus on processing of sensitive data. Colorado has announced an investigative sweep focused on collection and use of sensitive data, including on the requirements to obtain consent prior to collecting sensitive data, and allow consumers to opt out of targeted advertising and profiling. Additionally, the Texas Attorney General launched a major data privacy and security initiative earlier this summer to establish a team that is focused on aggressive enforcement of Texas privacy laws. The statement noted that the data privacy enforcement team will focus on several privacy laws to protect Texans' sensitive data.

2025 enforcement actions will be responsive to consumer complaints. State attorneys general and regulators have emphasized that they are listening
to consumer complaints and taking action informed by these complaints. For example, the CPPA has detailed its process to review and evaluate every complaint that it receives, and over 2,000 consumer complaints were received from July 6, 2023 to June 30, 2024. The California Attorney General also noted that one of its major recent CCPA actions arose in part from a consumer's complaint on social media about the company's processing of their personal information. The volume of complaints will likely increase over time, as a number of the state consumer privacy laws now require a business to provide the consumer with a mechanism or information through which the consumer may contact the Attorney General to submit a complaint if the business has denied the consumer's request even in part.

Looking ahead
As the number of US state consumer privacy laws continues to grow, it's crucial for companies to take proactive steps to navigate this evolving landscape. Here are three key actions to consider:

1. Develop a Compliance Strategy: Collaborate with your business teams to create a comprehensive approach for complying with state privacy laws. With new legislation emerging regularly, having a robust privacy compliance strategy will help you establish sustainable policies and procedures.

2. Review Consumer Rights Mechanisms: Take a close look at the rights mechanisms available to consumers. This includes evaluating the methods you have in place and ensuring you're ready to respond effectively. Keep in mind: this area is under high scrutiny, with significant volumes of complaints reported by the CPPA. Consumer rights mechanisms are highly visible to regulators, making it easy for them to spot potential deficiencies (for example, companies receiving CCPA notices of violation for failing to include a "Do Not Sell or Share My Personal Information" link on their sites). Prioritizing these mechanisms is essential, as they are a focal point of US state privacy laws and play a crucial role in building customer trust.

3. Educate and Engage Your Team: Share updates on new privacy laws and provide training for employees on how to handle data subject requests and the importance of compliance. Keeping your team informed and engaged is vital for fostering a culture of privacy within your organization.

CHAPTER 7
Asia's privacy laws are maturing

In brief
In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws. Additionally, Australia has announced the first phase of a comprehensive reform of its Privacy Act after a thorough government review.

Harshavardhan Ganesan, Singapore
Richard Bird, Hong Kong
Fan Li, Shanghai

Examples of Asia-Pacific data privacy developments
1. Extensive amendments to South Korea's Personal Information Protection Act in 2023.
2. China: Cyber Security Law, Personal Information Protection Law, Data Security Law.
3. Digital Personal Data Protection Act in India passed in August 2023. Not yet in force.
4. Limited amendments to Malaysia's Personal Data Protection Act pending.
5. Sri Lanka's Personal Data Protection Act enacted March 2022.
6. Amendments to the Act on Protection of Personal Information in Japan effective April 1, 2022.
7. Personal Data Protection Law in force January 1, 2026 in Vietnam (Decree 13 in force).
8. Multiple data protection guidelines have been issued to supplement the Personal Data Protection Act in Thailand, which became fully effective on June 1, 2022.
9. New Personal Data Protection Law introduced in Indonesia with a two-year transition period ending in October 2024.
10. Major overhaul of privacy law in Australia underway following the Attorney-General's report.

Common themes in Asian privacy laws
Consent remains the primary legal basis for processing personal data in China, India and Vietnam. In addition, Australia, China, Malaysia, Philippines, Taiwan and Thailand all require consent for the collection of sensitive personal data (and this will require a separate reputational assessment to be made under Vietnam's new Personal Data Protection Law). Deemed consent is also a permitted legal basis in Singapore (subject to certain constraints), and to a more limited degree in India as well. Indonesia, the Philippines, Singapore and Thailand permit data processing based on an organization's legitimate interests. China, Indonesia, Korea, Malaysia, the Philippines, Singapore, Taiwan and Thailand allow processing where necessary for the performance of a contract with the data subject. Clarification is needed whether Vietnam will also allow processing on this basis under the new law, in particular for online services. Neither legal basis is available for the processing of sensitive personal data in those countries that require consent.

While South Korea also permits processing based on legitimate interests, the GDPR standard (and that adopted elsewhere in Asia) is flipped by instead requiring that the organization's legitimate interests clearly override an individual's rights in order for this legal basis to be relied upon. GDPR-style data subject rights have been widely adopted across Asia, particularly the rights to access and rectification, erasure and cessation of processing. The right to object to automated processing (China, Indonesia, Philippines and Vietnam (pending)) and the rights of data portability are less well cemented at this point in time. Only China, the Philippines and South Korea grant both (the portability right is not yet in force in Korea). Singapore and Malaysia have also recently extended their data subject rights to include a right of portability, although neither amendment is in effect yet. Privacy impact assessments are either required or recommended in many Asian countries, although the specific triggers for these assessments vary. Mandatory breach reporting obligations are the norm across the region (as discussed further below), with an additional annual security incident reporting requirement in the Philippines. Reporting timelines typically follow the GDPR standard of 72 hours. Several countries require organizations to implement formal security incident management processes (eg China, Indonesia and Malaysia) as a specific organizational measure to protect personal data, and this has been proposed in Australia as well. Maximum penalties range quite considerably across the region, although with maximum penalties set as a percentage of revenue/turnover having recently been introduced in several countries (eg China, India, Indonesia and Singapore) and proposed in Australia. Overall, both maximum and awarded penalties are trending markedly upwards. Varied rules on cross-border data transfers are also increasing compliance burdens on multinational companies (see Chapter 2 for recent developments in the related rules in Asia).

"New privacy rules have been taking shape across Asia the past few years. While there is a good degree of conceptual alignment with the GDPR, no country has taken a copy and paste approach either, and in some areas there is significant departure."
Richard Bird, Partner

Yet significant divergence in Asian privacy laws, too
While Asia's privacy laws reflect a relatively high degree of general consensus in approach (as outlined above), each has its unique requirements and idiosyncrasies. These points of difference can have significant practical impacts on compliance programs. The absence of any true harmonization in the permitted legal basis for processing, and the greater reliance on consent as the primary and preferred basis for processing, creates a significant impediment by itself to organizations taking a single regional approach to privacy compliance. It is important that international companies maintain awareness of all important local requirements in those Asian jurisdictions in which they operate, given the significant penalties that attach to non-compliance in many, and the generally increasing levels of enforcement also. For example, while it was noted above that most countries in Asia have either introduced or are proposing (ie Malaysia) mandatory data breach reporting requirements, the basis for reporting may vary significantly from one jurisdiction to the next.
There are notable differences in data incident reporting thresholds across the region: harm or scale standards are often set up differently, for example, or with differing deeming criteria. In other jurisdictions, reporting requirements can be triggered depending on the nature of the incident, for example whether it involves unauthorized access from outside the organization. Specific sectoral reporting obligations may also apply. The assessment of reporting requirements for data security incidents that implicate personal data that was either collected in or relates to the residents of multiple countries/territories is made more complex still by the large amount of variability in the jurisdictional basis for the application of local law to data that is processed in another country or for purposes related to activities in another country (eg an overseas purchase or booking). Mandatory (ie standard form) contractual mechanisms for cross-border data transfers may include their own reporting obligations on either transferor or transferee (or both). These assessments also need to be made against relatively strict reporting deadlines, typically within a reporting window of 72 hours or less. The prevailing standard for reporting to privacy authorities and for notifying individuals can be different within a single jurisdiction. An early report in one country reflecting a more limited understanding of the incident available at the time may impact the reporting strategy in another country where the report is due later. Reporting may precipitate a privacy authority to start an investigation before reports have been filed in other countries. Those earlier filed reports and regulatory submissions may also be discoverable in the context of investigatory processes and court proceedings in other countries around the world. Risk calculations may therefore need to be made.

"Given the pace of change in privacy laws in Asia, international companies active in the region should make it a priority to stay updated."
Fan Li, Senior Associate

Practical implications for businesses
Given the rapid evolution of privacy laws in Asia, it is advisable for organizations to take stock of the increasing compliance burden by conducting a gap analysis and updating existing data protection notices and policies and their internal technical and organizational controls, especially if these have not been reviewed in the past few years. Many of the new or amended laws in the region also require a data protection officer (DPO) to be appointed. Conducting regular staff training will be another important measure to take to ensure that the requirements of new laws and internal policies are well understood and embedded in organizational processes.

"Whereas in the past Asia may not always have been at the forefront of companies' minds in their global privacy compliance programs, increasing fines and enforcement call for a sharpened focus on the region."
Harshavardhan Ganesan, Associate

Looking ahead
Exciting changes are on the horizon across several countries in Asia. In India, the Digital Personal Data Protection Act (DPDP) passed in August 2023 and is set to be enforced soon now that the general elections have concluded. One key aspect to watch is how the government will define "significant data fiduciaries". These organizations will face additional responsibilities, including conducting regular privacy impact assessments, undergoing external audits, and appointing a DPO who must be based in India. This DPO will report directly to the board and act as the main contact for grievance redressal under the DPDP. The government will determine which data fiduciaries are deemed significant based on factors like the volume and sensitivity of personal data processed and the associated risks. Additionally, keep an eye out for the government's forthcoming blacklist of countries where organizations won't be allowed to transfer personal data.

Malaysia's parliament approved substantial updates to the Personal Data Protection Act in July 2024. The government is also working on new rules regarding data breach reporting, DPO appointments, and the right to data portability.

Vietnam has recently announced a draft Data Law. This law takes cues from China's regulations, including stricter protections for "core" and "important" data, along with a security assessment process for data exports. A new Personal Data Protection Law is also set to take effect on January 1, 2026, reinforcing most provisions from the existing Decree 13 while adding several new requirements.

In Japan, the Act on Protection of Personal Information is under a three-year review. The Personal Information Protection Commission shared an interim summary in June 2024, hinting at proposed reforms concerning biometric and children's data. They plan to ban certain improper uses of personal data and expand individuals' rights to request the suspension of their data usage.

Australia has taken the first steps toward implementing a series of changes to its Privacy Act. The first round of amendments was introduced in mid-September 2024, and the government is expected to roll out many of the 166 reforms suggested in the Attorney-General's 2023 review of the law.

CHAPTER 8
New EU data access regulations are shaping the future

In brief
The European Commission's Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU's Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework. These new regulations are set to affect many businesses operating in the EU market. If you offer connected products in the EU (eg smart devices) or software that connects to devices being used there and that enables the devices to perform their functions (eg certain apps), the Data Act applies to you, regardless of where your organization is based. The EHDS and FIDA introduce complex obligations for various stakeholders in the health data and financial services ecosystems. We'll explore the challenges and opportunities these data access regulations present for businesses and provide practical advice to help you navigate the new compliance landscape.

Estella Dannhausen, Vienna
Enrico De Jong, Amsterdam
Daniel Klingenbrunn, New York/Frankfurt
Julia Utzerath, Düsseldorf
Davide Borelli, Milan
Mark Egeler, Amsterdam
Theresa Ehlen, Düsseldorf/Frankfurt
Gernot Fritz, Vienna
Christoph Werkmeister, Düsseldorf

What the Data Act, FIDA and EHDS have in common
The primary objective of the new data access rights under the Data Act, EHDS and FIDA is to foster the development of a unified data market in the EU. This entails making all data produced in this unified data market, whether personal or non-personal, accessible to all market participants, irrespective of their size or influence, in accordance with fair, transparent, proportionate and non-discriminatory access rules. Entities and individuals possessing data, such as data generated via connected products or digital services, will be empowered to share this data for reuse, either freely or for compensation. However, while all three laws contribute to a major shared objective, the Data Act aims to enhance data access across sectors, particularly for Internet of Things (IoT)-generated data, while the Common European Data Spaces create a framework for data sharing in key areas like health (EHDS) and finance (FIDA).

New obligations that come with the new data access rights

Data Act obligations
The Data Act, being a key pillar of the European Data Strategy, aims to create a horizontal framework for the access to, and sharing of, data generated through smart products and digital services. It also introduces new requirements for redistributing data access and use.

Data access by design
Manufacturers must ensure that connected products and digital services in relation to the connected products are designed to allow users easy and secure access to product data. Such data needs to be provided in a comprehensive, structured, commonly used and machine-readable format. Manufacturers may decide to make product/digital services data directly available, ie so that the user is able to access the data without the intervention of any other party.

Data access by request
While manufacturers must design their connected products to provide direct access to data, the Data Act recognizes this may not always be feasible. When direct access is unavailable, businesses that have lawfully obtained the data (ie data holders) must promptly make it available to users of relevant products or services upon request, at the same quality as they receive it themselves. Users of relevant products or services are prohibited from utilizing the data to create a competing product or sharing it with third parties for that purpose. They must also refrain from using the data to gain insights into the economic status, assets or production methods of the manufacturer or the data holder.

Data sharing by request
The Data Act requires businesses to share data with third parties, even competi
323、tors,if a user of a relevant product or service requests so,highlighting the EUs aim to promote a competitive digital environment.However,so-called gatekeepers are excluded from receiving such data.When both the data holder and the third party are businesses,they must establish a contract that gover
324、ns the data-sharing arrangement under fair,reasonable and non-discriminatory(FRAND)terms.The data holder may charge a non-consumer data recipient a fee for accessing data.The fee should be FRAND,possibly varying based on the datas volume,format and nature,and may include a margin.B2G data sharing In
325、 cases of exceptional need,businesses will be required to make data available to a national public sector body or an EU body.This covers data from connected products,related services and any other business data.In general,the data will have to be made available free of charge,but under certain condi
326、tions businesses are entitled to fair compensation.Right RequirementsWith the Data Act,the EU addresses the rapid growth in the use of connected products,leading to enhanced data utilization,flexibility in service selection,and new business opportunities.Gernot FritzCounsel48CHAPTER 8 New EU data ac
327、cess regulations are shaping the futureEHDS obligationsThe EHDS imposes a complex array of obligations on various actors within the health data ecosystem,including health data holders and users,and manufacturers,importers and distributors of Electronic Health Records(EHR)systems.Key requirements in
328、relation to data access rights include:Health data holders Health data holders such as hospitals,healthcare providers,public health authorities,pharmaceutical companies and research organizations will have certain responsibilities under the EHDS.Upon request,they must provide relevant electronic hea
329、lth data to designated health data access bodies,which are public sector organizations designated by each EU Member State that are responsible for the operationalization and oversight of the EHDS within their respective jurisdictions.Data holders are required to supply the requested data within a pe
330、riod not exceeding three months from the date of the request.Regardless of data permits or data requests,data holders are also required to proactively disclose to the health data access body a detailed catalogue of all the datasets they maintain.Health data users Health data users such as academic r
331、esearch institutions,public health authorities,governmental agencies,private sector entities involved in health research and innovation and non-governmental organizations focused on public health are also subject to various obligations under the EHDS.They may only access and process electronic healt
332、h data for secondary use,like research or innovation,after they have obtained data permits,data requests or data access approvals.Upon obtaining access,health data users are required to make public the results,findings or outputs derived from their secondary use of electronic health data.They must n
333、otify the relevant health data access body immediately of any significant findings or results that have the potential to impact the health of individuals whose data was included in the analysis.In addition to these specific obligations,health data users must also comply with a range of privacy and data protection requirements and cooperate with health data access bodies.ActorRequirements49CHAPTER