Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are individuals entitled to receive? Should they be given the underlying algorithm, or merely a high-level explanation, or
Data Protection Report
Data protection legal insight at the speed of technology
Latest from Data Protection Report
Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines
The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% of worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions. The guidelines published by the Commission on 4 February 2025 (the guidelines) were welcome for…
Federal government announces latest National Cyber Security Strategy
On February 6, the Government of Canada announced its latest National Cyber Security Strategy (the NCSS), detailing the federal government’s plan to help Canadian organizations prepare for and respond to the rapidly evolving and increasingly sophisticated cyber security threats of today and tomorrow.
The NCSS seeks to build off of the success of the prior…
Happy Information Governance Day
Happy February 20th and Information Governance Day! Today is an opportunity to reflect on the evolution of information governance and, more importantly, its future. In our view, information governance is in its ascendency and is only becoming more and more important to our clients.
We have been providing legal advice on information governance (IG) to…
New York changes data breach law—in December and February
New York just finished a series of adjustments to its data breach notification requirements. Effective immediately, organizations must notify impacted individuals of a data breach within 30 days of its discovery instead of “in the most expedient time possible and without unreasonable delay.” Moreover, only entities regulated by the New York Department of Financial Services…
FTC settlement requires disconnection of hardware from all no longer supported software
On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its size and complexity.” The proposed complaint requires GoDaddy to undertake a number of security measures,…
The Commission’s guidelines on AI systems – what can we infer?
The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets of obligations apply to ‘AI systems’. A tool will fall out of scope of much…
CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data
On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Opinion). The Opinion takes the view that personal data which has been pseudonymised and shared with a third-party…
US Dept of Health proposes Security Rule amendments that include new deadlines
On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.
Learn more about the proposed rule in our legal update on nortonrosefulbright.com.
Online Safety Act: Protecting Children from Harmful Content Online – Ofcom’s Guidance on Age Assurance for Part 3 Services
Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by Ofcom to be accessible by children.