Insights

In this Insight article, Marton Domokos, Partner at CMS Cameron McKenna Nabarro Olswang LLP, explores the complexities of joint controllership under the General Data Protection Regulation (GDPR), focusing on the legal intricacies and shared liabilities in data processing scenarios.

On February 5, 2024, the Personal Information Protection Commission (PIPC) released the revised 'Guidelines for Processing Pseudonymous Data' (the Guidelines). This revision addresses the limitations of the existing guidelines, which only provided processing standards for structured data. The Guidelines aim to establish pseudonymization standards for unstructured data - such as images, videos, audio, and text - which are crucial for the development of artificial intelligence (AI) technologies.

In the Guidelines, the PIPC provides methods and specific examples of pseudonymization regarding unstructured data. In addition, the PIPC explains in more detail the important points to consider for each phase of pseudonymization (pre-preparation, risk review, pseudonymization, appropriateness review, and safe management). As it is not practically possible to eliminate all the various risks that may arise in the course of AI development and use, the Guidelines also focus on post-management. Timothy Dickens, from DR & AJU LLC, explores the different scenarios discussed in the Guidelines where unstructured data was successfully pseudonymized.

On June 25, 2024, the Governor of Rhode Island transmitted House Bill 7787 and Senate Bill 2500 for the Rhode Island Data Transparency and Privacy Protection Act (collectively referred to as the RIDTPPA) without signature to become law. The RIDTPPA will enter into effect on January 1, 2026. In this Insight article, OneTrust DataGuidance breaks down the key provisions and requirements of the RIDTPPA.

Kentucky has joined the growing count of states to enact a comprehensive data privacy law. The law, passed as House Bill 15 and titled the Kentucky Consumer Data Protection Act (KCDPA), was passed by the Kentucky legislature on March 27, 2024, and signed by Governor Andy Beshear on April 4, 2024. The KCDPA comes into effect on January 1, 2026.

The requirements of the KCDPA should look familiar to those who have tracked other US state comprehensive privacy laws. This is no accident: Kentucky legislators stated during the legislative process that the KCDPA was modeled after neighboring Virginia's comprehensive privacy law. In this Insight article, Jonathan Ende, Partner at McDermott Will & Emery, examines the KCDPA and its key requirements.

In this Insight article, Albert Yuen and Jasmine Yung, from Linklaters, discuss the increasing pace of regulatory developments across APAC jurisdictions, particularly focusing on Hong Kong's new Model AI Framework.

Every year on January 28, data protection is commemorated across the world. This day marks the anniversary of the Council of Europe's Convention 108 on the protection of personal data. It is considered to be the first legally binding international law in the field of data protection. Whilst the celebration of this day was introduced in 2006, Convention 108 was opened for signature on January 28, 1981, and with its potential to be applied internationally it has been recognized for providing legal certainty on the protection of personal data.

In Africa, the history of data protection traces back to 2001, when Cabo Verde rose to the occasion and became the first country to enact a data protection law. Ten years later, in 2011, only nine countries had enacted data protection laws. In 2011 alone, there was a notable increase in adoption: for the first time, three African countries enacted data protection laws that year. Little did we know that this was the beginning of tremendous progress. The following decade was marked by an exponential rate of enactment. Unlike in the previous decade, 22 countries enacted data protection laws, increasing the number of African countries with data protection laws to 32. The rate of increase was a remarkable 68.75%. Since 2021, four countries have enacted data protection laws. Senwelo Modise and Phenyo Kedisitse, of Bookbinder Business Law, discuss the key legal developments in the African data protection legal landscape in the last 12 months.

The Data Protection Act, 2023 (the Act) was introduced by the Department of Information Communications Technology on March 16, 2023, and approved by the Cabinet of Seychelles on June 22, 2023. The Act subsequently entered into force on December 22, 2023, replacing the Data Protection Act, 2003.

The Act provides controllers and processors 18 months from its effective date to bring their data processing activities into compliance with the provisions of the Act. OneTrust DataGuidance Research provides an overview of the Act, highlighting data subject rights and controller and processor obligations.

We are currently seeing a vast development and deployment of artificial intelligence (AI)-based systems and solutions across sectors and society as a whole. At the time of writing, these deployed AI systems are about to become subject to a detailed and comprehensive regulatory burden in and of itself as the EU is about to roll out its newly finished AI Act.

While the AI Act will introduce new obligations on AI developers and deployers, it should not be forgotten that medical sector technology is already subject to its own rules. Particularly, the EU Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR) have already been established to reform the European medical device (MD) regulatory framework and set high safety and performance standards for medical devices in the EU. As AI is increasingly being deployed in the medical sector, one may ask, how do the sector-agnostic AI Act and the sector-specific MD regulations coincide? Otto Lindholm, Counsel at Dottir Attorneys Ltd, looks at the overlap between the different legislation and provides some key takeaways for navigating these.

On July 1, 2024, state privacy legislation in Florida, Texas, and Oregon will enter into effect, joining the laws already in force, including those of California, Connecticut, Colorado, Virginia, and Utah. A state privacy law in Montana will also enter into effect in 2024, on October 1. Each law builds on trends seen in other US state privacy legislation, though each has distinct provisions. OneTrust DataGuidance breaks down some of the key provisions of the Florida, Texas, Oregon, and Montana laws.

Artificial intelligence (AI) is rapidly transforming Africa, but harnessing its potential responsibly requires strong governance. The African Union (AU) has made great strides in formulating frameworks and structures to govern the digital and technological space, such as the AU Convention on Cybersecurity and Data Protection (the Malabo Convention). The AU Digital Transformation Strategy 2020-2030 and the AU Data Policy Framework are also notable and both provide for Member States to nationalize and make adequate provisions for online security, data protection, and overall tech governance systems.

In this Insight article, Rachel Magege, from Pollicy, sheds light on current trends in AI governance in Africa, specifically what lies at the heart of the continent's current digital and business ventures. Rachel provides a breakdown of a few components in the African AI governance space as well as key recommendations on best practices that will serve the interests of the African people in a time of great technological advancements.