In 2022, the UK ICO published the International Data Transfer Agreement (“IDTA”) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (“the Addendum”). In short, these are the UK’s answer to the EU’s Standard Contractual Clauses for helping legitimise cross-border transfers of personal data. When announced, businesses were told that the EU SCCs would no longer be deemed…

On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the…

Key takeaways from December include: Concept of non-material damage under GDPR: In an expansive reading of the right to compensation under GDPR, a data subject’s fear that their personal data may be misused can qualify as recoverable “non-material damage”, according to a new ruling from the CJEU. Businesses should keep this finding, and the court’s wider reasoning behind it, in…

We have previously written about the legal risks that companies face if they oversell the capabilities of their AI systems, known as “AI washing.” In particular, the FTC and the SEC have each recently made clear they are focused on AI washing as a priority for investigations and enforcement. First, the FTC warned businesses that it may use its authority…

The following scenario is no longer science fiction: An employee receives an email from the CEO asking her to join a video call. The CEO directs the employee to send confidential documents to a third party. The request is unusual, but the employee saw the CEO with her own eyes, so she complies. It turns out, however, that it was…

As we approach the end of the year, here are the Top 10 posts on the Debevoise FinReg and FinTech Blog in 2023. If you are not already a Blog subscriber, click here to sign up. 1. Basel III Endgame Proposal Released Over Dissent (July 28, 2023) After several years of anticipation, the Federal Reserve Board (“FRB”), Federal Deposit Insurance Corporation…

On December 19, 2023, the Federal Trade Commission (the “FTC”) announced a complaint and a proposed stipulated order against a large drugstore chain (the “Company”) in connection with the Company’s alleged unfair use of facial recognition technology in retail stores to identify persons who had previously engaged in shoplifting or other wrongful activities (the “Action”). The Action provides a roadmap…

As we approach the end of the year, here are the Top 10 SEC cyber posts on the Debevoise Data Blog in 2023 by page views. If you are not already a Blog subscriber, click here to sign up. 1. SEC Adopts New Cybersecurity Rules for Issuers (July 28, 2023) On July 26, 2023, the SEC adopted the long-anticipated final…

Key takeaways from November include: AI Regulation: Businesses utilizing AI in the EU, particularly those in healthcare and generative AI, should keep in mind that European authorities and regulators continue to stress pre-existing obligations relating to AI in technology-neutral regulations, notwithstanding the recently reached political agreement on the EU AI Act; Employee monitoring: Businesses with employees in France should be…