Data Protection and Privacy 2025

INTRODUCTION  Contributed by: Christian Schröder and Odey Hardan, Orrick

The AI Act complements the GDPR by setting forth additional obligations for high-risk AI systems to ensure responsible data processing. While the GDPR mandates lawful, fair and transparent data processing, the AI Act imposes further restrictions on high-risk AI applications, such as social scoring and real-time facial recognition, to prevent discrimination and protect privacy. The AI Act emphasises reducing bias and ensuring transparency, particularly for high-risk AI systems, by requiring that users are informed when interacting with AI and understand how decisions are made.

Regarding the relationship between the GDPR and AI models, a number of questions remain unanswered. Most recently, the European Data Protection Board (EDPB) issued an opinion that looks at relevant legal problems such as when and how AI models can be considered anonymous, whether and how legitimate interest can be used as a legal basis for developing or using AI models, and what happens if an AI model is developed using personal data that was processed unlawfully.

The role of data protection authorities

Data protection authorities (DPAs) play a crucial role in enforcing data privacy laws and ensuring compliance. These authorities are responsible for monitoring data processing activities, conducting investigations and imposing penalties for non-compliance. They also provide guidance to organisations on best practices for data protection and facilitate co-operation among international regulators.

In the EU, the EDPB co-ordinates the activities of national DPAs, ensuring consistent application of the GDPR across member states. The EDPB issues guidelines and recommendations on various aspects of data protection, helping to harmonise interpretations of the GDPR and address emerging privacy issues.

Challenges in cross-border data transfers

Cross-border data transfers present significant challenges for data privacy regulation, and continue to be a hot topic. The Schrems II decision by the Court of Justice of the European Union (CJEU) in 2020 highlighted the complexities of cross-border data transfers, invalidating the EU-U.S. Privacy Shield and emphasising the need for robust safeguards. In response, the European Commission adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (DPF) in 2023, allowing data transfers to US organisations that self-certify under the framework.

Recent developments involve not only increased regulation of non-personal data transfers and the adoption of laws mandating data localisation, but also a trend in privacy litigation. Courts are increasingly awarding damages to individuals for violations of data transfer rules, and no longer only in high-risk contexts. This trend requires companies to carefully assess the risks of using services provided by foreign vendors.

Earlier this year, the General Court of the European Union made a significant ruling, awarding damages for the transfer of an IP address to the United States during the period when there was no DPF. The court held that the website operator was liable for data transfers made through a third-party API embedded on the website, even though the website operator had not conducted the transfer itself. Such decisions may have implications for companies operating in both low-risk and high-risk contexts, as they could face mass tort litigation for using third-party services that transfer non-sensitive and device-related data to third countries.
