2 August 2024

This Week In Data/Cyber/Tech: The EU AI Act Comes Into Force — But Don't Forget About The GDPR

Ropes & Gray LLP


Ropes & Gray is a preeminent global law firm with approximately 1,400 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Washington, D.C., Boston, Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul.

There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.

Story #1: The EU's AI Act comes into force...

You may have heard that the European Union's AI Act came into force on Thursday (1 August 2024).

That sounds important — but what does it mean in practice? Is the Act now enforceable? Should you already be in compliance? And what's next?

Helpfully, the provisions of the Act apply in stages across the next two years. The first big milestone — relating to "prohibited" AI — comes in February 2025, and the obligations that will affect most organisations kick in 18 months later, in August 2026.

Ropes & Gray has prepared an infographic covering all of the key dates. Click here for a preview of where a significant proportion of your organisation's AI efforts will likely be spent in the coming months and years.

Also on Thursday, the UK government announced that its proposed AI law will "exclusively focus on ChatGPT-style foundation models", according to a story in the Financial Times. The UK and Europe are separated by 21 miles of water but, for now, an ocean in their respective approaches to AI regulation.

Story #2: ... but don't forget about the GDPR

Amid a relentless focus on AI globally (see Story #1), and an alphabet soup of other technology laws in Europe, it is sometimes easy to forget about the GDPR.

In late July the European Commission issued its second report on the application of the GDPR. I've focused on two features of the report that will affect organisations outside the EU.

New Standard Contractual Clauses

When the "new" SCCs were introduced, in June 2021, the Commission made clear that they could only be used to send personal data to non-EEA parties that were not directly subject to the GDPR. At the time the Commission said that it was "in the process of developing" an additional set of SCCs for transfers to parties whose processing is directly subject to the GDPR, but those never materialised.

In the meantime, organisations within and outside Europe continue to use the 2021 SCCs for all transfers, even in cases where the importer is directly subject to the GDPR. However, in its report the Commission says that it is now developing the additional SCCs, which will "fully take into account" the requirements that already apply directly to data importers under the GDPR. Let's refer to these as the "2025 SCCs".

Most organisations do not want to repeat the exercise of moving to new SCCs that they undertook in 2021. Will the Commission allow organisations to keep the 2021 SCCs for existing transfers and enter into the 2025 SCCs only for new transfers? Or will there be a grace period, as there was for the 2021 SCCs, during which organisations must repaper existing transfers onto the 2025 SCCs? We can hope for pragmatism on the part of the Commission, but time will tell.

Extra-Territorial Enforcement

Another consideration for organisations that are subject to the GDPR on an extra-territorial basis is the extent to which they are, in practice, out of the reach of European regulators. The view that they largely are is supported by the fact that only a small number of low-level enforcement actions have been taken against non-EU based organisations, albeit with a few high-profile examples involving Clearview AI that skew the picture.

In an effort to increase enforcement against non-EU based organisations, the Commission says that it will seek authorisation to "conclude enforcement cooperation agreements" with relevant foreign authorities, including in G7 countries and/or countries that benefit from adequacy decisions, as well as putting in place mutual assistance agreements.

Lastly, the Commission recommends that existing enforcement avenues, including the use of Art. 27 GDPR representatives, should be "pursued more vigorously". The fact that many non-EU companies have never appointed a representative will make this harder in practice, but going forward those organisations should factor a more aggressive approach to enforcement by European regulators into their risk analysis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
