As companies slowly ramp up the depth and breadth of their AI adoption, one of the most difficult challenges they face is managing third-party risk. Most companies contemplating AI adoption will look to third-party vendors to provide AI-enabled products or services for their businesses. Companies often struggle when deciding what diligence to perform for these vendors and how to mitigate…

In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processors should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance…

On September 23, 2024, the U.S. Department of Justice updated its guidance to federal prosecutors related to the “Evaluation of Corporate Compliance Programs” (the “ECCP”).[1] This revision, the first since March 2023, addresses how companies manage risks associated with new and emerging technology, including artificial intelligence, and expands on preexisting guidance regarding employee reporting channels, whistleblower protection, post-acquisition compliance integration,…

Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., following Uber’s move away from relying on the standard contractual clauses (“SCCs”) in 2021. Businesses may wish to assess their own cross-border data transfer…

On November 14-15, 2024, the University of Texas School of Law and McCombs School of Business will host a groundbreaking event limited to public company directors and C-suite executives — the Director-Executive Summit. Debevoise partner Erez Lieberman will be moderating the Cybersecurity panel, which is scheduled for the morning of Friday, November 15.…

Our top five European data protection developments from July are: EU AI guidance: Businesses should consider reviewing their AI policies and practices following guidance from the French CNIL and the Irish DPC recommending that businesses conduct AI risk assessments and prepare AI policies and procedures, alongside the EDPB’s statement supporting the appointment of DPAs as the national authorities responsible for…

The European Commission has published a draft regulation containing further detail on the “technical and methodological” security measures, and cybersecurity incident reporting threshold triggers, under the incoming NIS2 directive (the “NIS2 Regulation”). Once finalised, the regulation will apply from 18 October 2024 in line with member states’ deadline for NIS2 implementation. NIS2: a recap The second Network and Information Systems…

On July 29, 2024, the Standing Committee on Ethics and Professional Responsibility of the American Bar Association (“ABA”) published Formal Opinion 512, providing guidance on the ethical use of generative AI tools by legal professionals (the “Opinion”). The Opinion is the latest of several similar ethical guidelines published by various state courts and bar ethics committees, including the September 2023…

Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. Businesses may wish to review their policies and procedures for responding to compensation requests for non-material damage to ensure…

When drafting policies on the use of artificial intelligence, one challenge that many businesses face is how to define AI, and relatedly, when should AI governance and compliance programs apply to models that do not meet the definition of AI. Choosing a Regulatory Definition of AI One common approach is to adopt the definition that is used in a regulation…