With last week’s political deal in the European Parliament to advance the European Union’s groundbreaking AI Act (the “EU AI Act”), Europe is one step closer to enacting the world’s first comprehensive AI regulatory framework. Yet while the EU is poised to become the first jurisdiction to take this step, other countries are not far behind. In recent months, the U.S.,…
Key takeaways this March include: Fairness in AI: Businesses utilising AI may want to assess fairness principles in accordance with the latest UK ICO guidance, which includes clarification around AI design and use; Notification timelines: Businesses may want to revisit their incident response plans to ensure they envisage breach notifications being made even when investigations remain ongoing; Data Processing Agreements:…
Debevoise & Plimpton LLP announced today that Matthew Kelly has joined the firm’s New York office as counsel and a member of its award-winning Data Strategy & Security Group. Mr. Kelly will help lead the Group’s AI advisory work, an area where the firm is a recognized market leader according to a recent feature in The American Lawyer, and advise on complex, high-impact cybersecurity matters,…
Back in November 2022, we highlighted the enactment of the EU’s Digital Operational Resilience Act (“DORA”) that will impose far-reaching operational resilience requirements and Board oversight requirements on almost all financial services firms regulated in the EU – including banks, insurers, payment services providers, crypto asset custodians, fund managers, among many others. DORA also regulates critical service providers that, for…
Agenda recently interviewed Avi Gesser on the legal risks associated with generative AI tools, whether company boards need AI experts, and which board committee should be responsible for overseeing AI risk and compliance. Here are some of the relevant quotes: “AI has lots of beneficial commercial uses, but it can also create reputational risks, operational risk, and legal risks. For…
Following recent enforcement action by the UK Prudential Regulation Authority (“PRA”) against Wyelands Bank, which was partly based on its failure to retain business-related messages exchanged by senior executives and directors, regulated firms may want to review how they handle employees’ use of personal devices for work purposes. The PRA strongly criticised Wyelands’ lack of record-keeping policies and procedures to…
The New York City Department of Consumer and Worker Protection (the “DCWP”) has adopted final rules (the “Final Rules”) regulating the use of artificial intelligence for hiring practices. The DCWP’s Automated Employment Decision Tool Law (the “AEDT Law” or the “Law”) requires covered employers to conduct annual independent bias audits and to post public summaries of those results. To recap,…
Last month, we wrote about how many companies were implementing a pilot program for ChatGPT, as a follow-up to our article about companies adopting a policy for the work-related uses of generative AI tools like ChatGPT, Bard and Claude (which we collectively refer to as “Generative AI”). We discussed how a pilot program often involves designating a small group…
Key takeaways from this February include: Enforcement: Businesses that use third-party data to conduct marketing should review the lawful basis on which each party relies to collect and process the data in light of a UK tribunal’s limiting of the ICO’s enforcement notice to Experian on appeal; Digital Services Act: Covered entities should ensure they are adhering to reporting…
In a new piece for The Drawdown magazine, Robert Maddox and Tristan Lockwood in our London office explore how the EU’s Digital Operational Resilience Act (“DORA”) is likely to be a game changer for fund managers in Europe. DORA is likely to impose prescriptive technology-focused business continuity requirements for the first time, and will cover almost all large EU-regulated financial services…