The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are two of the most important data protection regimes in place today. The former is a comprehensive data protection regime that applies generally to any information relating to an identified or identifiable natural person and the wide variety of organisations that collect and process the personal data of individuals in the EEA. In contrast, HIPAA is a much narrower US-based regime that only applies to protected health information ('PHI') and certain specified healthcare entities.
Christiana State and Brandon C. Ge, from Crowell & Moring LLP, explore key differences and similarities between the two jurisdictions' approaches to data protection with regard to health-related data.
On 24 February 2023, the Cyberspace Administration of China ('CAC') released the final form of its key transfer mechanism for data exports - the long-awaited Personal Information Export Standard Contract ('the Standard Contract') and its accompanying Measures on the Standard Contract ('the Measures'), which set out the principles governing the use of the Standard Contract. While the Standard Contract comprises one of three transfer mechanisms under China's data protection law - the Personal Information Protection Law of the People's Republic of China ('PIPL') - the Standard Contract is anticipated to be the most popular approach for international businesses seeking to export personal information out of mainland China.
Alex Roberts, from Linklaters, and Roger Li and Tiantian Ke, from Zhao Sheng Law Firm, look at the key aspects of the Standard Contract and compare them to the EU 2021 Standard Contractual Clauses ('EU SCCs').
The first article in this series looked at what synthetic data is and how it is generated, and the second article examined the use cases of synthetic data. In this article, Dr. Khaled El Emam, SVP and General Manager of Replica Analytics Ltd. looks at a number critical success factors ('CSF') for the implementation of synthetic data generation ('SDG') in an enterprise.
Some of these CSFs apply to any artificial intelligence ('AI') technology implementation, but they are still worth emphasising, and some are particular or amplified in the context of SDG implementation projects. The article will close with an actual case study that illustrates the implementation of SDG for a highly sensitive dataset on opioid users.
Last year in the US, the American Data Privacy and Protection Act ('ADPPA') was approved by the House Committee on Energy & Commerce and sent to the US House of Representatives. In Canada, Bill C-27 for the Digital Charter Implementation Act 2022 was introduced by the Federal Government. If enacted, Bill C-27 would produce three statutes: the Consumer Privacy Protection Act ('CPPA'); the Personal Information and Data Protection Tribunal Act; and the Artificial Intelligence and Data Act.
Part one of this series touched upon the general requirement of consent when disclosing personal information in regards to the CPPA and the ADPPA. In part two of this series, Martin E. Aquilina and Vicky Li, from Aquilina Law, discuss disclosure without consent under the CPPA and the ADPPA, along with other topics such as enforcement and access to information.
As advancements in technology continue to grow at a rapid pace, more and more organisations are turning to artificial intelligence ('AI') for various uses. Whilst AI has the potential to benefit society in countless ways, its use does not come without various risks (e.g. bias, discrimination, or lack of explainability) – this may eventually lead to a lack of public trust. And distrust can kill innovation.
Organisations preparing to develop or use AI systems should therefore carefully consider the mitigations they will implement to reduce risks associated with its use. Developing and adhering to a risk management plan will help ensure that organisations use this technology in a responsible manner and will greatly reduce the likelihood of potential legal liability associated with its use.
In this article, Mary Jane Wilson-Bilik, Philip James, and Lorna Doggett, from Eversheds Sutherland, consider five selected recent AI policies, principles, and frameworks internationally that organisations can use as a guide as they develop their own risk management programs and policies for their uses of AI.
The protection of children's online data has emerged as one of the most important data privacy issues both in the US and EMEA. In the last quarter of 2022, California joined the list of jurisdictions that have enacted regulations in the space with its passage of the Age-Appropriate Design Code Act ('CA AADC'), which goes into effect on 1 July 2024. The CA AADC was modelled closely after the UK's Age Appropriate Design Code ('UK AADC') which came into force on 2 September 2020 with a 12 month grace period. Goli Mahdavi, Counsel at Bryan Cave Leighton Paisner LLP, compares the CA AADC with the UK AADC, looking specifically at the scope of application, covered entities, obligations, and enforcement and penalties in case of non-compliance.
Artificial intelligence ('AI') is now all around us, but are there areas where we should limit if, and how, AI is used? The development of AI across sectors that require particularly high moral and ethical standards (such as healthcare, education, and defence) has led to important questions around AI ethics as a whole: how can machine learning be, and stay, transparent, fair, moral, and unbiased?
In this Insight article, Charlotte Kingman, Associate at Ashfords LLP, gives an overview of ethical challenges arising from the use of AI and highlights key considerations businesses should take into account for a responsible use of this technology.
In today's data-driven world, the protection of personal data has become a critical issue for individuals, businesses, and governments alike. As a result, numerous countries have introduced comprehensive privacy laws which establish data protection authorities ('DPAs') tasked with regulating and enforcing the law's provisions.
Since the entry into effect of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in 2018, DPAs in EU Member States have been required to publicly report their activities on an annual basis, and many other DPAs globally also do the same in a bid to remain both transparent and accountable.
The first article in this series on synthetic data looked at what this type of data is and how it is generated. In this article, Dr. Khaled El Emam, SVP and General Manager of Replica Analytics Ltd, will examine some of the use cases of synthetic data in a bit more detail.
It is no secret; the future is data-driven. While the massive use of data has sparked a wave of regulation worldwide, advances in artificial intelligence ('AI') and machine learning ('ML') demand sizable datasets. Technological progress raises privacy and ethical challenges. One technology offers promising solutions, although not without risk: synthetic data.
Iara Griffith, Lawyer at Fasken, explores definitions, perks, and challenges of synthetic data, as well as possible solutions to mitigate risks.
Synthetic data is data that has been generated artificially, rather than being real-world data. In part one of this series on synthetic data, Dr. Khaled El Emam, SVP and General Manager of Replica Analytics Ltd, discusses what exactly this type of data is and how it is created. Future articles will discuss the specific use cases for synthetic data in more detail and provide examples from various industries.
Both in the US and in Canada, a highly anticipated reform of data privacy legislation made significant progress last year. In the US, the American Data Privacy and Protection Act ('ADPPA') was approved by the House Committee on Energy & Commerce and sent to the US House of Representatives. In Canada, Bill C-27 for the Digital Charter Implementation Act 2022 was introduced by the Federal Government. If enacted, Bill C-27 would produce three statutes: the Consumer Privacy Protection Act ('CPPA'); the Personal Information and Data Protection Tribunal Act; and the Artificial Intelligence and Data Act.
In part one of this series, Martin E. Aquilina and Vicky Li, from Aquilina Law, take a comparative approach while presenting an overview of the ADPPA and the CPPA, highlighting the changes brought forward that would likely be of interest to a multinational doing business in Canada and in the US.