CINXE.COM

<!DOCTYPE html> <html lang="en"> <head> <title> Data revolutions and privacy scares | International Bar Association</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <meta name="title" content="Data revolutions and privacy scares "> <meta name="keywords"> <meta name="description" content="In-house counsel have been kept on their toes over the past year by numerous global data protection and privacy challenges, least among them the growth of artificial intelligence. In-House Perspective takes stock of what’s on the agenda."> <meta name="robots" content="index,follow"> <meta property="og:title" content="Data revolutions and privacy scares " /> <meta property="og:description" content="In-house counsel have been kept on their toes over the past year by numerous global data protection and privacy challenges, least among them the growth of artificial intelligence. In-House Perspective takes stock of what’s on the agenda." /> <meta property="og:url" content="https://www.ibanet.org/Data-revolutions-and-privacy-scares" /> <meta property="og:type" content="Website" /> <meta property="og:image" content="https://www.ibanet.org/medias/ihp-september-2024-3.jpg?context=bWFzdGVyfGltYWdlc3wxNDUzMDB8aW1hZ2UvanBlZ3xhR1kxTDJnMk1TODVNVFE1TURZd01qZzBORFEyTDJsb2NDMXpaWEIwWlcxaVpYSXRNakF5TkMwekxtcHdad3xmZDAzYzQzNTQwMWQzNWIzYzcyZjkxMWU3YzAyZGY0YmY1Y2Q5ZGMxZjQ3ODE3NmM2NDM0ZjljMjA3NmNiNmFm" /> <meta name="twitter:card" content="summary_large_image" /><link rel="shortcut icon" type="image/x-icon" media="all" href="/_ui/responsive/theme-alpha/images/favicon.ico" /> <link rel="stylesheet" type="text/css" media="all" href="/wro/base_responsive.css?v=948153693" /> <link rel="stylesheet" type="text/css" media="all" href="/wro/addons_responsive.css?v=948153693" /> <link rel="stylesheet" type="text/css" media="all" href="/_ui/responsive/theme-alpha/css/owl.carousel.css" /> <link rel="stylesheet" type="text/css" media="all" href="/_ui/responsive/theme-alpha/assets/css/fonts-icons/fontawesome.css" /> <link rel="stylesheet" type="text/css" href="/_ui/responsive/theme-alpha/css/printing.css?v=948153693" media="print"> <link rel="stylesheet" type="text/css" media="all" href="/configurable-style/FlexTemplate2V1/stylesheet.css?v=948153693" />  <script src="https://cdn-ukwest.onetrust.com/consent/01905a83-279f-78f3-85a7-62a38ca23783/OtAutoBlock.js" type="text/javascript" ></script> <script src="https://cdn-ukwest.onetrust.com/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="01905a83-279f-78f3-85a7-62a38ca23783" ></script> <script type="text/javascript"> function OptanonWrapper() { } </script>  <script src="/_ui/shared/js/analyticsmediator.js"></script> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-195227663-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.push(arguments); } gtag('js', new Date()); if (true) { // Set default consent settings gtag('consent', 'default', { 'ad_storage': 'denied', 'analytics_storage': 'denied', 'personalization_storage': 'denied', 'security_storage': 'granted', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': 500 }); } gtag('config', 'UA-195227663-1'); function trackLogin() { gtag('event', 'login'); } function trackAddToCart(productCode, quantityAdded) { gtag('event', 'add_to_cart', { items: [{ id: productCode, quantity: quantityAdded }] }); } function trackRemoveFromCart(productCode, initialQuantity) { gtag('event', 'remove_from_cart', { items: [{ id: productCode, quantity: initialQuantity }] }); } window.mediator.subscribe('trackLogin', function() { trackLogin(); }); window.mediator.subscribe('trackAddToCart', function(data) { if (data.productCode && data.quantity) { trackAddToCart(data.productCode, data.quantity); } }); window.mediator.subscribe('trackRemoveFromCart', function(data) { if (data.productCode && data.initialCartQuantity) { trackRemoveFromCart(data.productCode, data.initialCartQuantity); } }); </script>  <script> (function(w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start' : new Date().getTime(), event : 'gtm.js' }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-NB67BL3'); </script>  </head> <body class="page-cmsitem-00267014 pageType-ContentPage template-pages-layout-flexTemplateLayoutPage2 pageLabel--Data-revolutions-and-privacy-scares smartedit-page-uid-cmsitem_00267014 smartedit-page-uuid-eyJpdGVtSWQiOiJjbXNpdGVtXzAwMjY3MDE0IiwiY2F0YWxvZ0lkIjoibWV4Q29udGVudENhdGFsb2ciLCJjYXRhbG9nVmVyc2lvbiI6Ik9ubGluZSJ9 smartedit-catalog-version-uuid-mexContentCatalog/Online language-en">  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=UA-195227663-1" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>  <div class="branding-mobile hidden-md hidden-lg"> <div class="js-mobile-logo"> </div> </div> <main data-currency-iso-code="GBP"> <div class="yCmsContentSlot"> </div><nav class="navbar top-nav header"> <div class="header__site-logo-mobile hidden-lg hidden-xl"> <div class="banner__component simple-banner logo"> <a href="/" aria-label="Home"> <img title="" alt="" src="/medias/logo.png?context=bWFzdGVyfGltYWdlc3wyMTU5NnxpbWFnZS9wbmd8YUdJekwyZzVOUzg0TnprMk1qazNNREF6TURNNEwyeHZaMjh1Y0c1bnw5ZjkyNGYwY2U3MTQ1NDk0NTRmMmExNzNmM2EzYzI3MTMxZWI2ZTgyMGIxZGFjNDVkMDkyNzRjYzIyMjQ1MmVk" class=""> </a> </div> </div> <div class="container"> <div class="header__left-side col-md-4 hidden-xs hidden-sm hidden-md"> <div class="banner__component simple-banner logo"> <a href="/" aria-label="Home"> <img title="" alt="" src="/medias/logo.png?context=bWFzdGVyfGltYWdlc3wyMTU5NnxpbWFnZS9wbmd8YUdJekwyZzVOUzg0TnprMk1qazNNREF6TURNNEwyeHZaMjh1Y0c1bnw5ZjkyNGYwY2U3MTQ1NDk0NTRmMmExNzNmM2EzYzI3MTMxZWI2ZTgyMGIxZGFjNDVkMDkyNzRjYzIyMjQ1MmVk" class=""> </a> </div> </div> <div class="header__right-side d-flex align-items-center col-md-8"> <div class="form-inline my-2 header__search-bar col-md-8"> <div class="ui-front search-bar"> <form action="/search/" id="globalSearchForm"> <div class="floating-labels"> <div class="form-group search-section"> <input type="text" name="text" class="form-control js-site-search-input" id="site-search-input" value="" data-options="{ "autocompleteUrl" : "/search/autocomplete", "minCharactersBeforeRequest" : "3" }" maxlength="100"> <label for="site-search-input" class="site-search-input">Search...</label> <button class="btn header-search-btn input-group-btn js_search_button" aria-label="Search" type="submit"> <span class="searchIcon"><i class="fas fa-search"></i></span> </button> </div> </div> </form> </div> </div> <div class="my-account js-my-account-avatar"> <a href="/login" class="btn btn-primary btn-primary__sign-in my-2 my-sm-0"> Sign in</a> </div> <div class="nav-cart mini-cart"> <a href="/cart" data-toggle="tooltip" title="Your cart is empty"> <i class="fas fa-shopping-cart fa-xl"></i> </a> </div></div> <button class="navbar-toggler p-0 on-mobile" type="button" data-toggle="offcanvas" aria-label="Browse through the navigation bar"> <div class="hamburger"> <span></span> <span></span> <span></span> <span></span> </div> </button> </div> </nav> <nav class="navbar navbar-expand-lg bg-dark"> <div class="container"> <div class="navbar-collapse offcanvas-collapse"> <ul class="navbar-nav mr-auto"> <li class="navbar-nav__account nav-item hidden-lg hidden-xl"> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">About</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/Contact-the-IBA" >Contact the IBA</a> <a class="dropdown-item" href="/About-the-IBA" >About the IBA</a> <a class="dropdown-item" href="/governance-and-management" >Governance, leadership and management</a> <a class="dropdown-item" href="/Task-Forces" >Task forces</a> <a class="dropdown-item" href="/Special-Projects-Fund" >Special projects fund</a> <a class="dropdown-item" href="/Charitable-trusts" >Charitable trusts</a> <a class="dropdown-item" href="/past-presidents" >Past presidents</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">IBA Presidency</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/IBA-Presidency-Blog" >IBA Presidency</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Committees / Divisions</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/lpd" >Legal Practice Division</a> <a class="dropdown-item" href="/PPID" >Public and Professional Interest Division</a> <a class="dropdown-item" href="/Bar-Associations-Home" >Bar Issues Commission - Bar Associations</a> <a class="dropdown-item" href="/committees" >Committee index</a> <a class="dropdown-item" href="/committees/divisions/legalPractice/lpdSections" >Section index</a> <a class="dropdown-item" href="/unit/Regional+Fora/section/Regional+Fora/218" >Regional fora</a> <a class="dropdown-item" href="/Diversity-and-Inclusion-Council" >Diversity & Inclusion Council</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Outreach</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/IBAHRI" >Human Rights Institute</a> <a class="dropdown-item" href="/IBAHRIsecretariat" >High Level Panel - Media Freedom</a> <a class="dropdown-item" href="/LPRU" >Legal Policy and Research Unit</a> <a class="dropdown-item" href="https://www.eyewitness.global" target="_blank" >eyeWitness</a> <a class="dropdown-item" href="" >Education and Internships</a> <a class="dropdown-item" href="/IBA-Foundation" >IBA Foundation</a> <a class="dropdown-item" href="/Scholarships-and-Awards" >Scholarships and Awards</a> <a class="dropdown-item" href="/Podcast-series-Sustainable-law-in-action" >Sustainable law podcast series </a> <a class="dropdown-item" href="/IBA-Barbri-Negotiation-Skills-Course" >IBA/Barbri Negotiation Skills Course</a> <a class="dropdown-item" href="/ICC-ICL-Programme" >ICC & ICL Programme</a> <a class="dropdown-item" href="/ICC-Moot-Court-Competition" >IBA ICC Moot Court Competition</a> <a class="dropdown-item" href="/articles?type=NEWS_RELEASE" >News releases</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Membership</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/Join" >Join the IBA</a> <a class="dropdown-item" href="/my-account/memberDirectory" >Membership directory</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Conferences / Events</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/conferences" >Conference diary</a> <a class="dropdown-item" href="/Advertising-and-Sponsorship/Specialist-Conference" >Specialist conference sponsorship</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">Digital Content</a> <div class="dropdown-menu" aria-labelledby="dropdown01"> <a class="dropdown-item" href="/IBA-Digital-Content" >Digital Content home</a> <a class="dropdown-item" href="/IBA-Global-Insight" >Global Insight</a> <a class="dropdown-item" href="/articles?type=NEWS_ANALYSIS" >News analysis</a> <a class="dropdown-item" href="/articles?type=PODCASTS" >Global Insight podcasts</a> <a class="dropdown-item" href="/articles?type=FILMS" >Films</a> <a class="dropdown-item" href="/IHP" >In-House Perspective</a> <a class="dropdown-item" href="/Journals" >Journals</a> <a class="dropdown-item" href="/committee-content" >Committee content</a> <a class="dropdown-item" href="/resources" >Guides and reports</a> <a class="dropdown-item" href="/Books" >Books</a> <a class="dropdown-item" href="/e-News-Advertising" >e-News advertising</a> <a class="dropdown-item" href="/Advertising-and-Sponsorship/Leaderboard-Advertising" >Leaderboard advertising</a> </div> </li> <li class="navbar-nav__sign-out nav-item hidden-lg hidden-xl"> </li> </ul> </div> </div> </nav> <div class="main__inner-wrapper"> <div class="container-fluid"> <div class="yCmsContentSlot row"> </div></div> <div class="container"> <div class="yCmsContentSlot row"> <div class="yCmsComponent col-12"> <div class="container articleSection"> <div class="row"> <div class="col-12 col-md-12"> <div> <h1 class="articleTitle">Data revolutions and privacy scares </h1> <div class="authorDate"><strong class="authorName">Sophie Cameron</strong>Tuesday 20 August 2024</div></div> <img src="/medias/ihp-september-2024-3.jpg?context=bWFzdGVyfGltYWdlc3wxNDUzMDB8aW1hZ2UvanBlZ3xhR1kxTDJnMk1TODVNVFE1TURZd01qZzBORFEyTDJsb2NDMXpaWEIwWlcxaVpYSXRNakF5TkMwekxtcHdad3xmZDAzYzQzNTQwMWQzNWIzYzcyZjkxMWU3YzAyZGY0YmY1Y2Q5ZGMxZjQ3ODE3NmM2NDM0ZjljMjA3NmNiNmFm" class="custom-banner-img articleBanner"> </div> </div> <p> </p> <div class="title-bar"> <ul class="sub-links d-sm-none d-none include-chevron"> <li> <a href="/IHP">Return to home</a></li> <li> <a href="/IHP/editors-picks">Editor's Picks</a></li> <li> <a href="/Publications/in-house-perspective-archive">Previous issues</a></li> </ul> </div>  <p> </p>  <p><strong>In-house counsel have been kept on their toes over the past year by numerous global data protection and privacy challenges, least among them the growth of artificial intelligence. <em>In-House Perspective</em> takes stock of what’s on the agenda.</strong></p> <p>The EU’s General Data Protection Regulation (GDPR) has become the international standard on privacy. Yet in the six years since its implementation, the global data protection landscape hasn’t necessarily become easier to navigate. The challenges posed by new technologies, the cybersecurity threats inherent to a digital economy and evolving legal requirements mean that the debate about how best to navigate and protect citizens’ data continues.</p><p>‘The global privacy landscape is very complex,’ says Elisa Henry, Vice Chair of the IBA Technology Law Committee and Director of Global Privacy at WSP Global in the Netherlands. ‘To be properly navigated, a good understanding of the underlying technology and a true risk-based approach are necessary, since total compliance with all privacy laws is extremely complicated to achieve and requires true specialists, dedicated to this particular area of law.’</p> <h3 style="font-weight: bold; font-size: medium;">The coming revolution</h3> <p>The past year has seen artificial intelligence (AI) dominate the global data protection and privacy landscape. As AI has evolved, presenting both opportunities and risks, companies, governments and regulators have responded.</p><p>Given that AI technology is trained on huge amounts of data, including personal data, the output of AI models will have a bearing on the privacy and data protection rights of individuals. As a result, in-house lawyers will have to get to grips with the interplay between data privacy and AI laws, as well as their own internal company policies on the use of the technology. Henry explains that a top priority for in-house counsel is quickly adapting compliance frameworks to reflect the specific challenges AI brings.</p><p>The AI revolution has dominated the privacy discussion in the past year, says Matthias Orthwein, a partner at SKW Schwarz in Munich. He outlines the issues involved, which include the use of personal data for training AI models and systems; its use for automatic or automatically supported decision making; potential infringements of privacy rules caused by the output of AI applications; the need for more explainable AI in order to fulfil the legal rights of data subjects to transparency and control of the use of their personal data; and the use of AI tools for GDPR compliance work. ‘All of these discussions have primarily evolved since December 2022 and during the past year,’ explains Orthwein.</p><p>In terms of how legislators and regulators are responding to AI, the EU Artificial Intelligence Act, which aims to foster the responsible development and deployment of AI in a manner that respects fundamental rights, entered into force on 1 August 2024. Several years in the making, it’s considered to be the first piece of AI-focused legislation in the world. The EU Council believes that the legislation is capable of setting a new global standard for AI regulation, while promoting the European approach to tech regulation on a global scale.</p><p>The AI Act seeks to address potential risks to citizens’ fundamental rights, including the rights to privacy and to the protection of personal data, by setting out obligations concerning specific uses of AI and the requirements placed on providers, importers and users of such systems related to the level of risk posed.</p><p>Elsewhere, in July Brazil’s National Data Protection Authority ordered Meta to temporarily suspend the training of its AI models with the personal data of Brazilian users, after the regulator found preliminary indications of violations of the country’s General Personal Data Protection Law. In response, Meta described the Authority’s decision as ‘a step backwards for innovation, competition in AI development and further delays bringing the benefits of AI to people in Brazil the company’. It added that its approach complies with local privacy laws.</p><p>Also in July, the European Data Protection Board (EDPB) adopted Statement 3/2024, which relates to the role of data protection authorities in the AI Act framework. It makes clear that EU data protection law is fully applicable to the processing of personal data involved in the lifecycle of AI systems and that the EDPB has already begun an examination of AI’s interplay with EU data protection law. To develop an enforcement framework, the EDPB requests that the national data protection authorities (DPAs) of each Member State are also designated as the competent national authorities within the meaning of the AI Act, given their experience and expertise in developing guidelines and best practices and carrying out enforcement actions on AI-related issues with respect to the processing of personal data at both national and international level.</p><p>More specifically, the EDPB recommends that DPAs should be designated by Member States as market surveillance authorities (MSAs) within the meaning of the AI Act for the high-risk AI systems mentioned in Article 74(8) of the legislation, as well as for those listed in its Annex III. The EDPB Statement also highlights the need for the EU AI Office, which is part of the European Commission, to cooperate with national DPAs and the EDPB on issues relating to the processing of personal data.</p> <p>Lisandro Frene, Chair of the IBA Platforms, E-Commerce and Social Media Subcommittee and a partner at Richards, Cardinal, Tutzer, Zabala & Zaefferer in Buenos Aires, says that all companies are technology companies now and that data is the fuel for such technology. ‘Thus, in-house counsel will have to look beyond data privacy laws and start diving into other fields of law that combine with data privacy laws when dealing with data in particular industries,’ he says.</p> <div class="blockquote my-4"> <h3 class="text-dark">“In-house counsel will have to start diving into other fields of law that combine with data privacy laws when dealing with data in particular industries</h3> <p><br /> <strong>Lisandro Frene<br /> </strong>Chair, IBA Platforms, E-Commerce and Social Media Subcommittee</p> </div> <p>This view is reiterated by the EDPB’s Statement 3/2024, where it says, ‘in fact, the processing of personal data (which is often strictly intertwined with non-personal data) along the lifecycle of AI systems ‒ and particularly along the lifecycle of those AI systems presenting a high risk to fundamental rights ‒ clearly is (and will continue to be) a core element of the various technologies covered under the umbrella of the AI definition, as enshrined in Article 3(1) AI Act.’</p> <h3 style="font-weight: bold; font-size: medium;">Picking up the Shield</h3> <p>Another notable privacy-related development is the adoption of the new EU–US Data Privacy Framework to normalise transfers of personal data between the two jurisdictions. The Framework was created to rectify issues identified by the Court of Justice of the European Union (CJEU) when it declared the European Commission’s Privacy Shield invalid in a ruling in 2020.</p><p>The European Commission finalised its much-anticipated Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequacy of data privacy arrangements between the EU and the US in summer 2023, specifically addressing the shortcomings in protection against surveillance by US intelligence and providing judicial redress for EU residents. Notably, the new Framework places limits on the ability of US intelligence agencies to access the data of EU citizens when it’s transferred to the US and provides EU citizens with scope to raise complaints about the way their data is handled before a data protection review court.</p><p>The EDPB published an information note on data transfers to the US under the GDPR after the adoption of the adequacy decision, seeking to provide clarity on the implications for data subjects in the EU and entities transferring data from the bloc. The information note addresses five broad questions on the practicalities of the new regime and the redress mechanism, as well as details of the first review of the effectiveness and implementation of the decision a year after its entry into force.</p><p>‘Luckily, we have gained the final and long-awaited piece of clarity and assurance for users and providers of cloud-based solutions that privacy is not meant to block innovation and new business models,’ says Orthwein. ‘The introduction of the EU–US Data Privacy Framework has cleared up the issues and ended a lot of discussions pertaining to the transfer of personal data to the US.’ He adds that while there are still a number of questions to be answered, the debate has substantially calmed down.</p> <div class="blockquote my-4"> <h3 class="text-dark">“The introduction of the EU–US Data Privacy Framework has cleared up the issues and ended a lot of discussions pertaining to the transfer of personal data to the US</h3> <p><br /> <strong>Matthias Orthwein<br /> </strong>Partner, SKW Schwarz</p> </div> <h3 style="font-weight: bold; font-size: medium;">Cybersecurity and other tales</h3> <p>With numerous elections taking place around the world in 2024, the interplay between democracy and data protection and cybersecurity measures has been highlighted. In July, the UK Information Commissioner’s Office (ICO) issued a reprimand to the Electoral Commission for an incident that took place in 2021, in which hackers gained access to servers containing the personal data of approximately 40 million people. The ICO’s statement explains that the hackers had access to the data for over a year, after exploiting a known software vulnerability in the Electoral Commission’s Microsoft Exchange Server that had not been secured. The ICO’s investigation found that the Electoral Commission didn’t have ‘appropriate security measures in place’ to protect the personal information it held, didn’t ensure that the latest security updates were implemented and didn’t have sufficient password policies in place at the time of the attack. The Electoral Commission, the ICO added, has undertaken numerous remedial steps to improve their security since, including implementing a plan to modernise their infrastructure, as well as password policy controls and multi-factor authentication for all users.</p><p>‘Cybersecurity incidents are affecting almost all companies worldwide,’ says Frene. ‘You have the hacked companies and the ones that will be hacked: it is almost a certainty that it will happen to your company. The position of in-house counsel is crucial because, when a cybersecurity incident happens, they have to decide the course of action in a matter of hours.’</p> <div class="blockquote my-4"> <h3 class="text-dark">“The position of in-house counsel is crucial because, when a cybersecurity incident happens, they have to decide the course of action in a matter of hours</h3> <p><br /> <strong>Lisandro Frene<br /> </strong>Chair, IBA Platforms, E-Commerce and Social Media Subcommittee</p> </div> <p>The ongoing threats faced by companies and governments are relentless and increasing in number and sophistication. In the UK in July, the new government announced during the King’s Speech – which opens parliament – a Cyber Security and Resilience Bill, which aims to strengthen the UK’s defences against cyber threats and keep critical infrastructure and digital services secure. The background notes to the King’s Speech highlight that in the last 18 months, hospitals, universities, local authorities, democratic institutions and government departments have been targeted in cyberattacks.</p><p>Also in the UK, the country’s Data Protection and Digital Information (DPDI) Bill, which was due to update the UK GDPR and the Data Protection Act 2018, had been nearing the final stage of its passage through Parliament. However, the draft legislation didn’t pass during the two-day ‘wash-up’ period, which enables the government to push through the bills it deems essential before Parliament is dissolved in readiness for a general election. The DPDI Bill was intended to simplify obligations, in what was believed to be a move away from the EU’s more onerous requirements on data protection. Notably, the introduction of ‘smart data’ provisions that would open up consumer data flows in various sectors was proposed.</p><p>The future of the DPDI Bill now rests with the new government, who had been opposed to many of the Bill’s provisions, and its absence from the King’s Speech is significant.</p><p>On the horizon for businesses and in-house counsel is the EU’s Data Act, which will apply as of 12 September 2025. It aims to improve access to data in the EU market for individuals and businesses. Significantly, the Act will enable the public sector to access and use data held by private industry to help respond to emergencies. Another key provision involves additional protection for European businesses from unfair contractual terms in data sharing contracts. Orthwein explains that ‘the use and sharing of product related data (which will include personal data as well as non-personal data) will need to be considered and caution should be taken with regard to the design of future products and services’.</p><p>The EU’s Digital Operational Resilience Act (DORA), meanwhile, will apply as of 17 January 2025 and is aimed at bolstering the IT security of financial entities. In addition to this, EU Member States must implement Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (known as ‘NIS2’) by the end of 2024. NIS2 aims to improve cybersecurity including by increasing the level of harmonisation of security requirements and reporting obligations; encouraging Member States to introduce new areas of interest such as supply chain, vulnerability management, core internet and cyber hygiene into their national cybersecurity strategies; and expanding the types of sectors covered, meaning that more entities will be obliged to take measures to bolster their cybersecurity. These new rules will increase the pressure on data controllers to improve the security of personal data and will require in-house counsel to make the relevant changes within their company’s processes and documentation.</p><p>‘The new regulations, such as the EU Data Act, AI Act and the IT security regulations (DORA and NIS2) are very much linked to the compliant use of personal data,’ says Orthwein. ‘Unfortunately, the wording and concepts in these new regulations are not aligned with the privacy requirements in the GDPR. This creates a number of uncertainties, unclear and even opposing requirements, as well as room for misunderstandings. Privacy professionals will continue to be very busy trying to keep track of all the requirements.’</p> <h3><strong>Zeroing in on key concerns</strong></h3> <p>For Frene, the key issues related to data protection faced by in-house counsel currently are cybersecurity, employee data and AI. ‘Employee data privacy is particularly important at present,’ he says. ‘New technologies processing employees’ biometric data and pre-existing technologies like video surveillance are being used as never before to monitor employees’ behaviour. This forces in-house lawyers to deal with data protection law, labour law and sometimes with other laws that regulate these technologies.’</p><p>A particular challenge is presented by the collection and use by companies of employee data, for example where technological devices process this data and monitor the behaviour of staff. ‘In-house counsel are often in a unique and uncomfortable position,’ says Frene. ‘On one hand, they need to defend and provide grounds for the company concerning the use of such technologies’, while, on the other hand, there are many applicable data privacy and labour laws that prevent or restrict the use of such technologies, particularly in instances where they affect and/or invade the privacy and/or other related rights of employee, he explains.</p><p>For Henry, a significant challenge comes from implementing a true privacy by default and by design approach and, generally, developing and implementing new processes related to privacy, which aren’t always seen as a priority for many businesses operating in the business-to-business (B2B) space. ‘Coordinating with multiple stakeholders internally and externally, who do not always have a clear understanding of how important privacy is for the organisation and see it as an impediment to quick innovation/business operations, can also be difficult,’ she adds. ‘Finally, in the B2B space, securing the necessary budget to automate compliance efforts and to retain external counsel can be tricky, as well.’</p> <div class="blockquote my-4"> <h3 class="text-dark">“In the B2B space, securing the necessary budget to automate compliance efforts and to retain external counsel can be tricky</h3> <p><br /> <strong>Elisa Henry<br /> </strong>Vice Chair, IBA Technology Law Committee</p> </div> <p></p> <div class="row flex-row"> <div class="col-md-6"> <div class="ihp-article-contact"> <p><strong>Sophie Cameron</strong> is a freelance journalist and can be contacted at <a href="mailto:sophiecameron2@googlemail.com">sophiecameron2@googlemail.com</a></p> </div> </div>   <div class="col-md-6"> <div class="ihp-related-links"> <h3>Related links</h3> <ul class="include-chevron"> <li><a href="https://www.ibanet.org/article/FF397017-0CED-4111-8361-27E2C21E0A5B">Data’s ever-increasing value</a></li> <li><a href="https://www.ibanet.org/the-next-eu-us-data-transfer-regime">The next EU-US data transfer regime</a></li> <li><a href="https://www.ibanet.org/article/C2238C90-D0AF-400E-A97E-A8DA76D2EB8F">Employee privacy rights at work</a></li> <li><a href="https://www.ibanet.org/ai-generates-step-change">AI generates a step change</a></li> </ul> </div> </div>  </div> <div class="row"> <div class="col-md-12"> </div> </div> </div> <ul class="share"> <li> <a data-href="https://twitter.com/intent/tweet?url=https://www.ibanet.org/Data-revolutions-and-privacy-scares" target="_blank" class="fab fa-twitter"></a> </li> <li> <a href="https://www.facebook.com/sharer/sharer.php?u=https://www.ibanet.org/Data-revolutions-and-privacy-scares" target="_blank" class="fab fa-facebook-f"></a> </li> <li> <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.ibanet.org/Data-revolutions-and-privacy-scares" target="_blank" class="fab fa-linkedin-in"></a> </li> </ul> </div></div></div> <div class="container-fluid"> <div class="yCmsContentSlot row"> </div></div> <div class="container"> <div class="yCmsContentSlot row"> </div></div> <div class="container-fluid"> <div class="yCmsContentSlot row"> </div></div> <div class="container"> <div class="yCmsContentSlot row"> </div></div> </div> <div class="bg-light border-top printOff"> <footer class="py-5"> <div class="container"> <div class="row"> <div class="yCmsContentSlot"> <div class="yCmsComponent w-100"> <div class="content"><style type="text/css">footer, .footer-bottom {background: #01277a !important;} .footer-bottom p, footer p, footer address ,footer li, footer a, .footer-bottom a {color: #FFFFFF!important; text-align:left;} .footer-bottom a#ot-sdk-btn.ot-sdk-show-settings{color:#FFFFFF !important;} </style> <div class="col-12 px-0"> <div class="row"> <div class="col-12 col-md-3 footerLogoAddress"> <div class="d-inline-flex d-md-block justify-content-cetner align-items-center"><img class="footer-logo mr-4 mr-md-0 mb-md-4" src="/document?id=IBA-logo-white" /> <div> <address> International Bar Association<br /> Chancery House<br /> 53-64 Chancery Lane<br /> London WC2A 1QS<br /> +44 (0) 20 7842 0090 </address> <a class="font-weight-bold mb-3" href="/Contact-the-IBA">Contact the IBA</a><br /> <a class="font-weight-bolder" href="/recruitment">Recruitment</a></div> </div> </div> <div class="col-12 col-md-9 footerMenus"> <div class="row"> <div class="col-12 col-md-4 d-flex justify-content-center"> <ul> <li><a href="/login" style="padding: 0.5rem 0.75rem; border-radius: 0.25rem;border: 1px solid rgba(255,255,255,0.5);">Sign in</a></li> <li><a href="/join">Join the IBA <i class="fas fa-arrow-right pl-1"> </i></a></li> <li><a href="/conferences">Conferences & events</a></li> <li><a href="/conference-details/CONF2510">Toronto 2025</a></li> </ul> </div> <div class="col-12 col-md-4 justify-content-center d-none d-md-flex"> <ul> <li class="mb-0" style="border-bottom:1px solid rgba(255,255,255,0.5);padding-bottom: 7.5px;"><span style="font-size:0.85rem">Global Insight</span></li> <li> <ul style="margin-top: 1rem;padding-left: 0rem;"> <li><a href="/IBA-Global-Insight">Magazine</a></li> <li><a href="/articles?type=PODCASTS">Podcasts</a></li> <li><a href="/articles?type=FILMS">Films</a></li> <li><a href="/IBA-Digital-Content">All Digital Content</a></li> </ul> </li> </ul> </div> <div class="col-12 col-md-4 justify-content-center d-none d-md-flex"> <ul> <li class="mb-0" style="border-bottom:1px solid rgba(255,255,255,0.5);padding-bottom: 7.5px;"><span style="font-size:0.85rem">Outreach</span></li> <li> <ul style="margin-top: 1rem;padding-left: 0rem;"> <li><a href="https://www.eyewitness.global/" target="_blank">eyeWitness</a></li> <li><a href="/IBAHRI">Human Rights Institute</a></li> <li><a href="/LPRU">Legal Policy & Research Unit</a></li> <li><a href="/ICC-ICL-Programme">ICC & ICL Programme</a></li> </ul> </li> </ul> </div> </div> </div> <div class="col-12 footerSocials"> <ul class="d-inline-flex w-100 justify-content-center" style="list-style-type:none;"> <li class="px-2 mb-0 d-flex align-items-center"><a href="https://twitter.com/IBAnews"><img class="img-fluid" src="/document?id=Twitter-X-logo-white" style="width: 22.5px; max-width: 22.5px" /></a></li> <li class="px-2 mb-0 d-flex align-items-center"> <h5 class="border-0 mb-0 pb-0"><a href="https://www.facebook.com/internationalbarassociation/"><i class="fab fa-facebook-f"> </i></a></h5> </li> <li class="px-2 mb-0 d-flex align-items-center"> <h5 class="border-0 mb-0 pb-0"><a href="https://www.linkedin.com/company/international-bar-association"><i class="fab fa-linkedin-in"> </i></a></h5> </li> <li class="px-2 mb-0 d-flex align-items-center"> <h5 class="border-0 mb-0 pb-0"><a href="https://www.youtube.com/channel/UCFBdK6L4YDBKKL225HciTtA"><i class="fab fa-youtube"> </i></a></h5> </li> <li class="px-2 mb-0 d-flex align-items-center"> <h5 class="border-0 mb-0 pb-0"><a href="https://vimeo.com/ibafilms"><i class="fab fa-vimeo-v"> </i></a></h5> </li> </ul> </div> <div class="d-inline-flex flex-wrap justify-content-center w-100" id="footerCards"><img alt="VISA" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/visa.svg" /> <img alt="MasterCard" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/mc.svg" /> <img alt="American Express" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/amex.svg" /> <img alt="Maestro" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/maestro.svg" /> <img alt="China Union Pay" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/cup.svg" /> <img alt="Diners Club" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/diners.svg" /> <img alt="Discover" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/discover.svg" /> <img alt="JCB" class="CardPayment" src="https://checkoutshopper-live.adyen.com/checkoutshopper/images/logos/jcb.svg" /></div> </div> </div> </div></div></div></div> </div> <div class="container"> <div class="row"> <div class="col-md-6 col-xs-18 "> <div class="yCmsContentSlot"> </div></div> <div class="col-md-6 col-xs-18 "> <div class="yCmsContentSlot"> </div></div> </div> </div> </footer> <div class="yCmsContentSlot"> <div class="yCmsComponent footer-bottom printOff pb-4"> <div class="content"><div class="container"> <div class="row"> <div class="col-12 text-center"> <p class="mb-0 mt-4"> <span class="d-block d-md-inline" style="font-size:0.9rem;">International Bar Association 2024 ©</span> <a class="d-block d-md-inline my-2 my-md-0 mx-0 mx-md-2" href="/privacy-policy">Privacy policy</a> <a class="d-block d-md-inline my-2 my-md-0 mx-0 mx-md-2" href="/terms-and-conditions">Terms & conditions</a> <a class="d-block d-md-inline my-2 my-md-0 mx-0 mx-md-2 ot-sdk-show-settings" id="ot-sdk-btn">Cookie Settings</a> <a class="d-block d-md-inline my-2 my-md-0 mx-0 mx-md-2" href="/IBA-Harassment-Policy">Harassment policy</a></p> <p class="mt-4" style="font-size:0.75rem;">International Bar Association is incorporated as a Not-for-Profit Corporation under the laws of the State of New York in the United States of America and is registered with the Department of State of the State of New York with registration number 071114000655 - and the liability of its members is limited. Its registered address in New York is c/o Capitol Services Inc, 1218 Central Avenue, Suite 100, Albany, New York 12205.</p> <p style="font-size:0.75rem;">The London office of International Bar Association is registered in England and Wales as a branch with registration number FC028342.</p> </div> </div> </div> <style type="text/css"> footer.py-5{padding-bottom:1rem !important;} footer ul{ list-style-type: none; width: 100%} footer ul li{padding-bottom:15px;} footer ul li ul li:last-child{margin-bottom:0px !important;padding-bottom: 0px !important;} footer ul li a, .footer-bottom a{ font-weight: 400;} .footer-bottom a#ot-sdk-btn.ot-sdk-show-settings{color:#FFFFFF !important;} footer address{font-size:0.9rem;} footer .yCmsContentSlot, footer .row {width: 100%;margin: 0px !important;} img.footer-logo{width:100px;} #footerCards{order:4} #footerCards img.CardPayment{width: 50px; margin: 7.5px;border-radius: 4px;} @media screen and (max-width: 992px) { .footerMenus{order:1; padding: 0px !important;} .footerLogoAddress{order: 3;justify-content: center;display: flex;border: 1px solid rgba(255,255,255,0.5);border-radius: 0.25rem;padding: 0.75rem 1rem;} .footerSocials{order:2;padding: 0px !important;} footer ul{padding-left: 0px !important; margin-bottom: 0px;} #footerCards img.CardPayment {width: calc(14.2% - 15px);margin: 25px 2.5px 0px;} } </style> <style type="text/css"> .main__inner-wrapper{min-height: calc(100vh - 146px);} .account-link.manage-conference:before {content: '\f073' !important;} .my-account__links a {white-space: nowrap;} span.addToFavourites, span.removeFromFavourites {margin-top:3px}} span.addToFavourites a, span.removeFromFavourites a{background: #01277a; padding: 10px 20px; font-size: 1rem; font-weight: 400;line-height: 1.5;border-radius: 0.25rem; color: #FFFFFF !important;text-decoration: none !important;cursor:pointer;} .sessionInformation .locationDetails .title { margin: 0px !important;padding-bottom: 0px !important;} .sessionInformation .sessionDescription{ display: none !important;} @media screen and (max-width: 767px){span.addToFavourites, span.removeFromFavourites {margin-top:15px}} .calendarSection{flex-direction: column !important;} .calendarSection .dropdown-menu, .calendarSection .dropdown-menu.show{position: relative !important;transform: none !important; top: auto !important;width: auto !important;margin: 0px 0px 0px 10px !important;display: inline-flex !important; border: none;} .calendarSection .saveCalendar{display: block !important;cursor: auto;text-decoration: none;color: #333;margin-left: 0px !important;font-weight: 500;} .dropdown .saveCalendar::after{content:none !important;display:none} .calendarSection .dropdown-menu{border: none !important;margin: 12px 0px 0px 0px !important;} .calendarSection .dropdown .dropdown-item {padding: 0px !important;margin-right: 5px;border-width: 1px ; border-style:solid;padding: 5px 7.5px !important;border-radius: 4px;} .calendarSection .dropdown .dropdown-item:nth-child(1):before{content: '\f0e0';font-family:'Font Awesome 5 Free';color: #0F9D58;} .calendarSection .dropdown .dropdown-item:nth-child(3):before{content:'\f0e0';font-family:'Font Awesome 5 Free'; color:#430297;} .calendarSection .dropdown .dropdown-item:nth-child(4):before{content:'\f0e0';font-family: 'Font Awesome 5 Free';color:#7D7D7D} .calendarSection .dropdown .dropdown-item:nth-child(1){border-color: #0F9D58;} .calendarSection .dropdown .dropdown-item:nth-child(2){border-color: #0072C6;} .calendarSection .dropdown .dropdown-item:nth-child(3){border-color: #430297;} .calendarSection .dropdown .dropdown-item:nth-child(4){border-color: #0072C6;} .calendarSection .dropdown .dropdown-item:hover{background: none; color: #01277a;opacity: 0.8;} .page-articleList .committee-box .card .card-body .card-title, #myCommittees .card .card-body .card-title {display: flex!important} .badge-details .guest{color:#70ff07;} .compliantIframe .cookieDisclaimer, #CompliantIframe .cookieDisclaimer{z-index: 2; position: absolute; left: 0px; right: 0px;top: 0px; bottom: 0px;width: 100%;height: 100%;background: #f5f5f5; display: flex; align-items: center;justify-content: center;} .compliantIframe iframe[src], #CompliantIframe iframe[src]{z-index: 3;} .compliantIframe iframe[data-src], #CompliantIframe iframe[data-src]{z-index: 1;} .fa-triangle-exclamation:before{content: "\f071"} .ot-sdk-show-settings{border: none !important; background: none !important;font-size: inherit !important;padding:0px !important;color:#00287a !important;} . </style> </div></div></div></div> </main> <form name="accessiblityForm"> <input type="hidden" id="accesibility_refreshScreenReaderBufferField" name="accesibility_refreshScreenReaderBufferField" value=""/> </form> <div id="ariaStatusMsg" class="skip" role="status" aria-relevant="text" aria-live="polite"></div> <script> /*<![CDATA[*/ var ACC = { config: {} }; ACC.config.contextPath = ''; ACC.config.encodedContextPath = ''; ACC.config.commonResourcePath = '\/_ui\/responsive\/common'; ACC.config.themeResourcePath = '\/_ui\/responsive\/theme-alpha'; ACC.config.siteResourcePath = '\/_ui\/responsive\/site-mex'; ACC.config.rootPath = '\/_ui\/responsive'; ACC.config.CSRFToken = '9935efd0-f1bf-4e0e-9d5e-ceb622eeee1d'; ACC.pwdStrengthVeryWeak = 'Very weak'; ACC.pwdStrengthWeak = 'Weak'; ACC.pwdStrengthMedium = 'Medium'; ACC.pwdStrengthStrong = 'Strong'; ACC.pwdStrengthVeryStrong = 'Very strong'; ACC.pwdStrengthUnsafePwd = 'password.strength.unsafepwd'; ACC.pwdStrengthTooShortPwd = 'Too short'; ACC.pwdStrengthMinCharText = 'Minimum length is %d characters'; ACC.accessibilityLoading = 'Loading... Please wait...'; ACC.accessibilityStoresLoaded = 'Stores loaded'; ACC.telephoneCodePrefixSymbol = ' '; ACC.config.googleApiKey=''; ACC.config.googleApiVersion='3.7'; ACC.config.registration = {}; ACC.config.registration.countryDetailUrl='/registration/checkout/multi/organisation-information/ajax/countrydetail'; ACC.config.registration.addToCartAjaxUrl='/ajax/cart/add'; ACC.config.registration.addSocialEventsToCartAjaxUrl='/ajax/cart/social-events/add'; ACC.config.registration.noOfGuestsAjaxUrl='/registration/checkout/multi/socials-and-events/ajax/noOfGuests'; ACC.config.registration.guestListAjaxUrl='/registration/checkout/multi/socials-and-events/ajax/guestList'; ACC.config.registration.assignGuestAjaxUrl='/registration/checkout/multi/socials-and-events/ajax/assignGuest'; ACC.config.registration.changeGuestProductAjaxUrl='/registration/checkout/multi/registration-fees/ajax/changeGuestProduct'; ACC.config.registration.guestAttendingCheckAjaxUrl='/registration/checkout/multi/registration-fees/ajax/guestAttendingCheck'; ACC.config.registration.assignGuestToSocial='/registration/checkout/multi/socials-and-events/ajax/assignGuestToSocial'; ACC.config.registration.searchOrganisation='/registration/checkout/multi/organisation-information/asm/ajax/search-organisation'; ACC.config.registration.prePaymentCheckUrl='/registration/checkout/multi/payment-details/ajax/prepayment-check'; ACC.config.registration.product = {}; ACC.config.registration.product.basketSummaryRemoveCartEntryAjaxUrl='/registration/checkout/multi/basket-summary/ajax/cart/removeCartEntry'; ACC.config.registration.conferenceInterestEmailUrl='/interest-registration/ajax/validate-email'; ACC.config.registration.customerRegistrationEmailUrl='/customer-registration/ajax/validate-email'; ACC.config.timeToShowAsmStockReleasePopup=''; ACC.config.asmStockReleaseTime=''; ACC.config.address = {}; ACC.config.address.updateUrl='/registration/checkout/multi/payment-details/updateBillingAddress'; ACC.config.address.resetUrl='/registration/checkout/multi/payment-details/resetFirmAddress'; ACC.config.account = {}; ACC.config.account.autoRenewMembershipAjaxUrl='/my-account/ajax/auto-renew-membership'; ACC.autocompleteUrl = '\/search\/autocompleteSecure'; ACC.config.loginUrl = '\/login'; ACC.config.authenticationStatusUrl = '\/authentication\/status'; ACC['gigyaUserMode'] = 'raas'; ACC.config.onetrustEnabled = true; /*]]>*/ </script> <script> /*<![CDATA[*/ ACC.addons = {}; //JS namespace for addons properties ACC.addons['mexassistedservice'] = []; ACC.addons['mexassistedservice']['asm.timer.min'] = 'min'; ACC.addons['gigyaloginaddon'] = []; ACC.addons['smarteditaddon'] = []; ACC.addons['mexgigyaaddon'] = []; /*]]>*/ </script> <script src="/_ui/shared/js/generatedVariables.js"></script> <script src="/wro/js_responsive.js?v=948153693"></script> <script src="/wro/addons_responsive.js?v=948153693"></script> <script src="https://cdns.eu1.gigya.com/JS/gigya.js?apikey=3_H2S1xzEqSB5FObU6B4UNmvhiX58luRXkck3E1opy36oRFclz72Bz1BBzCCdsaU7b&lang=en"></script> </body> </html>