Charles Helleputte

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.

For years, legitimate interest has been among the go-to options for organizations, with the idea that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystallized the tension over its use among supervisory authorities and privacy advocates.

Continue Reading Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws):

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025 (Utah ARCA).
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024, with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.

Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

Shortly after the publication of the Artificial Intelligence (AI) Act, the EU Commission published the AI Pact’s draft commitments with a view to anticipating compliance with high-risk requirements for AI developers and deployers.

Publication and timeline for the AI Act

The EU AI Act was published in the Official Journal of the European Union on July 12, 2024, as “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence.”  We have presented the main provisions and purposes of the AI Act in our publication here.

The EU AI Act will enter into force across all 27 EU Member States on August 1, 2024, but has variable transition periods depending on the relevant parts of the AI Act, starting with February 2, 2025, at which point prohibited AI practices must be withdrawn from the market, and with the enforcement of the majority of its provisions commencing on August 2, 2026.

The call for participation on the AI Pact by the EU Commission

In this context, the EU Commission issued a press release on July 22, 2024, promoting the “AI Pact”, seeking the industry’s voluntary commitment to anticipate the AI Act and to start implementing its requirements ahead of the legal deadline.  The press release can be found here.

The AI Pact was first launched in November 2023, obtaining responses from over 550 organizations of various sizes, sectors, and countries.

The AI Office has since initiated the development of the AI Pact, which is structured around two pillars:

Continue Reading The EU Commission’s Draft AI Pact anticipating compliance with newly published AI Act

We are pleased to announce the launch of our firm’s AI Law & Policy Hub, a thought leadership resource focused exclusively on the legal and policy issues around AI. It is a single destination containing all our global multidisciplinary insights, blogs, podcasts and videos including data privacy, intellectual property, competition/antitrust, regulatory, policy and other

Op-ed on what we know of the EDPB opinion on Pay or OK

April 17, 2024, 5:15 p.m. (Brussels)

Today, the EDPB plenary had a moment. It discussed an opinion on the Pay or OK models for social media. It was not its role, but it was likely trapped into doing so, as Art. 64(2) GDPR didn’t consider that national data protection authorities would sometimes use tactics similar to privacy activists to weaponize fundamental rights in a fight that has very little to do with privacy at its core. The discussion is much more about the Internet we want (or not).

“In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee,” says the opinion (according to the leak from POLITICO).

Continue Reading When the EDPB is Weaponized, It Is Our Privacy That Is at Risk

1. Introduction

The Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law was concluded by the Council of Europe (CoE) Committee on Artificial Intelligence on March 24, 2024, finally landing a decisive blow with a provisional agreement on the text of a treaty on artificial intelligence and human rights (Treaty).

This Treaty is the first of its kind and aims to establish basic rules to govern AI that safeguard human rights, democratic values and the rule of law among nations. As a CoE treaty, it is open for ratification by countries worldwide. It is worth noting that in this epic battlefield, apart from the CoE members in one corner of the global arena, on the opposite corner, representing various nations like the US, the UK, Canada and Japan, we have the observers, eyeing the proceedings, ready to pounce with their influence. Although lacking voting rights, their mere presence sends shockwaves through the negotiating ring, influencing the very essence of the Treaty.

Continue Reading Heavyweight Fight, Did the US or EU KO the AI Treaty?

On 2 April 2024, the Italian Data Protection Authority (Garante) announced that on 21 March 2024, it issued a warning to Worldcoin Foundation regarding its intention to collect biometric data (via iris scanning) for digital identification, claiming that such data processing would violate the Regulation (EU) 2016/679 (GDPR).

Worldcoin Foundation supports the Worldcoin project, launched in 2019 by Sam Altman, the CEO of OpenAI LLC (OpenAI). The project is based on iris scanning to verify the identity of users and on linking such processing to the “financial instrument” market, specifically the cryptocurrency called WLD. The iris is scanned by a biometric device named Orb, which scans the face and iris of users to create a unique identification code (the so-called “World ID”) worldwide for each user. The Orb is not yet available in many countries (and is not offered in the EU).

Continue Reading The Italian DPA Has Its Eyes on Biometric IDs – Another Fight on Tech or a Win for Privacy?

On February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular, regarding the notion of a controller’s “place of central administration” (PoCA) in

The Digital Services Act (DSA) entered into full force on 17 February 2024. This is a monumental EU regulation, containing 93 articles and 156 recitals, which is intended to impose:

  • A framework for the conditional exemption from liability of providers of online intermediary services (i.e. companies that are conduits for, cache or host third-party online

Whether to and how to integrate AI into business operations remains a real challenge for companies considering the adoption of the technology. We have released “Ten Things About Artificial Intelligence (AI) for GCs in 2024” providing 10 key insights as a helpful guide on the issues around AI. Our global team stands ready