Photo of Malcolm Dowden

Malcolm Dowden

The UK government has published its “adequacy decision” to allow transfers of personal data from the UK to U.S. businesses that have completed certification to the EU-U.S. Data Privacy Framework (DPF). The UK’s adequacy decision creates a “UK Extension” to the DPF that takes effect on October 12, 2023, a little more than three months after the EU’s adoption of DPF. (Please see our DPF FAQS for more information about DPA.)Continue Reading The UK Adequacy Decision for the EU-U.S. Data Privacy Framework

On 11 August 2023, after close to a decade since its initial conception, India’s Digital Personal Data Protection Act (Act) received presidential assent, formalising the nation’s first ever comprehensive data protection law.


There are several key definitions and references adopted in the Act, as follows:

  • “Data fiduciary” means
  • On July 10, the European Commission formally adopted the EU-U.S. Data Privacy Framework (DPF). The Commission’s adequacy decision (and the documentation package accompanying it, including the FAQ) brings welcome news: for certified DPF participants, personal data can flow between the European Economic Area (EEA) and the United States (U.S.

    The Law Commission for England and Wales has published its recommendations for reform of the law on “digital assets”, covering digital files, digital records, email accounts, domain names, in-game digital assets, digital carbon credits, crypto-tokens/cryptocurrencies and non-fungible tokens (NFTs).

    The Law Commission’s project reflected concerns that some digital assets do not fit readily within traditional

    ChatGPT is a powerful tool for work and study purposes. From an enterprise perspective, being able to find answers to complex questions by simply typing in a prompt is attractive. However, it is essential to consider the veracity of the information obtained. A recent paper published by OpenAI – the developer of ChatGPT – explores

    The scale, pace and far-reaching consequences of technological change present significant challenges to lawmakers and regulators around the world. The transformative economic and commercial potential of artificial intelligence and the real-world impact of autonomous and connected vehicles and the internet of things come with significant implications for privacy, intellectual property rights and cybersecurity. To help

    The EU adequacy decision in favour of the UK allows the free flow of personal data between the UK and the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway). Both before and since expiry of the Brexit implementation period businesses have emphasised the crucial importance of maintaining that adequacy decision, pointing

    This article was originally published on Privacy World on April 11, 2023 and was updated on June 1, 2023.

    Artificial intelligence (AI) depends on the use of “big data” to create and refine the training models from which the AI “learns”. Although concerns have tended to focus on questions such as inherent bias within the

    On 8 March 2023 the UK government heralded its new Data Protection and Digital Information (No 2) Bill (the Bill) as a “new common-sense-led version of the EU’s GDPR” that would save the UK economy more than £4 billion over the next 10 years and ensure that privacy and data protection are securely protected”.

    The UK’s Electronic Communications (Security Measures) Regulations 2022 (the Regulations) came into force on 1 October 2022, together with the Telecommunications Security Code of Practice (the Code of Practice). The Regulations reflect the increased risk of cyber-attack and data breaches, whether for criminal purposes or by potentially hostile states. They supplement general duties imposed on providers of public electronic communications networks and services by the Communications Act 2003, sections 105A and 105C, and provide Ofcom with new powers to monitor and enforce enhanced obligations affecting:

    • providers of public electronic communications networks (“network providers”); and
    • providers of public electronic communications services (“service providers”).

    Continue Reading Protecting Electronic Communications Networks and Services from Cyber-Attack and Data Breach: Enhanced Obligations and Board-level Accountability