
The Digital Services Act: EU’s new gold standard for regulating online services and search engines

On October 19, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, thereby triggering its entry into force.[1] The DSA creates a first-of-its-kind regulatory framework that, like the General Data Protection Regulation (GDPR), could set an international benchmark for regulating intermediary services such as search engines, e-commerce platforms, hosting services, and more.[2] To achieve these regulatory goals, the DSA creates a pyramid-like, category-based approach to applying obligations to intermediary services, with those at the bottom of the pyramid having the least obligations. If an intermediary service falls into a higher category, then the service has stricter obligations in addition to those of the services in the lower category. Given that the DSA could apply internationally and introduces a plethora of onerous obligations, it is important to review its scope, requirements, and what these could mean for businesses around the world.

Background

On March 1, 2018, the European Commission published the non-binding Commission Recommendation 2018/314, calling for the need to address “illegal online content” and its “serious negative consequences for users.”[3] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for a “new Digital Services Act” to upgrade liability and safety rules for digital platforms, services, and products.[4] To this end, the Commission launched a public consultation process to gather comments and evidence regarding how online platforms should be regulated.[5] Then, the Commission published the proposal for the Digital Services Act on December 15, 2020, alongside an evidence-based impact assessment.[6] On April 22, 2022, European policymakers in Brussels reached an agreement after 16 hours of negotiations,[7] and a few months later the European Parliament approved the DSA along with the Digital Markets Act.[8] And finally, four years after its conception by Ursula von der Leyen, the DSA was published in the Official Journal of the European Union on October 19, 2022, thereby marking its entry into force.

To whom does the DSA apply?

The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the provider of that intermediary service is established in the EU. The DSA broadly defines “intermediary service” to include a number of service categories, including:
  • Mere conduits of transmissions, such as top-level domain name registries, DNS services and resolvers, certificate authorities that issue digital certificates, and more.
  • Caching services, such as the provision of content delivery networks and reverse proxies.
  • Hosting services, such as cloud computing, web hosting, file storage, and more.
  • Online platforms, which is a subcategory of hosting services:
    • Online platforms are hosting services that are primarily used, at the request of a recipient of the service, to store and disseminate information to the public, such as e-commerce marketplaces, app stores, social media platforms, and more.
  • Search engines, such as Google, Bing, and other online services that allow users to input queries to perform searches.
  • Very large online platforms and search engines, which is a special designation given to online platforms or search engines that reach at least 45 million recipients in the EU.
Recital 29 of the DSA states that whether a specific intermediary service constitutes a mere conduit, a caching service, or a hosting service — which is the first question a business should consider — depends solely on the service’s technical functionalities and should be assessed on a case-by-case basis. This analysis is important, because the category in which a service lands will determine the number of obligations required under the law. And there are many obligations.

Can the DSA apply to companies outside of the EU?

Yes. The DSA applies to any intermediary service offered to natural or legal persons that have their place of establishment or are located in the EU, irrespective of whether the intermediary service is established in the EU. However, while this scope may appear overly broad, the law clarifies in Article 3 and Recitals 7 – 8 that the intermediary service must have a “substantial connection to the Union” to be covered. Such a substantial connection results from:
  1. Having an establishment in the EU; or
  2. Having a significant number of recipients of the service in a Member State; or
  3. Targeting activities toward a Member State, which can result from:
    1. the use of a Member State’s language or currency;
    2. the possibility of EU recipients ordering products or services;
    3. the use of a relevant top-level domain;
    4. the availability of an app in a relevant national app store;
    5. advertising in a Member State or in a language used by a Member State;
    6. providing customer services in a language generally used in a Member State.
While the law requires a substantial connection, the possibility of falling into the extraterritorial scope, much like the GDPR, requires companies to take care in considering how they advertise or offer their intermediary service and whether such advertising or offerings could place them squarely in the scope of the law.

Does the DSA treat all online intermediary services equally?

No. The DSA uses a tiered, pyramid-like approach to impose cumulative obligations on the various categories of intermediary services.

Obligations for all providers of intermediary services

The bottom of this pyramid-like framework includes all providers of intermediary services. The DSA imposes on this category a substantial list of due diligence and transparency obligations. These include:
  1. Designating a single point of contact for communicating with Member State authorities (Article 11).
  2. Designating a single point of contact for communicating with recipients of the service (Article 12).
  3. Providing information in the terms and conditions about any policies, procedures, measures, and tools used for content moderation, algorithmic decision-making, and the handling of internal complaints (Article 14).
  4. Making publicly available a yearly content moderation report (Article 15).
  5. And for providers which do not have an establishment in the EU yet fall within the law’s extraterritorial scope: designate a legal representative in a Member State and ensure the representative can be held liable for non-compliance with obligations under the DSA (Article 13).

Additional obligations for hosting services and the subcategory of online platforms

In addition to the above obligations, providers of hosting services and providers of online platforms must satisfy the following obligations:
  1. Creating a mechanism through which any individual or entity can notify the provider about the presence of information on the service that the individual or entity considers illegal (Article 16).
  2. Providing a clear and specific statement of reasons to recipients affected by restrictions imposed on the basis that information provided by the recipient is illegal or incompatible with the provider’s terms and conditions (Article 17).
  3. Notifying law enforcement or judicial authorities if the provider becomes aware of information giving rise to certain legally-prescribed criminal offenses (Article 18).

Additional obligations just for providers of online platforms

In addition to the two lists of obligations above, providers of online platforms — the subcategory of hosting services — must also satisfy the following obligations:
  1. Creating an internal complaint-handling system through which recipients can, free of charge, lodge complaints against the provider, and provide recipients with access to the system for at least six months following certain decisions that may affect the recipient (Article 20).
  2. Allowing recipients to select any out-of-court dispute settlement body certified under the DSA to resolve disputes relating to Article 20 decisions (Article 21).
  3. Implementing technical and organizational measures to ensure notices submitted by trusted flaggers — that is, entities awarded this role by a Member State’s Digital Services Coordinator — are prioritized, processed, and decided upon without undue delay (Article 22).
  4. Suspending recipients that frequently provide manifestly illegal content (Article 23).
  5. Making publicly available a yearly content moderation report that, in addition to the Article 15 requirements, shall detail the number of disputes submitted to out-of-court dispute settlement bodies pursuant to Article 21 and the number of recipients suspended pursuant to Article 23 (Article 24).
  6. Designing, organizing, and operating the online platform’s interfaces in a way that does not deceive or manipulate recipients so as to materially distort or impair their ability to make free and informed decisions (Article 25).
  7. Ensuring that each advertisement presented to recipients via the online platform’s interface contains certain legally-prescribed disclosures (Article 26).
  8. Implementing measures to ensure a high level of privacy, safety, and security for minors, if the online platform is accessible to minors (Article 28).
It is important to note that most of these obligations do not apply to providers of online platforms that qualify as micro or small enterprises. A micro enterprise is one that employs fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. A small enterprise is one that employs fewer than 50 people and whose annual turnover and/or annual balance sheet does not exceed EUR 10 million.

Additional obligations for very large online platforms and online search engines

The DSA imposes even more obligations on providers of “very large” online platforms or search engines. To be given this designation, the online platform or search engine must have at least 45 million monthly active EU recipients and have been recognized as “very large” by the European Commission. Once given such a designation, the very large online platform or search engine has four months before the following obligations apply:
  1. Conducting yearly risk assessments of its service and systems, including algorithmic systems (Article 34).
  2. Implementing mitigation measures tailored to the specific risks identified by the yearly risk assessment (Article 35).
  3. Taking actions specified by the European Commission in response to a crisis (Article 36).
  4. Paying for independent audits on a yearly basis to ensure compliance with the DSA (Article 37).
  5. Creating a searchable repository of legally-specified information relating to advertisements on the online platform or search engine (Article 39).
  6. Providing the European Commission or the Digital Services Coordinator with information necessary to monitor and assess compliance with the DSA (Article 40).
  7. Establishing a compliance function, giving it sufficient authority, stature, resources, and access to management to monitor compliance with the DSA (Article 41).
  8. Making publicly available the Article 15 content moderation report every six months (Article 42).
  9. Paying an annual supervisory fee for their designation as “very large” (Article 43).
Are the enforcement penalties harsher than the GDPR?

Yes. The DSA requires Member States to lay down rules on penalties for infringements of the law by providers of intermediary services. The DSA requires Member States to ensure that the maximum amount of fines that may be imposed for a failure to comply with any obligation under the DSA shall be 6% of the annual worldwide turnover of the provider’s preceding financial year. However, less serious infringements under the DSA, such as supplying misleading information or failing to submit to an inspection, shall result in a fine of up to 1% of the provider’s annual income or worldwide turnover in the preceding financial year. By contrast, GDPR violations could result in a fine of up to EUR 20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher.

What are the next steps for the DSA?

The bulk of the DSA’s obligations shall apply starting February 17, 2024. However, by February 17, 2023 and at least once every six months thereafter, all providers of intermediary services must publish information on the service’s average monthly active recipients in the Union.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065&qid=1666966938325
[2] https://www.euractiv.com/section/digital/news/digital-agenda-autumn-winter-policy-briefing/
[3] https://eur-lex.europa.eu/eli/reco/2018/334/oj/eng
[4] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[5] https://techcrunch.com/2020/06/02/europe-asks-for-views-on-platform-governance-and-competition-tools/
[6] https://digital-strategy.ec.europa.eu/en/library/impact-assessment-digital-services-act
[7] https://www.nytimes.com/2022/04/22/technology/european-union-social-media-law.html
[8] https://www.europarl.europa.eu/news/en/press-room/20220701IPR34364/digital-services-landmark-rules-adopted-for-a-safer-open-online-environment

What the EU’s Artificial Intelligence Act will mean for the global AI industry

On April 21, 2021, the European Commission proposed the Artificial Intelligence Act (AIA), a regulatory and legal framework for artificial intelligence systems.[1] On December 5, 2022, the Council of the European Union adopted its general approach to the AIA, which incorporated changes to the regulation.[2][3] Germany announced support for the AIA, but “sees some need for improvements.”[4] In similar fashion, the Federal Trade Commission (FTC) published an article on April 19, 2021, calling for the integration of truth, fairness, and equity into the use of AI.[5] Later that year, the FTC announced its consideration to initiate rulemaking to, in part, ensure that algorithmic decision-making does not result in unlawful discrimination.[6] Given this growing international interest in regulating AI systems, it is important to note that the AIA was drafted to have an extraterritorial effect much like the EU’s General Data Protection Regulation (GDPR). The GDPR became a global model for data protection laws across the world, including the California Consumer Privacy Act (CCPA), and the AIA could similarly establish a worldwide standard for AI regulation – especially if the FTC is considering initiating rulemaking for algorithmic systems. So, while the draft AIA will likely see more changes, the proposed regulation appears sufficiently settled for analysis of its requirements and potential global effects. This article provides an overview of the major legal takeaways from the AIA, including which AI systems are outright prohibited and which are less regulated.

Background

As early as 2017, the European Council called for a “sense of urgency to address emerging trends,” including “issues such as artificial intelligence . . ., while at the same time ensuring a high level of data protection, digital rights and ethical standards.”[7] On July 16, 2019, Ursula von der Leyen, then-candidate for President of the European Commission, announced her political guidelines for the 2019-2024 Commission, in which she called for legislation for a coordinated EU approach on the human and ethical implications of AI.[8] Following this announcement, the Commission published a white paper on AI, “A European approach to excellence and trust.”[9] This paper sets out policy options for how to achieve the goal of promoting AI adoption while also addressing the risks associated with certain uses of AI. The AIA draft proposed on April 21, 2021, delivers on now-President von der Leyen’s political commitments announced in 2019 and the white paper’s stated objectives. The result is a legal framework presenting a balanced, proportionate regulatory approach that seeks to address the risks and problems with AI, without unduly constraining or hindering AI development on the market.

To whom does the AIA apply?

Like the GDPR’s territorial scope in Article 3, the AIA’s scope in Article 2 covers providers that place AI systems on the EU market, or put them into service in the EU, irrespective of whether those providers are established within the EU. A “provider” is any natural or legal person, public authority, agency, or other body that develops an AI system or that has an AI system developed. An AI is “put into service” by a provider when the provider supplies an AI system for first use directly to a user or for the provider’s own use on the EU market. An AI is placed “on the market” by a provider when the AI is distributed or used on the EU market in the course of a commercial activity, whether in return for payment or free of charge. Taken together, this means that the AIA does not apply to private, non-professional use, but anyone supplying, using, or distributing AI systems on the EU market to users or for their own purposes may fall within the regulation’s scope.

Can the EU’s proposed AI regulation apply to AI creators and companies outside of the EU?

Yes. The AIA applies to AI systems used by natural or legal persons, including public authorities, agencies, or other bodies, who are physically present or established within the Union. However, the regulation’s reach extends beyond the EU’s borders. The AIA covers natural or legal persons, including public authorities, agencies, or other bodies, who are physically present or established “in a third country, where the output produced by the system is used in the Union.” The AIA also applies to any natural or legal person that makes an AI system available on the EU market. This extraterritorial scope, like the GDPR’s, means companies outside of the EU should take care in considering how and where their AI systems are used.

Does the EU’s proposed AI regulation provide data subjects with additional rights?

No. The AIA does not provide additional rights to data subjects. Instead, as a piece of product regulation, the AIA takes aim at the AI systems themselves, by either prohibiting a particular AI system or requiring it to conform to a list of obligations. That said, the AIA recognizes the need for new AI technologies to be “developed and functioning according to Union values, fundamental rights, and principles.” This includes rights provided under the GDPR, such as an individual’s right to restrict processing (Article 18) and the right of deletion / erasure (Article 17). Furthermore, a controller using an AIA-covered AI system must satisfy their GDPR notice obligations to data subjects (Articles 12 – 14).

Does the EU’s proposed AI regulation cover all algorithm-based systems?

No. The AIA draft proposed on April 21, 2021, defined “AI system” so broadly that it seemed to encompass most software, which prompted EU Member States to propose a narrower definition.[10] The version adopted by the Council of the EU on December 5, 2022, recognizes the need to more narrowly define “AI system” to “provide sufficiently clear criteria for distinguishing AI from more classical software systems.” Thus, the current AIA draft defines “AI system” to target systems developed through machine learning and logic- and knowledge-based approaches. In addition, an AI system using one of these approaches must operate with elements of autonomy and, based on machine and/or human-provided data and inputs, infer how to achieve a given set of objectives. This definition is recognized by the Council as a “compromise” between those calling for a broader definition and those calling for a narrower one, and as such, it remains subject to change.

Does the proposed AI regulation treat all covered AI systems equally?

No. The regulation uses a risk-based approach to separate covered AI systems into four categories:

Unacceptable Risk

The AIA contains a limited list of particularly harmful AI systems found to contravene EU values. Because the risk of harm is unacceptably high, these AI systems are prohibited under the regulation. This list includes:
  1. An AI system that subliminally manipulates a person, thereby materially distorting the person’s behavior in a manner that causes or is reasonably likely to cause physical or psychological harm.
  2. An AI system that exploits the vulnerabilities of individuals due to age, disability, or socioeconomic status, resulting in physical or psychological harm.
  3. An AI system that analyzes individuals to create a social score, which leads to detrimental or unfavorable treatment unrelated to the contexts in which the data was originally generated or collected.
  4. Some uses of remote biometric identification for law enforcement purposes in publicly accessible spaces (e.g., facial recognition technology).
A full list of prohibited AI systems can be found in Article 5 of the AIA.

High-Risk

Most of the AIA’s legal obligations and burdens fall on AI systems deemed to be “high-risk” under the regulation. An AI system is considered “high-risk” under the AIA if the AI system is itself a product or is intended to be used as a safety component of a product, and the product is subject to an existing third-party conformity assessment (e.g., medical devices, machinery, engine-powered vehicles, certain stand-alone AI systems in employment, education, and immigration, etc.). A high-risk AI system can only be used in the EU or put on the EU market if the AI system complies with the AIA’s legal obligations. This includes:
  1. A risk management system (Article 9).
  2. Adherence of training, validation, and testing data to quality criteria (Article 10).
  3. Technical documentation describing how the AI system complies with applicable rules, including law enforcement purposes (Article 11).
  4. Record-keeping requirements to ensure traceability of the AI system’s functions (Article 12).
  5. Transparency requirements to enable users to understand the system’s output and use (Article 13).
  6. Providing adequate human oversight of the AI system’s operations (Article 14).
  7. Ensuring the AI system achieves appropriate levels of accuracy, robustness, and cybersecurity (Article 15).
The AIA provides further obligations on AI system developers, which include:
  1. Maintaining a quality management system (Article 17).
  2. Ensuring the system undergoes a conformity assessment procedure (Article 19).
  3. Maintaining automatically generated logs (Article 20).
  4. Taking corrective actions if the system is found not to conform with the AIA (Article 21).
  5. A duty to notify serious incidents or malfunctions to national competent authorities (Article 22).
Limited Risk

Title IV of the AIA creates new transparency obligations for certain AI systems. For example, users of emotion recognition systems or biometric categorization systems must be informed of the operation of the system. In addition, users of an AI system that generates deep fake images or content must be informed that the content has been artificially generated or manipulated. Similar to the GDPR, these disclosures must be provided to the user in a clear and distinguishable manner no later than the user’s first interaction with or exposure to the AI system.

Minimal / No Risk

If an AI system does not fall into one of the above categories, then it can be developed and used in the EU subject to existing regulation without any additional legal obligations under the AIA. That said, the Council encourages developers of AI systems in this category to “create codes of conduct intended to foster the voluntary application of the requirements applicable to high-risk AI systems, adapted in light of the intended purpose of the systems and the lower risk involved.”[11]

Are the enforcement penalties harsher than the GDPR?

Yes. Non-compliance with the AIA’s list of prohibited AI systems in Article 5 could be subject to an administrative fine of up to €30 million or, if the offender is a company, up to 6% of its worldwide annual turnover for the preceding financial year, whichever is higher. By contrast, serious GDPR violations can result in a fine of up to €20 million or 4% of a company’s worldwide annual revenue from the preceding financial year, whichever is higher. For less serious infringements under the AIA, the offender could be subject to administrative fines of up to €20 million or, if the offender is a company, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. This too is higher than the GDPR’s fines for less severe infringements.

What are the next steps for the AIA?

The Parliament is scheduled to vote on the current draft of the AIA by the end of March 2023. After this, Member States, the Parliament, and the European Commission will begin discussions of the AIA in April 2023. This timeline could lead to an adoption of the AIA by the end of 2023.
[1] https://artificialintelligenceact.eu/wp-content/uploads/2022/05/AIA-COM-Proposal-21-April-21.pdf
[2] https://www.consilium.europa.eu/en/press/press-releases/2022/12/06/artificial-intelligence-act-council-calls-for-promoting-safe-ai-that-respects-fundamental-rights/
[3] https://data.consilium.europa.eu/doc/document/ST-14954-2022-INIT/en/pdf
[4] https://data.consilium.europa.eu/doc/document/ST-14954-2022-ADD-1/en/pdf
[5] https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai
[6] https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3084-AB69
[7] https://www.consilium.europa.eu/media/21620/19-euco-final-conclusions-en.pdf
[8] https://op.europa.eu/en/publication-detail/-/publication/43a17056-ebf1-11e9-9c4e-01aa75ed71a1
[9] https://commission.europa.eu/publications/white-paper-artificial-intelligence-european-approach-excellence-and-trust_en
[10] https://www.wired.com/story/artificial-intelligence-regulation-european-union
[11] https://artificialintelligenceact.eu/wp-content/uploads/2022/05/AIA-COM-Proposal-21-April-21.pdf

Guidance on Artificial Intelligence and Data Protection

[Updated: March 7, 2024] For many of us, Artificial Intelligence (“AI”) represents innovation, opportunities, and potential value to society. For data protection professionals, however, AI also represents a range of risks involved in the use of technologies that shift processing of personal data to complex computer systems with often opaque processes and algorithms. Data protection and information security authorities as well as governmental agencies around the world have been issuing guidelines and practical frameworks to offer guidance in developing AI technologies that will meet the leading data protection standards. Below, we have compiled a list* of official guidance recently published by authorities around the globe.

Canada:
  • 1/17/2022 – Government of Ontario, “Beta principles for the ethical use of AI and data enhanced technologies in Ontario” (https://www.ontario.ca/page/beta-principles-ethical-use-ai-and-data-enhanced-technologies-ontario). The Government of Ontario released six beta principles for the ethical use of AI and data enhanced technologies in Ontario. In particular, the principles set out objectives to align the use of data enhanced technologies within the government’s processes, programs, and services, with ethical considerations being prioritized.
China:
  • 3/1/2023 – National Information Security Standardization Technical Committee, Technical Document on Basic Requirements for Security of Generative Artificial Intelligence (https://www.tc260.org.cn/upload/2024-03-01/1709282398070082466.pdf, in Chinese). The Technical Document provides security requirements for the use of generative AI services. These requirements include conducting a security assessment before collecting data for a generative AI model, entering legally binding contracts with generative AI service providers, and acquiring consent for certain use cases of generative AI services.
  • 12/12/2022 – Cyberspace Administration of China, Regulations on the Administration of Deep Synthesis of Internet Information Services (http://www.cac.gov.cn/2022-12/11/c_1672221949354811.htm and http://www.cac.gov.cn/2022-12/11/c_1672221949570926.htm, both in Chinese). The Regulations target deep synthesis technology, which is synthetic algorithms that produce text, audio, video, virtual scenes, and other network information. The accompanying Regulations FAQs state that providers of deep synthesis technology must provide safe and controllable safeguards and conform with data protection obligations.
  • 9/26/2021 – Ministry of Science and Technology (“MOST”), New Generation of Artificial Intelligence Ethics Code (http://www.most.gov.cn/kjbgz/202109/t20210926_177063.html, in Chinese). The Code aims to integrate ethics and morals into the full life cycle of AI systems, promote fairness, justice, harmony, and safety, and avoid problems such as prejudice, discrimination, privacy violations, and information leakage. The Code provides for specific ethical requirements in AI technology design and maintenance.
  • 1/5/2021 – National Information Security Standardisation Technical Committee of China (“TC260”), Cybersecurity practice guide on AI ethical security risk prevention (https://www.tc260.org.cn/upload/2021-01-05/1609818449720076535.pdf, in Chinese). The guide highlights ethical risks associated with AI and provides basic requirements for AI ethical security risk prevention.
Denmark:
  • 3/5/2024 – Datatilsynet, New regulatory sandbox for AI (https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2024/mar/ny-regulatorisk-sandkasse-for-ai). The Danish Data Protection Authority, in collaboration with the Danish Agency for Digitalisation, established a regulatory sandbox for AI, where companies and entities can access relevant expertise and GDPR guidance when they develop or use AI.
  • 2/29/2024 – Danish Ministry of Business and Industry, Recommendations on tech development and use of artificial intelligence (https://em.dk/Media/638447961317309808/Tech-ekspertgruppens%20anbefalinger.pdf, in Danish). The Danish Government’s expert group announced recommendations on tech giants’ development and use of AI, which aim to explore the potential of AI while negating its potential harmful effects. The recommendations focus on regulation of unauthorized use of copyrighted material, imposing responsibility on tech giants for the credibility of information, and default standards for chatbots.
E.U.:
  • 2/21/2024 – European Commission, Creation of AI Office https://digital-strategy.ec.europa.eu/en/policies/ai-office The European Commission announced the creation of the European AI Office, which is established within the Commission and will play a key role in implementing the EU’s AI Act. The AI Office will work with public and private entities to promote cooperation and adoption of the EU’s AI Act.
  • 1/20/2022 – European Institute of Innovations & Technology (“EIT”), AI Maturity Tool https://ai.eitcommunity.eu/ai-maturity-tool/ The EIT published a web-based AI maturity tool which allows businesses to assess how prepared they are for the use of AI, and which will allow businesses to compare their maturity level to that of other organizations in the future.
  • European Telecommunication Standards Institute (“ETSI”) Industry Specification Group Securing Artificial Intelligence (“ISG SAI”) https://www.etsi.org/committee/1640-sai The ISG SAI has published standards to preserve and improve the security of AI. The works focus on using AI to enhance security, mitigating against attacks that leverage AI, and securing AI itself from attack.
  • 7/14/2021 – European Commission’s Joint Research Center (“JRC”), Report https://publications.jrc.ec.europa.eu/repository/handle/JRC125952 The JRC published this report on the AI standardization landscape. The report describes the ongoing standardization efforts on AI and aims to contribute to the definition of a European standardization roadmap.
  • 4/21/2021 – European Commission, “Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts” https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=75788 The EU Commission proposed a new AI Regulation – a set of flexible and proportionate rules that will address the specific risks posed by AI systems, intending to set the highest global standard. As an EU regulation, the rules would apply directly across all European Member States. The regulation proposal follows a risk-based approach and calls for the creation of a European enforcement agency.
France:
Germany:
Hong Kong:
  • 8/18/2021 – Office of the Privacy Commissioner for Personal Data (“PCPD”), “Guidance on the Ethical Development and Use of Artificial Intelligence” https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf This guidance discusses ethical principles for AI development and management while also highlighting recent developments in AI governance around the globe. The guidance further includes a helpful self-assessment checklist in its appendix covering businesses’ AI strategy and governance, risk assessment and human oversight, development and management of AI systems, and communication and engagement with stakeholders.
India:
  • 9/28/2021 – INDIAai, “Mitigating Bias in AI – A Handbook For Startups” https://indiaai.s3.ap-south-1.amazonaws.com/docs/AI+Handbook_27-09-2021.pdf INDIAai, a government-based initiative, published this formalized framework for startups. The handbook identifies different risk factors that may lead to bias in AI.
  • 7/15/2021 – Data Security Council of India (“DSCI”), “Handbook on Data Protection and Privacy for Developers of Artificial Intelligence in India” https://www.dsci.in/sites/default/files/documents/resource_centre/AI%20Handbook.pdf The handbook establishes guidelines for responsible and ethical AI development in line with the applicable legal data protection framework. While the handbook does not provide technical solutions, focusing instead on the ethical and legal objectives to pursue when designing AI systems, it does provide a checklist of questions and good practices that developers should keep in mind during the design process.
  • 2/24/2021 – National Institution for Transforming India (“NITI Aayog”), “Responsible AI” http://www.niti.gov.in/sites/default/files/2021-02/Responsible-AI-22022021.pdf In this paper, the Government think tank highlights the ethical and legal framework for AI technology management. The paper further includes a self-assessment guide for AI usage in its annex.
International:
  • 3/5/2024 – Organisation for Economic Co-operation and Development (“OECD”), Explanatory Memorandum on the Updated OECD Definition of an AI System https://www.oecd-ilibrary.org/docserver/623da898-en.pdf?expires=1709828184&id=id&accname=guest&checksum=B906C1E98329EC8C1E539374B37DF045 The OECD published a memorandum that revisits the definition of an artificial intelligence system contained within the 2019 OECD Recommendation on AI, by redefining and expanding the term. However, the memorandum recognizes that the new definition, even though it is broader, nonetheless may require additional criteria to tailor the definition to a specific use case or context.
  • 9/28/2023 – OECD, Catalogue of Tools & Metrics for Trustworthy AI https://oecd.ai/en/ The OECD published a catalogue of tools and metrics for building and deploying trustworthy AI systems. This catalogue provides users with a one-stop-shop for tools that can mitigate bias, measure performance, audit systems, and create procedural processes to oversee the system.
  • 8/1/2023 – Future of Privacy Forum (“FPF”), Generative AI for Organizational Use: Internal Policy Checklist https://fpf.org/wp-content/uploads/2023/07/Generative-AI-Checklist.pdf To help organizations begin governing their use of generative AI, FPF released a checklist to help organizations revise the policies and procedures that cover generative AI. The checklist provides a non-exhaustive list of topics to consider when revising such policies and procedures.
  • 5/31/2023 – EU-US Terminology and Taxonomy for Artificial Intelligence https://digital-strategy.ec.europa.eu/en/library/eu-us-terminology-and-taxonomy-artificial-intelligence To align EU and US risk-based approaches to regulating AI, a group of experts created this document to provide a unified approach to AI terminologies and taxonomies. A total of 65 terms were identified with reference to key documents from the EU and US.
  • International Organization for Standardization (“ISO”) – ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management https://www.iso.org/standard/77304.html This document provides guidance on how organizations that develop, produce, deploy or use products, systems and services that utilize AI can manage risk specifically related to AI. The guidance also aims to assist organizations to integrate risk management into their AI-related activities and functions. It moreover describes processes for the effective implementation and integration of AI risk management.
  • ISO – ISO/IEC 38507:2022 https://www.iso.org/standard/56641.html Together with the International Electrotechnical Commission (“IEC”), ISO has published a number of AI standards in recent years. The newest, published in April 2022 and titled “Governance implications of the use of artificial intelligence by organizations”, provides guidance for the governing body of an organization regarding the use and implications of AI.
  • ISO – ISO/IEC JTC 1/SC 42 Standards https://www.iso.org/committee/6794475/x/catalogue/p/1/u/0/w/0/d/0 Standards published by this subcommittee in March 2021 provide background on existing methods to assess the robustness of neural networks. Additional AI standards are currently under development.
  • 9/15/2022 – Information Technology Industry Council (“ITI”), Policy Principles for Enabling Transparency of AI Systems https://www.itic.org/documents/artificial-intelligence/ITIsPolicyPrinciplesforEnablingTransparencyofAISystems2022.pdf The ITI published guidance for policymakers, emphasizing the need for transparency as a critical part of developing accountable and trustworthy AI systems.
  • 2/22/2022 – Organization for Economic Co-operation and Development (“OECD”), Framework for the Classification of AI Systems https://www.oecd-ilibrary.org/science-and-technology/oecd-framework-for-the-classification-of-ai-systems_cb6d9eca-en;jsessionid=lWU_vM8LQfX-wAZgVIjj31FS.ip-10-240-5-181 In the Framework, the OECD has developed a tool to evaluate AI systems from a policy perspective, by providing a baseline to characterize the application of an AI system deployed in a specific context. The Framework contributed to the OECD’s “AI in Work, Innovation, Productivity, and Skills” (“AI-WIPS”) program.
  • 1/26/2022 – Information Technology Industry Council (“ITI”), Recommendations on NIST AI Risk Management Framework https://www.itic.org/documents/artificial-intelligence/ITICommentsonAIRMFConceptPaperFINAL.pdf In response to the AI Risk Management Framework concept paper released by NIST, the ITI has published a series of recommendations in order to improve the framework and encourage NIST to align the framework with prior works as well as standards that are currently under development in international standards bodies.
  • 1/18/2022 – Information Technology Industry Council (“ITI”), Recommendations on AI-enabled Biometric Technologies https://www.itic.org/documents/artificial-intelligence/ITICommentsBiometricTechRFIFINAL.pdf ITI released a series of recommendations addressed to the U.S. Government regarding the use of AI and biometric technologies, elaborating on governance programs and practices that may be useful to consider in the context of biometric technologies, including with regard to performance auditing and post-deployment impact assessment.
Japan:
  • 4/8/2022 – Ministry of Economy, Trade, and Industry (“METI”), Artificial Intelligence Introduction Guidebook for Small and Medium Sized Companies https://www.meti.go.jp/policy/it_policy/jinzai/AIutilization.html (in Japanese) The Guidebook provides SMEs with guidance on how to prepare for and begin utilization of AI in their enterprises, providing practical steps for decision-making.
  • 2/15/2022 – Ministry of Internal Affairs and Communications (“MIC”), Guidebook on Cloud Services Using AI https://www.soumu.go.jp/main_content/000792669.pdf (in Japanese) The Guidebook summarizes the steps to keep in mind when developing and providing AI cloud services while gaining the trust of users and considering data collection requirements.
  • 1/28/2022 – METI, Governance Guidelines for Implementation of AI Principles https://www.meti.go.jp/shingikai/mono_info_service/ai_shakai_jisso/pdf/20220128_2.pdf The METI has released an updated version of its Guidelines for the Practice of Artificial Intelligence Principles, outlining AI governance rules which include risk analysis, systems design, implementation and evaluation, along with providing practical examples.
  • 8/4/2021 – MIC, AI Network Society Promotion Council Report https://www.soumu.go.jp/main_content/000761967.pdf (in Japanese) The report highlights recent trends in AI utilization as well as efforts to promote secure and reliable social implementation of AI.
Jordan:
  • 8/5/2022 – Ministry of Digital Economy and Entrepreneurship, National Charter of Ethics for Artificial Intelligence https://tinyurl.com/w4e3acdy The charter provides an ethical baseline to regulate the development of AI technologies. The charter includes a set of principles that include accountability, transparency, impartiality, respect for privacy, promotion of human values, and other such principles that promote democratic values, human rights, and diversity.
Mexico:
  • 6/1/2022 – National Institute for Access to Information and Protection of Personal Data (“INAI”), Recommendations for the Processing of Personal Data derived from the Use of Artificial Intelligence https://home.inai.org.mx/wp-content/documentos/DocumentosSectorPublico/RecomendacionesPDP-IA.pdf (in Spanish) The INAI released its recommendations concerning regulation of personal data and AI technology. In particular, the recommendations focus on such topics as AI and its implication in public security, AI in the education sector, AI and privacy by design, AI and cloud computing, and more.
Saudi Arabia:
  • 4/27/2022 – Saudi Food and Drug Authority (‘SFDA’), “Guidance on Review and Approval of AI and Big Data based Medical Devices” https://beta.sfda.gov.sa/sites/default/files/2021-04/SFDAArtificial%20IntelligenceEn.pdf The Guidance sets out the requirements for obtaining a Medical Devices Marketing Authorization for AI-based medical devices within the KSA. It applies to the standalone software type of medical devices, which diagnose, manage, or predict diseases by analyzing medical Big Data using AI, as well as to AI software that is configured with hardware.
Senegal:
Singapore:
South Korea:
Spain:
Sweden:
  • 2/28/2024 – Swedish Authority for Privacy Protection, Guidance on the GDPR and AI https://www.imy.se/verksamhet/dataskydd/innovationsportalen/vagledning-om-gdpr-och-ai/ (in Swedish) The guidance discusses artificial intelligence from two viewpoints: technical and legal. The technical portion includes explanations of AI, machine learning, and deep learning, along with professional insights into AI training models. The legal portion focuses on how to determine when the GDPR applies to the development and use of AI.
Turkey:
U.K.:
  • 2/26/2024 – Information Commissioner’s Office (“ICO”), Generative AI second call for evidence: Purpose limitation in the generative AI lifecycle https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/generative-ai-second-call-for-evidence/ The ICO launched a consultation series on generative AI, which, in part, focuses on how the data protection principle of purpose limitation should be applied at different stages of the generative AI lifecycle. The consultation highlights the importance for AI developers of setting out clear purposes for each stage of the lifecycle and of explaining what personal data is processed in each stage.
  • 6/7/2023 – Department for Science, Innovation and Technology (“DSIT”), “Find out about artificial intelligence (AI) assurance techniques” https://www.gov.uk/ai-assurance-techniques Following up on the UK government’s AI Regulation White Paper (see next bullet), DSIT created a portfolio of use cases illustrating various AI assurance techniques being used in the real world to support the development of trustworthy AI. The portfolio includes case studies from multiple sectors and features a range of technical, procedural, and educational approaches to promote responsible AI.
  • 3/29/2023 –  DSIT, “A pro-innovation approach to AI regulation” https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach/white-paper The DSIT published a white paper introducing an AI regulation framework underpinned by five principles: Safety, security, and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. Rather than recommend specific AI legislation, the white paper recommends that existing regulators incorporate these principles into their enforcement efforts.
  • 3/15/2023 – ICO, Guidance on AI and data protection https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ The ICO published guidance clarifying requirements for fairness in AI. The document includes guidance on solely automated decision-making and technical approaches to mitigating algorithmic bias.
  • 5/4/2022 – ICO, AI and Data Protection Risk Toolkit https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/ The ICO launched its updated AI and Data Protection Risk Toolkit, which contains risk statements to help organizations using AI correctly assess the risk of their processing practices. The toolkit provides suggestions and practical steps for technical and organizational measures used to mitigate risks and demonstrate compliance with applicable data protection laws. It further includes references to other core resources.
  • 1/12/2022 – Department for Digital, Culture, Media & Sports (“DCMS”) and Office for Artificial Intelligence (“OAI”), AI Standards Hub Pilot https://www.gov.uk/government/news/new-uk-initiative-to-shape-global-standards-for-artificial-intelligence The DCMS and OAI announced the pilot of a new AI Standards Hub as part of the UK’s National AI Strategy. In its pilot phase, the Hub will focus on creating tools and guidance for education, training, and professional development to help businesses engage with creating AI technical standards, and bringing the AI community together through workshops, events, and a new online platform to encourage more coordinated engagement in the development of standards around the world.
  • 9/22/2021 – UK Secretary of State for Digital, Culture, Media & Sport (“DCMS”), “National AI Strategy” https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1020402/National_AI_Strategy_-_PDF_version.pdf The UK Government announced its National AI Strategy, which aims to invest and plan for the long-term needs of the AI ecosystem, support the transition to an AI-enabled economy, and ensure the UK governs AI effectively.
  • 5/5/2020 – ICO, “Explaining Decisions Made with AI” https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/explaining-decisions-made-with-ai/ This detailed guidance, released by the ICO in cooperation with the Alan Turing Institute, gives businesses practical advice on explaining the legal framework and effects of AI decision-making processes and on the considerations necessary for compliance with existing data protection laws.
U.S.:
  • 10/31/2023 – National Institute of Standards and Technology (“NIST”), “Executive Order FAQs” https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence/executive-order-faqs The Biden Administration’s EO on Safe, Secure, and Trustworthy Artificial Intelligence issued on October 30, 2023, charges multiple agencies – including NIST – with producing guidelines and taking other actions to advance the safe, secure, and trustworthy development and use of artificial intelligence. In response, NIST released a short series of FAQs addressing the agency’s role in developing guidelines under the EO.
  • 10/30/2023 – The White House, “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/ The Biden Administration issued an Executive Order that establishes new safety and security standards for the use of AI. This whole-of-government approach requires numerous agencies to develop standards for what constitutes “responsible” uses of artificial intelligence.
  • 10/30/2023 – The White House, “FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence” https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/ This is the accompanying Fact Sheet for the Biden Administration’s Executive Order on the safe, secure, and trustworthy development and use of AI (immediately above).
  • 3/9/2023 – U.S. Chamber of Commerce, “CTEC AI Commission 2023” https://www.uschamber.com/assets/documents/CTEC_AICommission2023_Report_v5.pdf The U.S. Chamber of Commerce published a report calling for the regulation of AI and outlining five key principles that stakeholders should consider when drafting a regulatory framework. In contrast to the White House Office of Science and Technology Policy’s Blueprint for an AI Bill of Rights, the Chamber’s report seeks to regulate AI without hindering economic development.
  • 1/26/2023 – NIST, “AI Risk Management Framework” https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf On January 26, 2023, the National Institute of Standards and Technology (NIST) released the first version of the Artificial Intelligence Risk Management Framework (AI RMF). The AI RMF is a voluntary resource meant to help organizations manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. As a flexible framework designed to adapt to a wide range of systems, products, and organizations, the AI RMF provides a list of characteristics that must be balanced based on the AI system’s context of use.
  • 10/4/2022 – White House Office of Science and Technology Policy, “Blueprint for an AI Bill of Rights” https://www.whitehouse.gov/wp-content/uploads/2022/10/Blueprint-for-an-AI-Bill-of-Rights.pdf The White House Office of Science and Technology Policy published a non-binding white paper detailing a list of principles that, if incorporated into the development and use of AI technologies, should protect the American public during the age of artificial intelligence. The document calls upon policymakers to adopt these principles when considering how to regulate AI technologies.
  • 5/13/2022 – Department of Justice Civil Rights Division, “Algorithms, Artificial Intelligence, and Disability Discrimination in Hiring” https://beta.ada.gov/resources/ai-guidance/ The guidance explains how use of algorithms and AI in hiring can lead to disability discrimination and legal consequences. The guidance details how employers can avoid such disability discrimination when using AI technology.
  • 3/16/2022 – National Institute of Standards and Technology (“NIST”), “Towards a Standard for Identifying and Managing Bias in Artificial Intelligence” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf In this Special Publication, NIST analyzes the challenges of AI bias, aiming to provide some detailed socio-technical guidance for identifying and managing AI bias.
  • 12/14/2021 – NIST, “AI Risk Management Framework Concept Paper” https://www.nist.gov/system/files/documents/2021/12/14/AI%20RMF%20Concept%20Paper_13Dec2021_posted.pdf NIST has developed for public review a concept paper for the Artificial Intelligence Risk Management Framework (“AI RMF”), intended for voluntary use and to address risks in the design, development, use, and evaluation of AI products, services, and systems. NIST stated that it intends to release the AI RMF 1.0 in early 2023.
  • 7/30/2021 – Department of Homeland Security (“DHS”), “Artificial Intelligence and Machine Learning Strategic Plan” https://www.dhs.gov/sites/default/files/publications/21_0730_st_ai_ml_strategic_plan_2021.pdf The strategic plan of DHS’ Science and Technology Directorate (“S&T”) outlines its goals that are committed to ensuring that AI/ML research, development, test, evaluation, and departmental applications comply with statutory and other legal requirements, and sustain privacy protections and civil rights and liberties for individuals. It further advises stakeholders on recent developments in AI/ML and the associated opportunities and risks.
  • 5/5/2021 – Electronic Privacy Information Center (“EPIC”), New National Artificial Intelligence Initiative Office Website. https://www.ai.gov/ The White House launched its new website, AI.gov, featuring policy priorities, reports, and news regarding AI.
  • 4/19/2021 – Federal Trade Commission (“FTC”), “Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI” https://www.ftc.gov/news-events/blogs/business-blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai In this blog post, the FTC offers guidance for companies in their use of AI, specifically instructing them to show transparency and accountability when employing new algorithms.
  • 4/8/2020 – FTC, “Using Artificial Intelligence and Algorithms” https://www.ftc.gov/news-events/blogs/business-blog/2020/04/using-artificial-intelligence-algorithms In this blog post, the FTC outlines best practices when relying on algorithms and highlights key principles such as transparency, fairness, accuracy, and accountability.
  • 9/9/2019 – NIST, “U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tool” https://www.nist.gov/artificial-intelligence/ai-standards-federal-engagement Following an executive order directing federal agencies to develop international standards to promote and protect innovation and public confidence in AI technologies, NIST published this plan. The plan intends to provide guidance regarding priorities and appropriate levels of engagement in matters of AI standards.
*While extensive, this list is not meant to be exhaustive. We will do our best to update this list from time to time, and add new guidance as it becomes available.
An image of the flag of Europe, which consists of twelve golden stars forming a circle on a blue field.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

**Update:** On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs. In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision, giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month grace period.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”). These updated SCCs allow transfers of personal data from the EU to third countries, as well as transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post.)

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”). The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:
  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (controller-processor SCCs).
In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR. Finally, the structure of the draft SCCs allows for modular contract clauses. The updated clauses also allow additional parties to accede to the clauses, either as data exporter or data importer, by executing a specific annex. Previously, new parties were forced to use a wraparound framework of data transfer agreements which incorporated the SCCs in order to implement them as an appropriate safeguard for international transfers. All of these changes bring welcome flexibility to these contracts.

What else is new?

The new draft SCCs are the first of their kind issued under the GDPR and, as such, reflect the GDPR’s requirements, whereas the old SCCs were drafted under the GDPR’s predecessor. Accordingly, the new SCCs impose more comprehensive transparency and notification obligations on the parties. In particular, a data importer will be required to notify the data exporter and, where possible, the affected data subjects if:
  • The data importer receives a legally binding request by a public authority, or,
  • The data importer becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs.
Furthermore, the data importer will be obliged to exhaust all available remedies to challenge the access request if, after careful assessment, it concludes that there are grounds under the local laws to do so. In line with this new requirement of an assessment of the local laws following an access request, the new SCCs reiterate the need for a comprehensive assessment to determine whether the data transfer to a third country can reach an adequate level of data protection as required under the GDPR. According to the new clauses, the parties must take into account the specific circumstances of the transfer, any relevant prior instances of requests for disclosure by public authorities received by the data importer, as well as the laws of the third country of destination, particularly laws that require disclosure of data to public authorities or allow access by such authorities.

What does this mean?

While the new draft SCCs provide for specific safeguards in light of Schrems II, the new clauses do not relieve the parties from their obligation to assess and address the likely consequences of the third country’s laws. In effect, the draft SCCs thereby require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice. This approach has already been criticized by stakeholders and practitioners alike as unwieldy, effectively placing the burden of adequacy decisions on private parties rather than government bodies. As few legal options remain for companies to secure their cross-border data transfers following Schrems II, the draft SCCs have been eagerly awaited. The EU Commission has provided this modernization of the old model clauses in order to better reflect recent developments in the digital economy as well as the widespread use of new and more complex processing chains.

Whether the new draft SCCs can provide an adequate as well as practical solution for businesses around the globe remains to be seen.

What are the next steps?

The draft clauses are subject to consultation with the European Data Protection Board (“EDPB”), and are currently open for public consultation until December 10, 2020. Once formally adopted, the new SCCs will replace the previous clauses used by organizations for international transfers under the GDPR. Businesses will have twelve months from the date the new SCCs enter into force to replace any existing SCCs currently relied upon. As a result, businesses will need to assess their data transfer arrangements in the next year and replace their existing framework of standard contractual clauses with the new SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the EEA.

A Footnote on Article 28 Clauses

Along with the new draft SCCs, the European Commission has also published draft standard contractual clauses between controllers and processors located in the EU. This draft contains clauses that a controller can impose on the processor in order to satisfy the contractual requirements that the controller is obliged to impose under Article 28 GDPR. The use of the European Commission approved Article 28 Clauses will not be compulsory, and businesses may continue to use their own data processing agreements between controllers and processors to satisfy the requirements of Article 28 GDPR.