Data Dive

On Tuesday, December 13, the European Commission initiated its long-awaited process towards the adoption of an adequacy decision for the European Union (EU)-U.S. Data Privacy Framework (EU-U.S. DPF), which aims to address the concerns raised by the Court of Justice of the EU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework in 2020.

On November 20, 2022, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a public consultation (which is open until December 20, 2022) on its proposed amendments to the Personal Data Protection Law (PDPL). Previously, on September 24, 2021, the Kingdom of Saudi Arabia published the long-anticipated PDPL pursuant to Royal Decree M/19 of 9/2/1443H, constituting the country’s first comprehensive national data protection legislation; although the PDPL was due to become effective on March 23, 2022, on March 22, 2022, SDAIA announced that it had decided to postpone the full enforcement of the PDPL to March 17, 2023, and, in collaboration with the National Data Management Office, further issued the Draft Executive Regulations supplementing the PDPL. The issuance of these draft regulations on March 10, 2022, was followed by a period of inactivity (and it is likely such regulations will be updated once the amendments to the PDPL are finalized) such that the launch of the public consultation now revives focus on the PDPL. The proposed amendments (the “Amendments”) contain significant changes to the prior version of the PDPL, including:

The European Parliament has reached agreement on the text of the Digital Services Act (DSA). The DSA is new legislation that will require certain providers of online services to comply with new obligations in order to ensure online safety and to prevent the spread of illegal content. The practical effects of the legislation will likely include increased compliance costs for businesses, possible organisational/personnel changes at a compliance level and increased accountability to relevant authorities.

The U.S. Department of Commerce implemented new U.S. export controls applicable to “cybersecurity items” based on an interim final rule published by BIS. The change introduces new, narrowly tailored restrictions designed to minimize disruptions to legitimate cybersecurity activities. This post summarizes the key takeaways for affected companies.

The ground-breaking draft European Union Act on Artificial Intelligence (AI), which has far-reaching implications beyond Europe (see here), is currently going through the legislative procedure of the European Parliament and Council. The draft AI Act is extraterritorial, sector-agnostic, carries steep noncompliance penalties and applies to multiple stakeholders across the AI value chain, including users and providers. It is the world’s first attempt at comprehensive regulation of AI and it may well become the global standard. Adopting the AI Act is one of the priorities of the European Commission.