Feb. 5, 2025

AI Meets GDPR: EDPB Weighs In on AI Models

Responding to a request from the Irish Data Protection Commission, the European Data Protection Board (EDPB) issued an opinion late last year addressing data protection concerns in the development and deployment of AI models (Opinion). In its densely packed Opinion, the EDPB reviewed whether AI models trained with personal data can be considered anonymous, notably not taking a hard line on the answer, and instead emphasizing the need for a case-by-case assessment. This first article in a two-part series, including insights from Bird & Bird, McDermott Will & Emery, Morrison Foerster and Steptoe, examines the Opinion’s key determinations and their implications for entities subject to the GDPR. Part two will address legal risks and best practices for controllers related to the processing of personal data in the context of AI development and deployment. See “Can GDPR Hinder AI Made in Europe?” (Jul. 10, 2019).

California’s Pending Automated Decision-Making Technology Regulations Will Further Focus Consumers’ Attention on AI

Legislators, including in California, had a busy 2024, enacting laws intended to get ahead of some of the negative consequences of widespread use of AI. Several state AGs have been busy issuing AI-related guidance to their residents and businesses as well. In California, less than two weeks into the new year, AG Rob Bonta issued two legal advisories reminding California’s consumers of their rights and reminding businesses that develop or use AI about their legal obligations under California law. Only a few weeks before Bonta issued the advisories, the California Privacy Protection Agency initiated the formal rulemaking process for proposed regulations for insurance, cybersecurity audits, risk assessments and automated decision-making technology. In this guest article, Thompson Coburn partner Luke Sosnicki examines the advisories and proposed regulations, discusses what businesses can expect when the drafts are made final, and offers practical advice to help businesses assess and prepare to comply with the final rules. See “Navigating Ever-Increasing State AI Laws and Regulations” (Jan. 15, 2025).

How the 2025 Cybersecurity Executive Order Affects Business

On January 16, 2025, then-President Biden signed Executive Order 14144 on Strengthening and Promoting Innovation in the Nation’s Cybersecurity (EO). It calls for cybersecurity enhancements in government and business, and its intent is to use the power of public procurements to encourage businesses to boost precautions. The EO was issued just before the start of the current administration but was not among those revoked by President Trump in his opening days. This article examines the EO with insights from industry, law firms and government. See “Preparing to Comply With the Protecting Americans’ Data From Foreign Adversaries Act” (Jun. 5, 2024).

Cybersecurity Partner Joins Nelson Mullins in Washington, D.C.

Nelson Mullins has welcomed Kenya Dixon as a partner in its cybersecurity & data breach response and litigation practices in Washington, D.C. Dixon joins from TechCentrics.