By: Claude-Etienne Armingaud, Thomas Nietsch, Ludovico Lugnanin, Nóirín McFadden, and Sophie Verstraeten
The UK’s major post-Brexit reform of the UK General Data Protection Regulation (UK GDPR), the Data Use and Access Act (DUAA), became law on 19 June 2025.
Read MoreBy: Dr. Thomas Nietsch and Andreas Müller
In proceedings initiated by a Consumer Protection Agency for a preliminary injunction against the operator of a social network to prohibit the use of publicly accessible user data for AI training, the competent court ruled that using such data is permissible under the General Data Protection Regulation (GDPR.)
Read MoreBy: Dr. Thomas Nietsch and Andreas Müller
In a recent ruling (I ZR 161/24, 22 May 2025), the German Federal Court of Justice (BGH) clarified the scope of § 312k German Civil Code (BGB) regarding the obligation to provide a ‘cancellation button’ on websites if traders enable consumers to conclude continuing performance contracts (Dauerschuldverhältnis) via their website.
Read MoreBy: Claude-Étienne Armingaud and Josefine Beil
In a significant ruling on 14 February 2025, the First Instance Court of Nanterre, France ordered a company to suspend the deployment of several artificial intelligence tools until proper consultation with its Works Council has been completed.
Read MoreBy: Claude-Étienne Armingaud and Josefine Beil
The European Data Protection Board recently published its draft Guidelines 02/2025, which remain open to consultation until 09 June 2025. Stakeholders in the blockchain industry are encouraged to submit any observations before the finalization of these Guidelines.
Read MoreBy: M. Claire Healy, Kathleen D. Parker, and Erinn L. Rigney
Effective 1 January 2026, Illinois House Bill 3773 (HB 3773) amends the Illinois Human Rights Act, (IHRA) to expressly prohibit employers from using artificial intelligence (AI) that “has the effect of subjecting employees to discrimination on the basis of protected classes.” Specifically, Illinois employers cannot use AI that has a discriminatory effect on employees, “[w]ith respect to recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment.”
Read MoreBy: Claude-Etienne Armingaud, and Josefine Beil
On 11 February 2024, the European Data Protection Board (EDPB) adopted a new statement on age assurance. This statement, while not legally binding, will guide the enforcement of age-gating methods across the EU. Age assurance refers to the methods used to determine an individual’s age or age range with varying levels of confidence or certainty.
Read MoreBy Eric F. Vicente Flores and Whitney E. McCollum
On 9 January, 2024, the Federal Trade Commission (FTC) issued its first settlement prohibiting a data broker from sharing or selling sensitive location data, and required deletion of all location data collected deceptively. The FTC alleged that X-Mode Social (“X-Mode”), and Outlogic, LLC (“Outlogic”), X-Mode’s successor firm, failed to implement reasonable and appropriate safeguards on the use of such information by third parties. X-Mode/Outlogic collected personal information, including location data via its mobile applications, which it would then sell to third parties.
Read MoreBy Whitney E. McCollum and Eric F. Vicente Flores
The Federal Trade Commission (FTC) issued a first-of-its-kind proposed order prohibiting Rite Aid Corporation from using facial recognition technology for surveillance purposes for five years.
The FTC alleged that Rite Aid’s facial recognition technology generated thousands of false-positive matches that incorrectly indicated a consumer matched the identity of an individual who was suspected or accused of wrongdoing. The FTC alleged that false-positive matches were more likely to occur in Rite Aid stores located in “plurality-Black” “plurality-Asian” and “plurality-Latino” areas. Additionally, Rite Aid allegedly failed to take reasonable measures to prevent harm to consumers when deploying its facial recognition technology. Reasonable measures include: inquiring about the accuracy of its technology before using it; preventing the use of low-quality images; training or overseeing employees tasked with operating the facial recognition technology; and implementing procedures for tracking the rate of false positive matches.
Read MoreCopyright © 2025, K&L Gates LLP. All Rights Reserved.