Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam's practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Follow:

EU AI Act Update: The European Commission Publishes Draft Guidelines on HRAIs

By Dan Cooper, Marty Hansen, Jadzia Pierce, Anna Sophia Oberschelp de Meneses, Sam Jungyun Choi, Marianna Drake, Madelaine Harrington & Alix Bertrand on June 8, 2026

Posted in Artificial Intelligence (AI), European Union, European Union, Technology

On 19 May 2026, the European Commission published its long-awaited draft, non-binding guidelines on the classification of high-risk AI systems (“HRAIs”) under the EU AI Act (the “Guidelines”). Across three documents—covering general principles, high-risk classification in the context of regulated products (Annex I), and high-risk use cases (Annex III)—the Commission sets out its approach to one of the AI Act’s central questions: when does an AI system fall within the high-risk regime (and, just as importantly, when does it not)?

Rather than restating every aspect of the Guidelines, this post highlights a number of interpretative points likely to matter most in practice.

Singapore Issues Governance and Security Guidance for Agentic AI

By Jadzia Pierce, Sam Jungyun Choi & Mingxin Liu on April 23, 2026

Posted in Artificial Intelligence (AI), Asia

As agentic AI systems move from research labs to enterprise workflows, regulators worldwide are grappling with how to address the potential risks these systems may pose (as discussed in prior blog posts here and here). In January 2026, Singapore’s Infocomm Media Development Authority (“IMDA”) launched a non-binding Model AI Governance Framework for Agentic AI (“Framework”), just a few months after the Cyber Security Agency released a discussion paper titled “Securing Agentic AI” (“Discussion Paper”).

Together, these documents provide organizations with a structured, operational roadmap to consider when navigating some of the potential security and governance challenges posed by agentic AI. This blog post highlights some of their key points.

Ofcom and ICO Issue Joint Statement on Age Assurance

By Claudia Berg, Jadzia Pierce & Sam Jungyun Choi on March 27, 2026

Posted in Children's Privacy, EU Data Protection, GDPR, Online Safety, Uncategorized

On March 25, 2026, the UK’s Office of Communications (“Ofcom”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their common expectations for age assurance on online services (“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

By Sam Jungyun Choi, Jadzia Pierce & Dan Cooper on March 13, 2026

Posted in Children's Privacy, Dark Patterns, Data Privacy, EMEA Tech Regulation, Entertainment, Online Safety, Social Media, UK Government, United Kingdom, United Kingdom

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.

UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security

By Sam Jungyun Choi, Jadzia Pierce & Paul Maynard on February 25, 2026

Posted in Data Privacy, GDPR, Privacy & Data Security

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)

EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation

By Sam Jungyun Choi, Jadzia Pierce & Kristof Van Quathem on February 23, 2026

Posted in Data Privacy, European Union, GDPR

On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the “Report”). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.

The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)

European Commission Publishes Apply AI Strategy to Accelerate Sectoral AI Adoption Across the EU

By Dan Cooper & Sam Jungyun Choi on October 27, 2025

Posted in Artificial Intelligence (AI), European Union, Policy and Legislation, Technology

On 8 October 2025, the European Commission published its Apply AI Strategy (the “Strategy”), a comprehensive policy framework aimed at accelerating the adoption and integration of artificial intelligence (“AI”) across strategic industrial sectors and the public sector in the EU.

The Strategy is structured around three pillars: (1) introducing sectoral flagships to boost AI use in key industrial sectors; (2) addressing cross-cutting challenges; and (3) establishing a single governance mechanism to provide sectoral stakeholders a way to participate in AI policymaking.

The Apply AI Strategy is accompanied by the AI in Science Strategy, and it will be complemented by the Data Union Strategy (which is anticipated later this year).

European Parliament Committee Recommends Commission to Propose EU Directive on Algorithmic Management

By Dan Cooper, Antonio Michaelides, Sam Jungyun Choi & Matthieu Coget on July 25, 2025

Posted in Algorithmic Management, Artificial Intelligence (AI), European Union

On June 26, 2025, the European Parliament’s Committee on Employment and Social Affairs published a draft report (“Draft Report”) recommending that the Commission initiate the legislative process for an EU Directive on algorithmic management in the workplace. The Draft Report defines algorithmic management as the use of automated systems—including those involving artificial intelligence—to monitor, assess, or make decisions affecting workers and solo self-employed persons.

This Draft Report follows a Commission study published in March 2025 (“Commission Study”), which found that while existing EU legislation, such as the GDPR, addresses some risks to workers from algorithmic management, others remain. The Commission Study also recognizes that the AI Act does not establish specific rights for workers in the context of AI use, which is noted as a concern.

The Draft Report encloses the proposed text for a new Directive on algorithmic management in the workplace (“Proposed Directive”). The Draft Report has not yet been endorsed by the European Parliament.

European Commission Guidelines on the Definition of an “AI System”

By Madelaine Harrington, Sam Jungyun Choi & Lisa Peets on June 4, 2025

Posted in Artificial Intelligence (AI), European Union

In February 2025, the European Commission published two sets of guidelines to clarify key aspects of the EU Artificial Intelligence Act (“AI Act”): Guidelines on the definition of an AI system and Guidelines on prohibited AI practices. These guidelines are intended to provide guidance on the set of AI Act obligations that started to apply on February 2, 2025 – which includes the definitions section of the AI Act, obligations relating to AI literacy, and prohibitions on certain AI practices.

This article summarizes the key takeaways from the Commission’s guidelines on the definition of AI systems (the “Guidelines”). Please see our blogs on the guidelines on prohibited AI practices here, and our blog on AI literacy requirements under the AI Act here.

European Commission Guidelines on Prohibited AI Practices under the EU Artificial Intelligence Act