On May 30, 2023, one day before the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the filing procedure for Standard Contracts (“CAC Guidance”). (See our prior blog posts on the Standard Contract here.)

Nicholas Shepherd
Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children's privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.
A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.
Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.
China Proposes Draft Measures to Regulate Generative AI
On April 11, 2023, the Cyberspace Administration of China (“CAC”) released draft Administrative Measures for Generative Artificial Intelligence Services (《生成式人工智能服务管理办法(征求意见稿)》) (“draft Measures”) (official Chinese version available here) for public consultation. The deadline for submitting comments is May 10, 2023.
The draft Measures would regulate generative Artificial Intelligence (“AI”) services that are “provided to the public in mainland China.” These requirements cover a wide range of issues that are frequently debated in relation to the governance of generative AI globally, such as data protection, non-discrimination, bias and the quality of training data. The draft Measures also highlight issues arising from the use of generative AI that are of particular concern to the Chinese government, such as content moderation, the completion of a security assessment for new technologies, and algorithmic transparency. The draft Measures thus reflect the Chinese government’s objective to craft its own governance model for new technologies such as generative AI.
Further, and notwithstanding the requirements introduced by the draft Measures (as described in greater detail below), the text states that the government encourages the (indigenous) development of (and international cooperation in relation to) generative AI technology, and encourages companies to adopt “secure and trustworthy software, tools, computing and data resources” to that end.
Notably, the draft Measures do not make a distinction between generative AI services offered to individual consumers or enterprise customers, although certain requirements appear to be more directed to consumer-facing services than enterprise services.
This blog post identifies a few highlights of the draft Measures.…
Continue Reading China Proposes Draft Measures to Regulate Generative AI
China Finalizes Standard Contract for Cross-Border Transfers of Personal Information
On February 24, 2023, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (“Measures”) (only available in Chinese here), including a template contract (“Standard Contract”) accompanying the Measures. The Measures will take effect on June 1, 2023, but are subject to a 6-month grace period to allow companies time to bring their activities into compliance.
The finalization of the Measures marks another important step forward in the establishment of China’s cross-border data transfer framework. With implementing rules for all three lawful transfer mechanisms now in place, China appears to be entering into a new phase where cross-border transfer activities will be more closely regulated and enforcement actions are more likely to arise for non-compliance. …
Brazil’s Senate Committee Publishes AI Report and Draft AI Law
On December 1, 2022, a committee of the Brazilian Senate presented a report (currently available only in Portuguese) with research on the regulation of artificial intelligence (“AI”) and a draft AI law (see pages 15-58) (“Draft AI Law”) that will serve as the starting point for deliberations by the Senate on new AI legislation. When preparing the 900+ page report and Draft AI Law, the Senate committee drew inspiration from earlier proposals for regulating AI in Brazil and its research into how OECD countries are regulating (or planning to regulate) in this area, as well as inputs received during a public hearing and in the form of written comments from stakeholders. This blog posts highlights 13 key aspects of the Draft AI Law.…
Continue Reading Brazil’s Senate Committee Publishes AI Report and Draft AI Law
European Commission Publishes Directive on the Liability of Artificial Intelligence Systems
On September 28, 2022, the European Commission published its long-promised proposal for an AI Liability Directive. The draft Directive is intended to complement the EU AI Act, which the EU’s institutions are still negotiating. In parallel, the European Commission also published its proposal to update the EU’s 1985 Product Liability Directive. If adopted, the proposals will change the liability rules for software and AI systems in the EU.
The draft AI Liability Directive establishes rules applicable to non-contractual, fault-based civil claims involving AI systems. Specifically, the proposal establishes rules that would govern the preservation and disclosure of evidence in cases involving high-risk AI, as well as rules on the burden of proof and corresponding rebuttable presumptions. If adopted as proposed, the draft AI Liability Directive will apply to damages that occur two years or more after the Directive enters into force; five years after its entry into force, the Commission will consider the need for rules on no-fault liability for AI claims.
As for the draft Directive on Liability of Defective Products, if adopted, EU Member States will have one year from its entry into force to implement it in their national laws. The draft Directive would apply to products placed on the market one year after it enters into force.…
Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data
On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old). The consultation will conclude on October 7, 2022. According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14). The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.…
China Imposes $1.2 Billion Fine for Data Violations
On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law. …
EU Consumer Protection and Data Privacy Authorities Adopt 5 Key Principles for Fair Advertising to Children
On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here). These recommendations are based on relevant requirements…
Irish DPC Publishes Child-Facing Privacy Guides
On May 25, 2022, the Irish Data Protection Commission (“DPC”) issued 3 short guides for children, with the objective of raising awareness among adolescents about data protection and their privacy rights, as well as serving as a resource “for parents, educators and anyone [else] interested in children’s safety and wellbeing online”. The 3 guides…
EDPB Publishes Draft Guidelines on the Use of “Dark Patterns” in Social Media Interfaces
On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022. The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”). In this sense, the Guidelines serve both to instruct organizations on how to design of their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices). The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).
In this blog post, we summarize the Guidelines and identify key takeaways. Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.…