Digiphile

If you are looking for the DEFINITIVE copy of the AI Act as a reference, then look no further. The Digiphile elves have taken the AI Act and: 👉 Added cross-references (with hyperlinks) from each recital to its related articles, 👉 Added cross-references (with hyperlinks) from each article to its related recitals, and 👉 Added hyperlinks out to all externally-referenced EU legislation in the AI Act - enabling you to understand (for example) what products and systems fall within the scope of high risk AI under Annex I. You can download our fully cross-referenced, fully hyperlinked version by clicking on the image below, and then selecting the download option. We're already using it, and it makes the AI Act much easier to follow and understand. This was a massive job, and we owe a hat tip to Kai Zenner whose AI cross-referencing table (here: https://lnkd.in/esyvGwSM) was the inspiration for this effort and a huge help to us in preparing this. Two final points: (1) If we've missed a hyperlink or you find any broken hyperlinks, let us know - we don't promise to have fully picked up every last one of the (literally) thousands of hyperlinks involved. (2) While we've used the OJEU text to create this version, it's not an official source and we're providing it simply "as is" for convenience purposes. So always check the official source if you're relying on this in any important contexts.

How often do data protection advisers see data processing systems they can honestly claim to be in complete "compliance" with the GDPR? "Compliance" is a difficult word to use, because of ambiguities that exist in the law (what are "appropriate measures", for example), differences in regulatory interpretation across Member States, evolving CJEU case law, and business tolerance to risk. This could, however, become a hot topic for the AI Act - under Article 47 (https://lnkd.in/edAtyGpX), providers of high risk AI systems must draw up a "declaration of conformity", containing certain mandatory details about their system specified in Annex V (https://lnkd.in/ejk2fGSB). This includes not only a commitment that the system in question is in "conformity" with the AI Act itself, but also that it "complies" with the GDPR. The data protection professional giving that sign-off will presumably either be very nervous or very bold - meaning privacy professionals could wield a lot of power here, while simultaneously finding themselves under a lot of pressure...

When deciding on an appropriate retention period for organisational emails, the possibility of email data being used in future litigation often drives internal decision-making, with thinking commonly splitting along binary lines - EITHER: 👉 "We need to keep emails forever, in case we need to use them in future litigation", OR 👉 "We need to get rid of emails as soon as possible, in case we need to disclose them in future litigation". So, for some simple - and not very scientific - benchmarking, what do you consider to be an acceptable retention period for emails (and similar internal chat data - like Slack etc.)?

🥁🥁 The final, official version of the #AIAct has just been published in the #OJEU (Official Journal of the EU) 🥁🥁 This means it will enter into force in 20 days' time and begin applying in phases after that: banning prohibited AI from 2 February 2025, starting to apply to GPAI models from 2 August 2025, and applying (mostly) in full to everything else from 2 August 2026. Link here and final text below: https://lnkd.in/eAJwqHBm and text below. Kudos to Digiphile Side-Loading Lawyer (Senior Consultant) Michael Brown for spotting this news just before the weekend.

The #AIAct is coming and you want to get into compliance - but where do you begin? Here's a very simple roadmap to get you started. 👇

Today’s post is a deep dive into the key requirements of #NIS2 and how they impact your business. 🔐 Cybersecurity 🔐 #NIS2 mandates a comprehensive risk management strategy that requires Essential and Important entities to assess cyber risks, run cybersecurity audits, have a business continuity plan to mitigate potential disruptions, verify the security of their supply chain, and much more. 📣 Incident reporting 📣 #NIS2 requires Essential and Important entities to be on the lookout for ‘significant incidents’ and ‘cyber threats’. The former must be reported to competent authorities within 24h by submitting an early warning, and from there there is a strict timeline to follow to keep the authorities apprised. 📬 Customer Notifications 📬 #NIS2 also requires to promptly inform their customers of both significant incidents and cyberthreats without undue delay. If you’re new to #NIS2, then be sure to also check out our earlier #NIS2 posts, which provide a brief overview of #NIS2 and its aims here: https://lnkd.in/eMkkWt8C and explain the types of entities it applies to here: https://lnkd.in/eJRyP6P5 Thanks to our #NIS2 expert Marco Piana for his insights in preparing this post!

#EDPB elects a new Deputy Chair - Zdravko Vukić, Director of the Croatian Personal Data Protection Agency. Mr. Vukić will join fellow Deputy Chair Irene Loizidou Nikolaidou, and work closely with EDPB Chair, Anu Talus. https://lnkd.in/eGgpWGue

Step up, step up - understand your #AIAct incident reporting responsibilities here 👇

Are you interested in the likely trajectory of UK policy-making and law on data protection, AI and digital regulation? I expect the answer is a resounding yes! Therefore, here's a quick and hopefully helpful overview of the Labour Party’s general election manifesto (https://lnkd.in/ecf4r2db) on these issues. The manifesto was published on Friday and, according to almost all polls, the party is expected to form a majority government following the general election on 4 July. 1. Data Protection – the manifesto is mostly silent on the topic. For example, it makes no reference to resurrecting the Data Protection and Digital Information Bill, which failed to be enacted prior to the dissolution of Parliament. That said, the document does flag that “regulators are currently ill-equipped to deal with the dramatic development of new technologies” and so proposes the creation of a new “Regulation Innovation Office” which will “help regulators update regulation, speed up approval timelines, and co-ordinate issues that span existing boundaries”. Given the consistent and rapid development of data-driven technologies, it seems likely that the UK Information Commissioner’s Office will work closely with this new governmental office. The manifesto also suggests the creation of a new “National Data Library” to combine existing research programmes, enable access to public sector data and assist in the delivery of data-driven public services.   2. AI – the Labour Party seems reasonably bullish on AI-related opportunities e.g. by discussing the removal of planning barriers for the building of new data centres and highlighting the transformative impact of AI on ill health detection and diagnosis. Notably, the manifesto highlights the party’s intent to introduce “binding regulation on the handful of companies developing the most powerful AI models”.  No mention is made of any deeper or more cross-cutting AI legislation, equivalent to the EU AI Act. The document also proposes a prohibition on the creation of sexually explicit deepfakes. 3. Digital regulation – the manifesto describes the party’s plans to “build on” the Online Safety Act, accelerating the implementation of its provisions and exploring further measures to enable online safety, especially in relation to social media. The Labour Party further plans to provide coroners with “more powers to access information held by technology companies after a child’s death.”