The proposed Regulation will be the first EU legal framework specifically focused on the rapidly accelerating landscape of AI.

By Deborah J. Kirk, Elisabetta Righini, Laura Holden, Luke Vaz, and Amy Smyth

The feedback period for the European Commission (EC) proposal for the Regulation of artificial intelligence (AI) (COM (2021)206) (proposed Regulation) closed on 6 August 2021, during which time 304 pieces of feedback were received, marking another milestone in pursuit of the first EU

A Call for Input reveals that the FCA is planning for a post-EU future and examining ethics with regard to MAR.

By Rob Moulton

On 9 March 2020, the Financial Conduct Authority (FCA) issued a Call for Input on the way that wholesale market participants access and use data in the UK. A Call for Input is an opportunity for the FCA to raise whatever questions it likes without having to commit to a view, in order to enable it (at a later stage) to make policy proposals without surprising market participants. This paper largely covers matters already subject to review at the European level, and therefore indicates that the FCA is preparing to make its own policies after the end of the current transitional period.

Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.

By Frances Stocks Allen and Mihail Krepchev

The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO).

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.

How can private equity firms identify and mitigate inherited liability risk from vulnerable portfolio companies?

By Tom Evans, Gail Crawford, Fiona Maclean, David Walker, Katie Peek, Catherine Campbell, and Amy Smyth

Ongoing big-ticket regulatory fines coupled with high-profile corporate veil cases indicate that private equity deal teams must remain alert to the risk of buyout firms inheriting liabilities from vulnerable portfolio companies. Increasing GDPR fine activity, including the UK Information Commissioner’s intention to fine British Airways £183 million and an international hotel group £99 million for GDPR failings, is of particular concern. In parallel, the UK Supreme Court recently examined the circumstances in which a parent company can be held accountable for its subsidiary’s actions. In our view, private equity firms should take careful but active steps to identify and mitigate this inherited liability risk; there is no doubt that PE funds are increasingly in the firing line.

By Gail Crawford, Hayley Pizzey, Mark Sun, and Calum Warren

As European data protection regulators prepare to enforce the General Data Protection Regulation (GDPR) from May 2018, private equity firms must act to minimise the risk of becoming financially liable for the data protection failings of portfolio companies. After a recent spate of high-profile data breaches, the risks for financial sponsors are high.

Why is a Data Protection Failing at Portfolio Company Level a Serious Concern for a Buyout Firm?

The GDPR sets out defined obligations and extends EU data protection law’s territorial reach, catching any business that operates in the EU, or offers goods and services to — or monitors the behaviour of — EU data subjects (whether in the EU or not). Fines for noncompliance can be substantial — up to the higher of €20 million or 4% of an undertaking’s global annual turnover. The regime defers to the EU antitrust concept of “undertaking”, which in our view means fines may be calculated by reference to the combined revenue of an offending portfolio company and the buyout firm (including the firm and all other portfolio companies within its group). This leaves open the possibility of data protection regulators directly fining buyout firms for the failures of portfolio companies.

By Gail Crawford and Danielle van der Merwe

Following the commencement of the Brexit negotiations earlier this week, the Queen announced in her speech on Wednesday a new law that will “ensure the United Kingdom retains its world-class regime protecting personal data”.

This bill will replace the current Data Protection Act 1998 in the UK. One of the bill’s main reported benefits is the implementation of the General Data Protection Regulation (GDPR) (and the new directive applying to law enforcement data processing), meeting the UK’s obligations while it remains an EU Member State. Crucially, the intention is for the bill to help put the UK in the best position to maintain its ability to share data with other EU Member States, and internationally, after the UK leaves Europe.

By Gail Crawford

After over four years of debate, the General Data Protection Regulation (GDPR) recently came into force, taking effect after a two-year transition period, i.e. from 25 May 2018. The GDPR introduces a rigorous and far-reaching privacy framework, which will impact many M&A transactions.

The GDPR sets out defined obligations and substantial fines for non-compliance. The new regime will extend the territorial reach of EU data protection law, catching any business that operates in the EU, or offers goods and services to – or monitors the behaviour of – EU data subjects. In the M&A context, a non-EU entity that targets or monitors EU individuals will be subject to the GDPR.

The GDPR imposes mandatory data breach notifications and much stronger sanctions for non-compliance. Fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, can be imposed. This has rightly concerned business – a survey by Ovum in 2015 showed that 94% of IT decision makers are concerned about the GDPR and 52% of respondents thought that the GDPR would result in fines for their company.