The recently published research paper “Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models” shows how the likelihood that a specific individual has been correctly re-identified can be estimated with high accuracy even when an anonymized dataset is heavily incomplete. The presented results reject the claims that, first, re-identification is not a practical risk and, second, sampling or releasing partial datasets provides plausible deniability. Moving forward, the results also question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA, and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Governor Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
As AI gains strategic importance, it is essential to shape global rules for its development and use. In promoting the development and uptake of AI, the European Commission has opted for a human-centric approach, meaning that AI applications must comply with fundamental rights. In this context, the rules laid down in the GDPR provide a general framework and contain specific obligations and rights that are particularly relevant for the processing of personal data in AI.
The FCC proposes that ISPs obtain affirmative opt-in consent for the use and sharing of customer data that has not been specifically collected for the purpose of providing broadband Internet-related services.
The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state.
One of the more controversial portions of the EU’s forthcoming General Data Protection Regulation is a provision restricting the ability of EU businesses to comply with demands from non-EU courts for the production of documents containing personal data. However, following a recent announcement by the UK government, these restrictions will not apply to businesses in the UK.
Many companies purchase cyber liability insurance to help cover their risk of computer fraud or attack. However, if not properly negotiated, some cyber insurance policies may not fully protect against all risks.
To strengthen data protection enforcement, the German legislature recently passed a law that permits registered consumer-protection organizations (called Verbände) to bring suits on behalf of consumers to enjoin data-protection violations.