From De-Identification to Re-Identification: Considering Personal Data Protection

The recently published research paper “Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models” shows how the likelihood of a specific individual to have been correctly re-identified can be estimated with high accuracy even when an anonymized dataset is heavily incomplete. The presented results reject the claims that, first, re-identification is not a practical risk and, second, sampling or releasing partial datasets provide plausible deniability. Moving forward, the results also question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model.


The SHIELD is Now Up: New Legislation To Protect New Yorkers Against Data Security Breaches

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Governor Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”


EU Data Protection and Policy: Considering Artificial Intelligence

As AI gains strategic importance, it is essential to shape global rules for its development and use. In promoting the development and uptake of AI, the European Commission has opted for a human-centric approach, meaning that AI applications must comply with fundamental rights. In this context, the rules laid down in the GDPR provide a general framework and contain specific obligations and rights that are particularly relevant for the processing of personal data in AI.

New Restrictions on Disclosures of Personal Data to Non-EU Courts Will Not Apply in the UK

One of the more controversial portions of the EU’s forthcoming General Data Protection Regulation is a provision restricting the ability of EU businesses to comply with demands from non-EU courts for the production of documents containing personal data. However, following a recent announcement by the UK government, these restrictions will not apply to businesses in the UK.


How Can That Not Be Covered? I Have Cyber Insurance!

Many companies purchase cyber liability insurance to help cover their risk of computer fraud or attack. However, if not properly negotiated, some cyber insurance policies may not fully protect against all risks.


Germany’s Christmas Present: Data-Protection Class Actions

To strengthen data protection enforcement, the German legislature recently passed a law that permits registered consumer-protection organizations (called Verbände) to bring suits on behalf of consumers to enjoin data-protection violations.