What is new in data, law & technology? - A weekly overview
Week 12 of 2025
In this week's roundup, I'm gathering some of the most important and interesting data and technology law and tech news from the past week.
Legal and regulatory developments
The European Parliamentary Research Service (EPRS) published a brief summary of the challenges to the renewal of the adequacy decisions for the United Kingdom (UK). (At the same time, the European Commission proposed a six-month extension of the deadline for renewing the adequacy decisions.)
Why is this important? The UK adequacy decisions are due to expire on June 27, 2025, unless the European Commission reaffirms that the UK continues to provide an “essentially equivalent” level of data protection to that in the EU. Critics raised concerns that recent and ongoing UK reforms could jeopardise the renewal of these decisions.
The European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the CJEU´s (Court of Justice of the EU) judgment in case no. C-817/19.
Why is this important? The EDPB provides further guidance to the Passenger Information Units (PIUs) on the necessary adaptions and limitations to the processing of PNR data. The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement, such as how European countries should select the flights from which PNR data are collected, or how long PNR data should be retained.
An open access book “Trustworthy AI - African Perspectives” (editors: Damian Okaibedi Eke, Kutoma Wakunuma, Simisola Akintoye, George Ogoh; Springer, 2025) is available for those who want to explore the African interpretations of Trustworthy AI and its component requirements. The book provides a reasoned understanding of how to consider Trustworthy AI systems in African contexts.
Why is this important? Most of the discussions about AI in general and regarding trustworthy AI in particular do not cover the African context. This book provides a unique perspective and covers key aspects of trustworthy AI in Africa.
A federal appeals court in Washington, D.C. affirmed that a work of art generated by AI without human input cannot be copyrighted under U.S. law.
Why is this important? As the amount of AI-generated content grows rapidly, it's a critical question from an intellectual property perspective how copyright rules apply to works created without human intervention.
The Dutch Data Protection Authority (AP) is developing a practical tool for meaningful human intervention in algorithmic decision-making. To ensure that this document is in line with real-world practices, the AP has invited companies, organizations, experts, and stakeholders to provide input through a consultation. (Feedback can be submitted until April 6, 2025)
Why is this important? The document is intended as a tool for those within an organization who design and implement human intervention. The document will provide a very useful reference point for the design of human intervention procedures for automated decision-making processes and perhaps beyond, in any case where human oversight of the operation of algorithms is required.
The European Data Protection Board (EDPB) published a report on the use of Support Pool of Experts (SPE) in 2024.
Why is this important? The report provides an overview of the main initiatives that will be continued or launched in 2024 in the context of the SPE. It also summarizes the activities of the SPE contact points and the procedures used for the call for expressions of interest to external experts and for launching a project. (Nine new projects were launched in 2024 and four of these nine new projects were completed in 2024).
The EDPB published a document on “Setting Forth a Co-Operation procedure for the approval of Binding Corporate Rules for controllers and processors”.
Why is this important? The objective of this document is to update the former Article 29 Working Party Document on setting forth a procedure for the approval of Binding Corporate Rules (i.e., WP263rev.01) on the basis of the practical experience gained in its application, and to identify smooth and effective cooperation procedures in line with the GDPR, whilst taking full advantage of the previous fruitful experience of the supervisory authorities in dealing with the approval of BCRs.
The European Commission has launched a public consultation on the implementing regulation of the Cyber Resilience Act. The Cyber Resilience Act (CRA) requires the Commission to specify the technical description of the categories of important and critical products with digital elements listed in the CRA. The Commission is expected to adopt the measure sometime in the third quarter of 2025.
Why is this important? The technical description of the categories of important and critical products with digital elements is a crucial point for the application of the CRA. It would be important to shape the technical description in a way that would facilitate the application of the CRA in practice.
ENISA (the EU Agency for Cybersecurity) launched a new product, NIS360 that assesses the maturity and criticality of sectors of high criticality under the NIS2 Directive, providing both a comparative overview and a more in-depth analysis of each sector. The NIS360 is designed to help Member States and national authorities identify gaps and prioritize resources.
Why is this important? Compliance with the requirements of NIS2 Directive is a critical issue to ensure a high common level of cybersecurity across all Member States within the EU. Organisations and Member State authorities need support in complying with NIS2, and to meet this need, ENISA has already developed comprehensive awareness materials and now, this new initiative is added as an important resource for organizations and authorities.
The Norwegian Data Protection Authority (Datatilsynet) published a decision to issue a compliance order, impose a reprimand on and an administrative fine against Telenor ASA for failing to comply with the data protection officer (DPO) requirements and the organisational requirements set out in the GDPR.
Why is this important? The decision provides a very detailed overview of how the requirements of the GDPR regarding the DPO and efficient organizational measures for GDPR compliance should be applied in practice.
Luxembourg's Administrative Court (le tribunal administratif) issued a judgment upholding a fine of EUR 746 million imposed by the National Commission for Data Protection (CNPD) on Amazon in 2021 for violating several provisions of the GDPR in the context of its processing of personal data for the purposes of interest-based advertising. The judgment can still be appealed.
Why is this important? The fine imposed on Amazon was the first truly large administrative fine under the GDPR.
Data & Technology
Baidu launched two new versions of its AI model Ernie (Ernie 4.5, the latest version of the company’s foundational model and a new reasoning model, Ernie X1). According to Reuters´news report, “ERNIE X1 delivers performance on par with DeepSeek R1 at only half the price […]” ERNIE 4.5 has “excellent multimodal understanding ability. It has more advanced language ability, and its understanding, generation, logic, and memory abilities are comprehensively improved. It also has "high EQ", and it is easy to understand network memes and satirical cartoons…”
Why is this important? The price and capability race among AI service providers (and consequently between the US and China)
Meta has started to roll out its Meta AI offering across 41 European countries, including those in the European Union, marking the largest global expansion of Meta AI to date.
Why is this important? MetaAI rolled out in the US in September 2023, followed by India and the UK in 2024, however its expansion in Europe was halted last year due to “regulatory unpredictability”.
NVIDIA is also investing in quantum computing and it announced that it will build a research center in Boston to provide cutting-edge technologies to advance quantum computing (the NVIDIA Accelerated Quantum Research Center).
Why is this important? Big tech companies are investing heavily in quantum computing, and it appears that NVIDIA is moving into more and more areas of technology based on its recent success as a leading provider of hardware and software for AI.
Alphabet (Google´s parent company) is buying startup Wiz for about USD 32 billion in its biggest deal ever as it focuses on cybersecurity.
Why is this important? This deal could sharpen Alphabet's edge in the cloud computing race against Amazon and Microsoft.
International Telecommunication Union (ITU) published a report on “State of digital development and trends in the Europe region: Challenges and opportunities“.
Why is this important? The publication provides an overview of the state of digital connectivity in the Europe region and showcases impactful case studies from the region.
We talk a lot about Large Language Models, but for certain use cases, Small Language Models (SLMs) may be preferable to LLMs. A comprehensive survey of SLMs was published late last year: “A Comprehensive Survey of Small Language Models in the Era of Large Language Models: Techniques, Enhancements, Applications, Collaboration with LLMs, and Trustworthiness” (Wang et. al).
Why is this important? Small Language Models (SLMs) are increasingly favored because of their low inference latency, cost-effectiveness, efficient development, and easy customization and adaptability. These models are particularly well-suited for resource-limited environments and domain knowledge acquisition, addressing LLMs’ challenges and proving ideal for applications that require localized data handling for privacy, minimal inference latency for efficiency, and domain knowledge acquisition through lightweight fine-tuning.
Italian newspaper, Il Foglio published the world’s first fully AI-generated edition.
Why is this important? The experiment can show the impact of AI technology on the way of working and our daily routines, such as reading the newspaper.
The Tow Center for Digital Journalism conducted tests on eight generative search tools with live search features to assess their abilities to accurately retrieve and cite news content, as well as how they behave when they cannot. (This is a follow-up to a test of ChatGPT search in last November.)
Why is this important? As AI search tools are rapidly gaining in popularity, often replacing traditional search engines, their reliability and accuracy is a crucial issue. From the test results, it seems that such AI search tools still have a lot of work to do to improve their accuracy.
McKinsey published a report on “The state of AI - How organizations are rewiring to capture value.“ (The online survey was conducted from July 16 to July 31, 2024, and garnered responses from 1,491 participants in 101 nations.)
Why is this important? The report provides key insights into how companies are trying to address the challenges of AI within their organizations, how they are adapting, and what organizational changes are being considered.