Incident response
The UK Government’s consultation on proposals for new ransom payment prevention and reporting regime
Since the government’s announcement last year, Kennedys has been closely monitoring proposals to introduce a new ransom payment prevention and reporting regime for businesses. The three-part plan is unsurprisingly stirring up plenty of heated discussions amongst businesses, incident response providers and insurers alike.
The evolving ways in which cybercriminals are leveraging AI in early 2025
In our recent webinar covering emerging trends in cyber and data, Kennedys’ global cyber team shared their predictions for 2025.
One such prediction was an evolution in the way AI will be leveraged by cybercriminals in order to increase the effectiveness of social engineering methods as a mechanism to secure access to an organisation’s systems.
Data privacy
Training AI models – European Data Protection Board’s opinion and recent developments
The rapid integration of artificial intelligence (AI) across various sectors raises a pivotal question: How can organisations ensure that their AI models comply with the stringent requirements of the General Data Protection Regulation (GDPR)?
On 17 December 2024, the European Data Protection Board (EDPB) issued Opinion 28/2024 on personal data processing in the context of AI models, providing crucial guidance in response to four main queries raised by the Irish Data Protection Commission (DPC) in September 2024.
The Data (Use and Access) Bill: Latest amendments and legal implications
The Data (Use and Access) Bill (DUAB) continues to evolve as it progresses through Parliament. Key amendments were introduced during the House of Lords debates in January and February 2025, and the Bill currently awaits a date for Report stage in the House of Commons.
On 10 February 2025, the Information Commissioner's Office (ICO) issued an updated response to the Bill, broadly supporting the Bill while raising concerns about children's data protection rights and the clarity needed on Automated Decision-Making (ADM).
Additionally, DUAB introduces new ICO responsibilities, including ensuring specific protections for children’s personal data, overseeing web crawler use, and developing new codes of practice.
Why complying with DORA may be beneficial for your business in the EU and the UK
On 17 January 2025, the Digital Operational Resilience Act (DORA) took effect across the EU. DORA is designed to streamline ICT (Information and Communication Technology) risk management, introducing sweeping changes for both EU financial entities and ICT service providers, including those based outside the EU.
Following the EU AI Act coming into force in August 2024, additional key provisions relating to prohibited AI practices and AI literacy requirements came into force on 2 February 2025.
This was the first of a number of implementation milestones for the Act’s requirements, which are set to continue through to full implementation by August 2027. Alongside these provisions coming into force, the European Commission has published guidance regarding the factors to be considered as to when a system will amount to a prohibited system as defined under the Act. The Commission also released guidance concerning the definition of an AI system and the key components system providers will need to consider in determining whether a software system constitutes an AI system. These are currently draft guidelines which, although approved, are still to be formally adopted by the Commission.
Case developments
A catalyst for collective redress and the future of EU data transfers
Bindl v European Commission [08.01.25]
In a striking turn for GDPR enforcement, this seemingly benign case could precipitate a wave of collective redress class actions against big tech.
The decision by the EU General Court has sent ripples across the data protection landscape. Although the €400 compensation awarded may seem nominal, its legal and practical implications could fundamentally reshape how data breaches and cross-border data transfers are handled within the EU. The judgment touches upon crucial aspects of enforcement under EU data protection law, including non-material damages and regulatory compliance in cross-border data transfers, raising significant questions about the road ahead.
The Second Circuit’s Salazar v. NBA decision: expanding liability under the VPPA
The Second Circuit’s long-awaited decision has set a new precedent that broadens the scope of liability under the Video Privacy Protection Act (VPPA). By significantly expanding the definition of a “subscriber,” the ruling introduces fresh compliance challenges for businesses offering video content on their websites.