INTERNATIONAL 

EUROPEAN UNION

6. Guidelines issued on Definition of ‘AI System’ under AI Act[8]

The European Commission has released guidelines to clarify the definition of an ‘AI system’ under the AI Act, which came into force on August 1, 2024. These guidelines aim to assist AI developers, businesses, and regulators in determining whether a system qualifies as an AI system under Article 3(1) of the AI Act, ensuring effective application and enforcement of the law.

The AI Act defines an AI system as a machine-based system designed to operate with varying levels of autonomy and, in some cases, adaptiveness. The guidelines outline 7 core elements that determine whether a system qualifies as ‘AI’, covering aspects like autonomy, inference capabilities, and interaction with the environment. While the definition of an AI system became applicable on February 2, 2025, the guidelines are yet to be adopted. However, they serve as an essential reference for AI providers and regulatory bodies across the EU. These guidelines also work alongside the European Commission’s guidelines on prohibited AI practices, ensuring clarity on the types of AI systems and their compliance obligations.

By providing a structured interpretation of AI, these guidelines help businesses assess whether their AI models are subject to regulatory oversight. This ensures greater legal certainty for AI developers while promoting responsible innovation. Companies operating in the AI sector must now carefully evaluate their systems against these criteria to determine regulatory obligations under the AI Act.

7. EU Parliament highlights Legal Uncertainty over AI Bias Detection under GDPR & AI Act[9]

A recent EPRS report highlights legal challenges in addressing AI bias due to conflicting provisions in the AI Act and GDPR. The conflict between the AI Act and GDPR arises from how each regulation treats the processing of special categories of personal data, such as ethnicity, biometric data, and racial origin, which are crucial for detecting and mitigating AI bias.

While the AI Act allows data processing to correct bias, the GDPR imposes heavy restrictions, making it legally uncertain when and how AI systems can process sensitive data. The core issue is whether AI bias correction qualifies as a ‘substantial public interest’ exception under GDPR, as no clear legal basis currently exists. This ambiguity could create legal risks for businesses deploying AI systems while trying to comply with both laws. As such, the report suggests that guidance from regulators or legislative reforms may be needed to clarify how AI developers can legally process sensitive data for bias detection without violating GDPR.

8. CJEU clarifies Pseudonymisation and GDPR Applicability in EU Institutions^[10]

In European Data Protection Supervisor v. Single Resolution Board [Case C-413/23 P], CJEU examined whether pseudonymised data remains ‘personal data’ under GDPR when different entities hold the key to re-identification. The dispute arose over whether pseudonymised information processed by one entity ceases to be personal data if another entity retains the means to reverse the pseudonymisation.

The CJEU ruled that pseudonymised data remains personal data if any entity—whether the processor or another party—can re-identify it. The court emphasized that pseudonymisation enhances data security but does not remove the data from GDPR’s scope if re-identification is feasible.

9. Guidelines for Use of Cookies Released[11]

In Switzerland, Guidelines on Data Processing Using Cookies (“Guidelines”) were released to establish a proper framework on the use of cookies for data collection and data processing. The Guidelines apply to website operators and third-party services handling user data and emphasize compliance with principles such as transparency, proportionality, and informed consent.

Key provisions require clear disclosures on cookie usage, distinguishing between essential and non-essential cookies, and mandating opt-in consent and assessment through DPIA for high-risk profiling or sensitive data processing. Additionally, to counter dark patterns, websites must ensure that rejecting cookies is as simple as accepting them, preventing misleading user interface elements such as pre-ticked checkboxes, that manipulate user choices. Further, a ‘two-click solution’ is recommended to block third-party tracking scripts before user approval.

10. Preliminary Ruling holds that Companies must balance AI Transparency and Trade Secret Protections under GDPR[12]

In CK Interested parties: Dun & Bradstreet Austria GmbH [Case C-203/22], the CJEU examined the balance between GDPR transparency obligations and trade secret protections. The case arose after a consumer was denied a mobile contract based on a credit rating and requested access to the logic behind the decision under Article 15(1)(h) GDPR, which grants individuals the right to access their personal data and understand how automated decisions affecting them are made. However, the company refused, citing trade secrets, and the matter was eventually referred to CJEU.

The CJEU’s opinion, issued on September 12, 2024, states that companies must disclose key parameters, weighting factors, and personal data used in automated decisions but may withhold technical algorithmic details if they qualify as trade secrets. However, businesses cannot refuse transparency entirely and must provide sufficient explanation for individuals to assess the decision’s fairness. However, this is a preliminary ruling, and the final judgement is yet to come.

11. Class Action against Amazon over Alleged Unlawful Geolocation and Health related Data Collection[13]

A class action lawsuit has been filed against Amazon.com, Inc. and Amazon Advertising, LLC (“Amazon”), accusing the tech giant of unlawfully collecting and monetizing users’ location data that also unveiled users’ visits to medical facilities or health service providers, thereby revealing potential health conditions or concerns without their consent. The lawsuit alleges that Amazon’s Ads Software Development Kit (“SDK”)—integrated into thousands of third-party mobile apps—secretly collected users’ real-time location data, which, in turn, enabled access to sensitive health-related information such as visits to a cancer clinic, fitness routines, dietary habits, and even social determinants of health by indicating where a person lives and works.

The complaint alleges that Amazon used this data for targeted advertising and also sold it to third parties for profit, all without properly informing users. It further alleges that Amazon failed to provide transparency regarding its data collection practices, misleading users into believing their personal information was secure and as a result, has violated multiple state and federal laws. The lawsuit seeks monetary damages, restitution, and injunctive relief to prevent further data collection without consent.

This case could have far-reaching implications for data privacy in digital advertising, particularly regarding the use of SDKs by major tech companies to track user behaviour. If the court rules in favour of the plaintiffs, it may set a new precedent for stricter data privacy regulations and enforcement. Companies relying on user data for targeted advertising may need to reassess their data collection practices to ensure compliance with evolving legal standards.

12. Home Depot loses Appeal over Insurance Coverage for Data Breach Losses[14]

The U.S. Court of Appeals for the Sixth Circuit has ruled against Home Depot (the “Company”), a leading home improvement retailer, in Home Depot, Inc. v. Steadfast Insurance Company and Great American and Assurance Company [No. 23-3720]. The case involved Company’s attempt to claim insurance coverage for financial losses resulting from a massive data breach that exposed millions of customers’ payment card details.

Back in 2014, the Company suffered a cyberattack when hackers stole customer payment card information from its self-checkout terminals. Financial institutions were forced to cancel, and reissue compromised cards, monitor fraud risks, and compensate for fraudulent transactions, leading to substantial losses. After settling these claims for USD 170 million, Company’s cyber insurance covered USD 100 million, but the Company sought additional coverage under its commercial general liability policies (“Policy”) with Steadfast and Great American. The insurers denied coverage, arguing that the Policy excluded losses related to electronic data breaches and only applied to tangible property damages. They also refused to defend the Company in lawsuits filed by banks, prompting the Company to challenge the decision in court.

The court agreed with the insurers that electronic data does not qualify as tangible property under the policy terms, making the loss of customer payment information ineligible for coverage. Additionally, the court found that the Policy explicitly excluded damages resulting from electronic data breaches, including claims related to the loss of use of such data. As a result, since the claim fell outside the scope of coverage, the insurers had no legal obligation to defend the Company in lawsuits filed by financial institutions seeking compensation for fraud-related losses.

13. Data Law Amendment mandates 15 days’ Notification for Breach[15]

New York State Senate amends Section 899-aa of the General Business Law, 2012, strengthening data breach notification requirements for businesses handling personal information of New York residents. Businesses are now required to notify affected individuals within 15 days of discovering a breach, replacing the previous requirement of notifying ‘in the most expedient time possible’. This amendment also applies to third-party data holders.

In addition to data breach notifications to affected individuals, businesses must now report data breaches to four state agencies: the New York Attorney General, the Department of State, the Division of State Police, and the Department of Financial Services. The bill also clarifies that reporting to authorities must not delay notifications to affected individuals.

14. Lawsuit over Unauthorized Sale of Consumer Driving Data[16]

The State of Arkansas, has filed a lawsuit against General Motors LLC (“GM”) and OnStar LLC (“OnStar”) in the Circuit Court of Phillips County, alleging violations of the ADTPA. The lawsuit accuses GM and OnStar of secretly collecting and selling consumer driving data to third-party data brokers without proper consent. The complaint states that GM’s telematics system tracked data such as trip start and end times, speed, high-speed driving percentage, late-night driving, acceleration and braking habits, and location information, even for drivers who did not enrol in OnStar services. This data was allegedly sold to brokers, including Verisk, LexisNexis, and Wejo, who then resold it to insurance companies, potentially affecting consumers’ insurance premiums, coverage decisions, or policy cancellations. GM reportedly continued these practices for years before ending its agreements with LexisNexis and Verisk due to an investigation by the New York Times on the matter.

The lawsuit alleges multiple legal violations, including deceptive trade practices, failure to disclose material facts, unconscionable business practices, and unjust enrichment. It claims that GM misled consumers by failing to clearly disclose in its lengthy privacy policies—some over 36 pages long—that their driving data could be sold to third parties. Additionally, GM is accused of using deceptive interface designs to obscure its data collection practices. The complaint seeks an injunction to stop GM and OnStar from collecting and selling driver data without informed consent, civil penalties of up to USD 10,000 per violation under the ADTPA, and the disgorgement of profits obtained from the sale of consumer driving data.

15. Western Australia enacts Privacy and Information Sharing Law[17] 

The Privacy and Responsible Information Sharing Act 2024 (“PRIS Act”) has been enacted in Western Australia, introducing a legal framework for handling personal information by public entities, ministers, and service providers. It aims to balance privacy protection with responsible data sharing, ensuring secure and transparent management of personal data. It establishes a ‘Chief Data Officer’ to oversee data governance and privacy safeguards, ensuring compliance with the law.

The PRIS Act also mandates data de-identification measures to protect individuals’ privacy when sharing personal information. Additionally, it amends ‘Freedom of Information’ laws to enhance public access to Government-held data, promoting transparency while maintaining strong privacy protections.

Australia is rapidly advancing its cybersecurity and data governance framework, demonstrating a commitment to stronger regulatory oversight. Following the introduction of three new cyber law bills, the passage of the PRIS Act marks another step toward enhancing data privacy, transparency, and responsible information use. By creating structured policies for data sharing, security, and public access, Australia is positioning itself as a well-regulated jurisdiction, balancing innovation with privacy protections to safeguard citizens’ data in an evolving digital landscape.

16. AML/CFT Regulations amended to Tighten Oversight of Digital Asset Transactions[18]

Australia has passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 to enhance its financial crime prevention framework. The amendment expands AML/CTF obligations to previously unregulated sectors, including lawyers, accountants, and real estate agents. Key reforms introduce stricter customer due diligence, enhanced reporting structures, and increased AUSTRAC enforcement powers. The amendment also tightens rules on VASPs and information-sharing mechanisms.

Key legal changes also focus on implementing the ‘Travel Rule’ which mandates the sharing of transaction information between parties for digital asset transfers, ensuring better transparency and monitoring. Additionally, the scope of ‘digital assets’ has expanded to include Non-fungible Tokens (NFTs), stablecoins, and governance tokens, requiring VASPs to apply AML/CTF measures to a broader range of assets. These amendments align with international standards and aim to combat illicit activities such as money laundering and terrorism financing in the rapidly evolving digital asset space. The implementation will be phased, with major provisions taking effect between 2026 and 2027.

17. Updated Guidelines on Employment Data Collection and Retention Released[19]

The UK Information Commissioner’s Office has issued Employment practices and data protection: keeping employment records (“Guidelines”) on collecting and maintaining employment records under UK GDPR and the DPA. The Guidelines outline employers’ responsibilities regarding the lawful collection, processing, storage, and retention of employee data. Covered data includes personnel records, payroll details, performance evaluations, disciplinary records, and health-related information, with additional safeguards required for sensitive categories such as biometric and criminal records data.

The Guidelines apply to all UK employers including public organizations, requiring them to establish a lawful basis for data collection, limit retention periods, ensure transparency, and implement security measures to protect employee privacy. Employers must also grant employees’ rights over their data including access, correction, and erasure requests. The Guidelines emphasize responsible data management, pushing organizations to review internal policies and avoid potential regulatory penalties.

18. UK Draft Guidelines addressing ‘Online Gender-Based Harms’ Released

Ofcom’s draft guidance, A Safer Life Online for Women and Girls[20] (“Draft Guidelines”) published on February 25, 2025, is part of the implementation of the Online Safety Act 2023 (“OS Act”) and sets out mandatory and recommended actions for online service providers to tackle online gender-based harms. The Draft Guidelines identifies 4 main categories of online gender-based harms – ‘Online Misogyny’, ‘Pile-ons and Harassment’, ‘Online Domestic Abuse’, and ‘Image-based Sexual Abuse’ and outlines 9 key actions for service providers covering risk assessments, safer platform design, reporting mechanisms, and enforcement against violators. The Draft Guidelines take a safety-by-design approach, requiring companies to implement pre-set security measures, AI-based content moderation, and effective reporting tools. Once finalized, companies will be assessed for compliance 18 months after implementation, with enforcement actions where necessary. This regulatory framework marks a major shift in accountability for online platforms, setting new safety standards to address gender-based harms.

The public consultation period remains open until May 23, 2025.

19. Court rules on DAO Governance and emphasized on Liability of Companies in matters of Financial Oversight[21]

The Hong Kong Court of First Instance, in Mantra DAO Inc. & RioDefi Inc. v. John Mullin and Others [HCA 749/2022 [2024] HKCFI 2099], ruled on a dispute concerning financial control, governance, and asset misappropriation within a Decentralized Autonomous Organization (“DAO”) finance platform. The plaintiffs accused the defendants of unlawfully taking control of the DAO, withholding financial records, and misusing project funds. The defendants argued that DAO governance is decentralized and managed by token holders, not a single entity. The central issue was whether the defendants breached contractual and fiduciary duties by withholding financial records and misusing project funds.

The court acknowledged the complex governance structure of DAOs but held that decentralization does not exempt entities from financial accountability. It granted an ‘Accounts Disclosure Order’, requiring the defendants to provide financial records from January 1, 2021, onwards. The ruling sets a key precedent, reinforcing that DAOs, despite their decentralized nature, are still subject to legal and financial oversight.