Hong Kong New PCPD Guidance on Handling Data Breaches

On June 30, 2023, Hong Kong’s data protection authority (the Office of the Privacy Commissioner for Personal Data, or PCPD) issued an updated version of its Guidance on Data Breach Handling and Data Breach Notifications (the Guidance, accessible here), which aims to guide companies on how they respond to data breaches. In particular, the Guidance contains a new recommendation for companies to adopt written data breach response plans.


Australian Government Commences Public Consultation on National Regulatory Framework for the “Safe and Responsible” Use of AI

On 1 June 2023, the Australian Government published the Safe and Responsible AI in Australia: Discussion Paper (“Discussion Paper”) to seek public feedback on identifying the potential gaps in the existing domestic governance landscape and possible additional AI governance mechanisms to support the “safe and responsible” development of AI. As noted in the Discussion Paper, although AI has been identified as a “critical technology in Australia’s national interest”, AI adoption rates across Australia remain relatively low. A key aim of the Discussion Paper is to inform the Australian Government on the steps that should be taken on AI regulation in order to increase “community trust and confidence in AI”. The Discussion Paper addresses a broad range of AI technologies and techniques, such as self-driving cars and generative pre-trained transformers (also known as GPT), and notes that any AI regulatory framework would need to consider existing as well as possible future uses of AI and any ensuing risks. The Discussion Paper has an eight (8) week consultation period ending on 26 July 2023.


SEC Delays Enactment of Cyber Rules Related to Investment Adviser and Public Companies to October 2023, Updates Timeline to April 2024 for Recently Proposed Cybersecurity Rules

On June 13, 2023, the Office of Management and Budget released its Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, which includes updates on Securities and Exchange Commission (“SEC”) proposed rules.  The SEC pushed back  its estimate for the final action date to October 2023 for its proposed cybersecurity rules related to public companies, as well as for its investment advisers and funds proposal.  Notably, the SEC’s timelines are typically estimates for implementation, and the proposed rules could be introduced sooner or later than these dates. However, the updated timeline indicates that the SEC is prioritizing finalizing its cybersecurity rules related to public companies and investment advisers and funds.


European Parliament Adopts AI Act Compromise Text Covering Foundation and Generative AI

On 14 June 2023, the European Parliament adopted – by a large majority – its compromise text for the EU’s Artificial Intelligence Act (“AI Act”), paving the way for the three key EU Institutions (the European Council, Commission and Parliament) to start the ‘trilogue negotiations’. This is the last substantive step in the legislative process and it is now expected that the AI Act will be adopted and become law on or around December 2023 / January 2024. The AI Act will be a first-of-its-kind AI legislation with extraterritorial reach.


UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.


How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.


EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.


New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).


Upcoming Events



Meet the Team

<a target=‘_blank’ href="">Kwaku A. Akowuah</a>

Kwaku A. Akowuah

Washington, D.C.
<a target=‘_blank’ href="">Sheila A.G. Armbrust</a>

Sheila A.G. Armbrust

San Francisco
<a target=‘_blank’ href="">Francesca Blythe</a>

Francesca Blythe

<a target=‘_blank’ href="">Colleen Theresa Brown</a>

Colleen Theresa Brown

Washington, D.C.
<a target=‘_blank’ href="">John M. Casanova</a>

John M. Casanova

<a target=‘_blank’ href="">Thomas D. Cunningham</a>

Thomas D. Cunningham

<a target=‘_blank’ href="">Tomoki Ishiara</a>

Tomoki Ishiara

<a target=‘_blank’ href="">Amy P. Lally</a>

Amy P. Lally

Century City
<a target=‘_blank’ href="">David C. Lashway</a>

David C. Lashway

Washington, D.C.
<a target=‘_blank’ href="">William RM Long</a>

William RM Long

<a target=‘_blank’ href="">Joan M. Loughnane</a>

Joan M. Loughnane

New York
<a target=‘_blank’ href="">Geeta Malhotra</a>

Geeta Malhotra

<a target=‘_blank’ href="">Alan Charles Raul</a>

Alan Charles Raul

Washington, D.C., New York
<a target=‘_blank’ href="">Jennifer B. Seale</a>

Jennifer B. Seale

Washington, D.C.
<a target=‘_blank’ href="">Yuet Ming Tham</a>

Yuet Ming Tham

Singapore, Hong Kong
<a target=‘_blank’ href="">John K. Van De Weert</a>

John K. Van De Weert

Washington, D.C.
<a target=‘_blank’ href="">Jonathan M. Wilan</a>

Jonathan M. Wilan

Washington, D.C.
<a target=‘_blank’ href="">John W. Woods Jr.</a>

John W. Woods Jr.

Washington, D.C.


To receive email alerts when we post a blog entry, please provide your name and email address.