Data

Using AI in healthcare: Helping to Stay HIPAA compliant

Wed, 08 Apr 2026 19:29:00 Z

Healthcare providers are rapidly adopting AI for clinical and operational uses, often involving protected health information that is governed by HIPAA’s Privacy Rule.

Financing data centers in Türkiye: Legal and financial landscape

Utku Ünver, Ezgi Alkım — Mon, 30 Mar 2026 13:21:21 Z

With growing demand and government support for data center development in Türkiye, we explore the key legal and financial considerations.

Data centres and AI infrastructure: Expectations for Australian developers

Ka-Chi Cheung, Peter Mulligan, Lisa Fitzgerald, Michael Muratore — Mon, 30 Mar 2026 13:08:52 Z

The Australian Government will prioritise proposals based on national interest, the energy transition, water usage, workforce development, and research and innovation.

Regulating AI in Australian financial services: Practical guidance for compliance

Lisa Fitzgerald, Peter Mulligan, Ka-Chi Cheung, Bernard O'Shea — Mon, 09 Mar 2026 14:02:18 Z

This article examines how Australian financial regulators approach artificial intelligence, summarising key guidance from ASIC, APRA, OAIC and AUSTRAC and setting out practical compliance considerations for firms, boards and executives.

Privilege challenges in the era of generative AI

Ellen Blanchard, Marc B. Collier, Susana Medeiros, Ethan Glenn, Susan Linda Ross — Wed, 04 Mar 2026 15:33:00 Z

Generative AI is quickly becoming part of everyday legal work, but recent court decisions show it can also create real risks for attorney client privilege.

Video gaming: Navigating cybersecurity legal and technological challenges

Jasper Geerdes, Jurriaan Jansen — Tue, 25 Nov 2025 14:07:17 Z

The video gaming industry is an alluring target for cyber criminals. In response, regulators in various jurisdictions have sought to bring video gaming into scope of critical infrastructure legislation or have adopted sector-specific rules.

Financing data centres: European overview

Joris Ravelli, Daniel Metcalfe, Christian Lambie — Tue, 28 Oct 2025 11:16:08 Z

Once considered a niche segment within real estate and infrastructure, data centres have rapidly matured into a fully established asset class in their own right, driven by their role as critical digital infrastructure.

Banks outsourcing to the cloud: The economic drivers and regulatory implications

James Russell, Kerri Gevers, Kelsey Oosthuizen, Rosie Nance — Mon, 15 Sep 2025 13:27:45 Z

The financial services sector is becoming increasingly reliant on cloud service providers (CSPs) to fulfil its growing data processing and storage needs. Financial services providers in the United States have reportedly had the highest levels of adoption, operating 54 percent of their workloads in the cloud; and according to the European Central Bank, banks spent 13.5 percent more on cloud outsourcing in 2024 than in 2023.

Another contract remediation exercise for EU financial entities?

Kerri Gevers — Wed, 10 Sep 2025 10:04:30 Z

The European Banking Authority (EBA) is currently consulting on its draft guidelines on the sound management of third party risk (Draft Guidelines), which are intended to replace the 2019 guidelines on outsourcing arrangements (2019 Guidelines).

Can you access your outsourced data?

Kerri Gevers — Mon, 01 Sep 2025 13:03:29 Z

Financial regulators globally emphasise the importance of financial entities being operationally resilient, which includes the ability to manage and recover from disruptions caused by their service providers. The topic receives significant attention in the financial services sector because the sector is regulated, with the aim of promoting financial system stability.

Do your technology and outsourcing contracts properly address liability for cyber incidents?

James Russell, Kerri Gevers — Tue, 01 Jul 2025 14:48:34 Z

Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which proves to be the most vulnerable to cyber breaches and security issues.

Navigating regulatory challenges in data centres

Thu, 01 May 2025 13:59:34 Z

Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that can significantly impact the business and any investment in, or financing of, data centres.

12th Annual European Data Protection Conference

Marcus Evans, Christoph Ritzer, Jurriaan Jansen, Nadège Martin — Tue, 30 Jul 2024 12:16:57 Z

Please join us at our 12th Annual European Data Protection Conference.

Ontario government introduces new bill for strengthening cybersecurity and for responsible AI

Imran Ahmad, Domenic Presta — Wed, 19 Jun 2024 10:36:00 Z

The Government of Ontario recently introduced the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Bill 194) seeking to strengthen cybersecurity programs in the public sector and provide the groundwork for the responsible use of artificial intelligence (AI) among various public sector entities. If passed, Bill 194 will enact the Enhancing Digital Security and Trust Act, 2024 (the Act) and significantly amend the Freedom of Information and Protection of Privacy Act (FIPPA).

Singapore proposes Governance Framework for Generative AI

Marcus Evans, Wilson Ang, Jeremy Lua — Sun, 04 Feb 2024 16:47:00 Z

On 16 January 2023, Singapore’s Infocomm Media Development Authority (IMDA), in collaboration with the AI Verify Foundation, announced a public consultation on its draft Model AI Governance Framework for Generative AI (Draft GenAI Governance Framework), showing the areas where future policy interventions relating to generative AI may take place and options for such intervention.

UK Information Commissioner’s Office Publishes Final Guidance On Employee Monitoring

Thu, 12 Oct 2023 14:59:00 Z

The UK Information Commissioner’s Office (ICO) published its final guidance on monitoring workers on 3 October 2023 (the Guidance).

An overview of the European digital strategy

Polina Maloshchinskaia — Tue, 26 Sep 2023 16:08:00 Z

We have published an article, EU: An overview of the European digital strategy, explaining the aims and key components of the EU digital strategy, outlining at a high-level key legislation that has been published in this space in the past three years and highlighting the way in which the various legislative instruments interact with each other and with European data privacy rules.

Privilege, privacy and confidentiality; unlike confidentiality, reasonable expectation of privacy is not a precursor to privilege

Farah Mukaddam — Wed, 08 Feb 2023 12:02:32 Z

The Commercial Court in Jinxin Inc v Aser Media Pte Ltd and others & Others has ruled that an employer’s right to monitor and access private information of an employee held on its systems does not extend to a loss of confidentiality in those documents, and therefore a loss of privilege, as against the employer.

The servant of two masters: ICO and OFCOM Joint Statement on Online Safety and Data Protection – coordination so service providers can comply with both

Marcus Evans — Tue, 06 Dec 2022 09:49:19 Z

On 25 November 2022, the UK Information Commissioner’s Office (ICO) and the Office of Communications (OFCOM) (together, the Regulators) released a joint statement setting out their shared views on the interactions between online safety and data protection (the Statement).

The proposed EU Cyber Resilience Act: what it is and how it may impact the supply chain

Polina Maloshchinskaia — Mon, 17 Oct 2022 15:12:23 Z

On 15 September 2022, the European Commission published its proposal for a new Regulation which sets out cybersecurity related requirements for products with “digital elements”, known as the proposed Cyber Resilience Act (the CRA).

EU Vehicle Data Consultation and the evolving EU regulatory landscape for connected vehicles

Jay Modrall — Tue, 12 Apr 2022 08:41:16 Z

In the coming years, data collected by vehicles will be subject to a new EU regulatory regime consisting of horizontal rules applicable across many industries and vertical rules designed specifically for the automotive sector. In February 2022, the EU Commission adopted a proposal for a new Data Act, which sets out overall principles for data access to connected products, introducing user rights to access and share data, contractual principles for business-to-business data exchange, and switching principles for cloud services. However, according to the Commission, the Data Act may not go into sufficient detail for the provision of data-dependent services in the automotive sector.

High Court rejects claim blockchain developers owe duties to users

Adam Sanitt — Tue, 29 Mar 2022 15:10:00 Z

The latest instalment in the Tulip Trading v Bitcoin Association litigation has been greeted with relief by many in the blockchain community, after the High Court threw out a claim that bitcoin developers (including several bitcoin forks) owed a duty of care or a fiduciary duty to an alleged owner of bitcoin. But the Court did not rule out duties being owed in other circumstances – distributed ledger technology developers, miners and users should all beware that the risk of unexpected liability has not been completely eliminated.

Copyright protection for AI-created work?

Maya Medeiros, David Yi, William Chalmers — Mon, 21 Mar 2022 16:04:00 Z

Artificial intelligence (AI) systems are capable of creating a wide range of artistic, musical, and literary works and inventions without human involvement. These AI creations raise challenges to intellectual property (IP) frameworks.

Digital Health 2022

Roger Kuan, Jason Novak — Tue, 08 Mar 2022 15:08:50 Z

Norton Rose Fulbright lawyers Roger Kuan and Jason Novak contributed several chapters to Digital Health 2022 International Comparative Legal Guide, published by GLG, which is a leading global platform for legal reference, analysis and news. Kuan also served as a contributing editor for the publication.

Facebook data "scraping" claim lacks some basis in fact

Randy Sutton — Fri, 25 Feb 2022 12:16:00 Z

The Supreme Court of British Columbia recently dismissed an attempt to certify a class action lawsuit against Facebook after the court found the plaintiffs failed to provide some “basis in fact” for their central allegation – that Facebook engaged in unauthorized data scraping.

Intellectual property rights in the Metaverse

Daniel Daniele — Mon, 21 Feb 2022 17:00:00 Z

The metaverse will offer an immersive digital world that feels physical and tangible in nature. Interacting with metaverse has the opportunity to shift the internet in a new direction and pose new intellectual property rights for developers, contributors, and users.

Privacy in a parallel digital universe: The Metaverse

Imran Ahmad, Tiana Corovic — Fri, 28 Jan 2022 12:22:00 Z

For many years, the immersive three-dimensional digital world has been left to the cinematic experience. However, the emergence of the metaverse presents an opportunity to translate everyday activities – working, attending a concert, travelling, shopping, socializing – into a parallel digital universe.

Meta: Cracking the door open for data-related class actions?

Helen Fairhead, Emilia Radley — Thu, 27 Jan 2022 17:17:00 Z

The announcement on 14 January 2022 of a proposed competition collective action against Meta (formerly Facebook) is the latest in a number of collective actions against the tech giants, including Apple and Google, and is of particular interest owing to the subject matter – namely data collection practices.

Where data meets IP - protecting business data in a commercial context

Imran Ahmad — Mon, 15 Nov 2021 11:15:47 Z

In this publication we give some some practical tips that businesses transacting with data should consider when licensing their data to third parties.

Good news for data controllers: Lloyd v Google Supreme Court decision

Thu, 11 Nov 2021 10:30:00 Z

On 10 November 2021, the UK Supreme Court handed down the much anticipated judgment in Lloyd v Google LLC [2021] UKSC 50, unanimously allowing Google’s appeal and reversing the decision of the Court of Appeal.

Where Data Meets IP

Imran Ahmad — Mon, 08 Nov 2021 11:29:12 Z

One key strategy to protect your business’ data is to characterize, and protect, that data as intellectual property.

The UK National AI Strategy: Regulation, data protection and IPR in the mix

Marcus Evans, Michael Sinclair — Mon, 27 Sep 2021 15:29:11 Z

The UK Government has published its National AI Strategy.

Digital transformation: Key technology, cybersecurity and privacy risks

Imran Ahmad — Thu, 09 Sep 2021 08:19:48 Z

In this blog we discuss the risks associated with digital transformation from technology, cybersecurity and privacy perspectives.

OSFI releases updated cyber security self-assessment: Part 2

Imran Ahmad, Katherine Barbacki, Roxanne Caron — Mon, 06 Sep 2021 08:44:41 Z

Part two of this update tackles OSFI’s Self-Assessment tool, which is seeing its first update since 2013.

OSFI announces new requirements for reporting technology and cyber incidents: Part 1

Imran Ahmad — Thu, 26 Aug 2021 16:06:23 Z

The OSFI has released an updated Technology and Cyber Security Incident Reporting Advisory and new requirements for the Cyber Security Self-Assessment. Part one of this update will discuss the changes that have been made.

EU’s possible Data Act

Jay Modrall — Thu, 01 Jul 2021 11:53:06 Z

Response to to the Consultation and Inception Impact Assessment are bound to shape the future of EU’s digital economy.

Max Schrems’ NGO, noyb, submits mass cookie law compliance complaints

Mon, 14 Jun 2021 08:32:56 Z

Max Schrems’ privacy NGO, noyb, submits hundreds of draft complaints to companies across the Europe about their cookie law compliance.

Top practical tips on the preservation, collection and review of mobile data in investigations

Andrew Reeves, Claudia Van Gruisen, David Harris — Thu, 03 Jun 2021 13:49:18 Z

In this blog we outline practical tips for the preservation, collection and review of mobile data in investigations, which has become particularly important as remote working has accelerated the merger of work and private data.

Technology joint ventures: Partnering for the future

Jill Gauntlett, Victoria Birch, Mike Knapper, Dominic Stuttaford — Thu, 06 May 2021 13:04:00 Z

This article examines the key aspects of joint ventures in the technology sector and the particular issues and challenges that these joint ventures raise.

Think Before You App

Daniel Daniele — Wed, 05 May 2021 09:00:00 Z

As we increase our app use we need to think about the risks to privacy.

Privacy commissioners take position on using facial recognition technology

Imran Ahmad, Sara A. Levine, KC, Alexis Kerr, John Cassell — Thu, 11 Mar 2021 17:11:23 Z

In a joint investigation report, the Privacy Commissioner of Canada, together with the commissioners of BC, Alberta, and Quebec concluded that Clearview AI violated Canadians’ privacy rights under federal and provincial privacy laws by scraping billons of images of people available online to be continually used in what amounted to a virtual “police lineup.”

Proposals for the ePrivacy Regulation: A telecommunications focus

Oliver Stacey, Mark Maurice, Fiona Bundy-Clarke — Wed, 10 Mar 2021 14:48:32 Z

We consider some relevant areas of interest of the recently agreed position on the ePrivacy Regulation for telecommunications companies.

Shaken, not stirred: EU mixes big tech regulation and antitrust

Jay Modrall — Fri, 08 Jan 2021 11:03:15 Z

Jay Modrall discusses the Digital Markets Act (DMA), the European Commission’s regulatory agenda and ongoing antitrust reform agenda in a recent article published by InformaConnect.