Ireland data protection newsletter - Issue 21

Welcome to our latest Data Protection Newsletter, where we explore key data protection and AI developments. This edition covers essential updates and insights to help your organisation stay compliant and informed.

In this issue, we cover:

EDPB Guidance on Privacy Risks in LLMs

On 10 April 2025, the European Data Protection Board (EDPB) published guidance on privacy and data protection risks in Large Language Models (LLMs). This guidance, researched by an international pool of experts, identifies 11 key risks and provides controls and mitigations for developers and deployers.

AI Act Enforcement

The EU's Artificial Intelligence Act (AI Act) came into force on 1 August 2024, with phased enforcement beginning on 2 February 2025. The first phase prohibits using AI systems deemed to be of "unacceptable risk" and mandates AI literacy for all organisations using AI systems. Organisations must document AI systems, design tailored training materials, and conduct AI impact assessments to ensure compliance.

Pseudonymisation Guidance

The EDPB has issued draft guidance on pseudonymisation, a technique that enhances data protection by processing personal data so that it cannot be attributed to a specific individual without additional information. This guidance outlines the standards the EDPB expects and provides practical steps for implementing pseudonymisation effectively, ensuring that personal data is protected and compliance is maintained.

Meta's AI Training Practices

Meta has recommended training its AI models using public data from Facebook and Instagram. This includes posts, comments, and photos, but excludes messaging. Users will be notified through in-app notifications and can opt out. This development highlights the importance of transparency and compliance with data protection regulations in AI training practices.

TikTok's Data Transfer Fine

The Data Protection Commission (DPC) has fined TikTok €530 million for failing to comply with the requirements governing data transfers to China. This enforcement action underscores the importance of conducting thorough Data Transfer Impact Assessments and ensuring compliance with GDPR. TikTok's case serves as a reminder of the critical need for robust data protection measures in international data transfers.

EU-US Data Privacy Framework

Following the Schrems II decision, the Data Privacy Framework (DPF) was introduced to protect EU citizens' data in the US. However, recent developments indicate potential challenges to the framework's viability. Organisations are advised to maintain strong privacy programs and standard contractual clauses to ensure compliance and protect personal data amidst evolving regulatory landscapes.
