Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.

The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

  1. Consent. A company may process personal information if it collects

Attorneys familiar with the European GDPR are acquainted with the bifurcation of the world into controllers and processors. For purposes of European data privacy, a “controller” refers to a company that either jointly or alone “determines the purposes and means” of how personal data will be processed.[1] A “processor” refers to a company (or

Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt” as the user is prompting the AI to initiate an action, or to create additional information. Prompts can take different forms such as text prompts or image

Data is typically needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – in order to recognize patterns and predict results.

Companies that utilize personal information to train an AI may either be acting as a controller or a processor depending on the degree of discretion they

Data typically is needed to train and fine-tune modern artificial intelligence models. AI can use data – including personal information – in order to recognize patterns and predict results.

The EU’s General Data Protection Regulation (GDPR) permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

Data protection authorities worldwide, including France’s Commission Nationale de l’Informatique et des Libertés (CNIL), the California attorney general (CAG), and the U.S. Federal Trade Commission (FTC), recently have indicated their intention to increase privacy enforcement efforts against mobile apps. As the digital landscape continues to evolve, data protection and privacy concerns remain

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (non-EEA)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject - Data Subject→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor.”1 As a result, the