Paul Sutton, Author at HSP Group
https://hsp.com/author/psutton/

The EU AI Act: Understanding the World’s Strictest AI Law
https://hsp.com/the-eu-ai-act-understanding-the-worlds-strictest-ai-law/
Fri, 08 Aug 2025 20:08:44 +0000

The EU AI Act (AIA) is the European Union’s landmark artificial intelligence law—widely considered the strictest AI regulation in the world. Several of the EU AI Act’s risk-based obligations will take effect by August 2026, especially for high-risk HR uses of AI such as hiring and promotions—meaning companies must start assessments, transparency measures, and governance processes now to avoid costly penalties.

It is designed to heavily regulate how companies develop, deploy, and use AI systems that impact EU citizens. The law categorizes AI systems by risk level, from minimal risk to prohibited, and imposes corresponding compliance obligations.

If your company operates in the EU—or even outside the EU but serves EU customers—understanding the EU AI Act is essential to avoid fines that can reach €35 million or 7% of global revenue.

Which companies must comply with the EU AI Act?

Simply put, if your company is using AI tools that affect people living in the EU—directly or indirectly—you are subject to the EU AI Act. This applies whether your company operates within the EU or is based outside the EU (including the US) but uses AI in ways that impact EU residents. 

Let’s take a look at what that means in more depth. For starters, a company operating inside the EU is bound by the new law. A company based outside the EU can be covered as well: for example, a US company that offers an AI-driven app to EU residents falls under the AIA. If, however, a US company only operates in the US, the EU AI Act wouldn’t apply.

 

How does the EU AI Act work?

The application of the AIA depends on a variety of factors, including:

  • The specifics of the AI technology involved
  • How AI is used
  • The role of the individual using that AI.


The law also prohibits the use of certain types of AI systems that present an unacceptable risk to EU citizens. The EU AI Act classifies AI systems into categories based on their potential risk to health, safety, or fundamental rights:

 

1. Prohibited AI systems under the AIA include:

  • Certain AI systems for biometric categorization and identification
  • AI systems that deploy subliminal techniques, exploit vulnerabilities or manipulate human behavior
  • AI systems for emotion recognition in law enforcement, border management, the workplace and education
  • AI systems for the social scoring evaluation or classification of natural persons over a period of time based on their social behavior

 

2. High-Risk AI systems (HRAIS):

The EU considers these systems to pose a high risk to the health, safety, or fundamental rights of EU citizens. Therefore, they carry the most robust obligations.

Examples of high-risk AI systems include:  

  • AI systems used to determine prospective students’ access to institutions of higher learning, or in assessing students. This includes screening prospective students or using AI to grade exams.
  • AI systems used in the insurance and banking sectors
  • AI systems used by HR teams for the recruiting and hiring of employees. Examples include placing job ads, scoring candidates, screening or reviewing job applications, and using AI for decisions related to employee performance, promotions or terminations.

 

Compliance requirements for high-risk AI systems:

The requirements for companies or individuals using HRAIS are robust. For example, they can require that a company using HRAIS include accompanying instructions for its use of that AI. These instructions may need to cover topics such as record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity (the requirement for resilience to cyber-attacks). Further obligations may include carrying out fundamental rights impact assessments, among others.

 

3. Limited risk AI systems:

This category covers risks associated with the lack of transparency about AI usage. It requires companies to be explicit and transparent in their use of AI. 

Examples of limited-risk AI systems include:

  • AI-driven chatbots that interact with customers
  • Automated decision-making tools to aid HR professionals in screening resumes
  • AI-powered content generation tools used to create marketing materials 

 

Compliance requirements for limited-risk AI systems:

Requirements focus on ensuring that EU citizens are aware of AI’s role as they interact with or are affected by these systems. Requirements could include:

  • Clearly informing users when they are interacting with AI (rather than a human).
  • Providing documentation that explains how AI-driven decisions are made and allowing users to contest AI-driven decisions with a human being.
  • Indicating that content was generated with the use of AI.

 

4. Minimal-risk AI systems:

The minimal-risk category covers AI systems used to perform relatively simple tasks for convenience or efficiency that involve no interaction with EU citizens.

Examples of minimal-risk AI systems include:

  • AI spelling and grammar checkers
  • AI-powered recommendations (algorithms) for suggesting content, like movies or articles
  • AI chat assistants that simply provide general information (no decision-making ability)

 

Compliance requirements for minimal-risk AI systems: 

While the minimal-risk category does not have any compliance requirements, the law does offer recommendations for responsible use (for example, ensuring that the content or algorithm doesn’t spread misinformation, providing user transparency, and maintaining privacy and security when processing personal data, to name a few).

 

5. General purpose AI systems (GPAI):  

Apart from the prohibited or high-risk categories, general purpose AI models (GPAI) are the category with the most rigorous requirements. These requirements chiefly focus on documentation and transparency. For larger systems, however, there are also requirements for risk mitigation.

This category covers General Purpose AI Systems (GPAI), which are AI models designed for broad applications across multiple sectors. These systems, including generative AI and foundation models from which other systems can be built, can be integrated into various industries, from healthcare to finance and machine learning. Examples of these AI systems include:

  • Large language models (LLMs) that generate text or images or provide translations. Examples include Gemini, ChatGPT, Google Translate, and DeepL.
  • AI image or video generators
  • Speech recognition models used for voice assistants or automated transcription services

 

Compliance requirements for general purpose AI systems (GPAI):

These requirements generally center around providing technical documentation to show how the model functions and providing training data (for transparency). There are many other requirements, ranging from adhering to copyright laws to rigorous testing, reporting, and risk mitigation for more powerful models.

 

Which area of the EU AI Act is most likely to affect your company?

No matter the industry, most companies are likely to be affected by the high-risk AI category under the AIA. This is because the law explicitly classifies common HR activities as high-risk, meaning they will be subject to strict compliance requirements.

For example, AI systems used in recruitment and hiring—common HR responsibilities—would be classified as high-risk. Tasks such as placing targeted job ads and filtering and screening potential employee applications all use AI to assist in evaluating candidates in some form, thus falling into the high-risk category. Similarly, AI tools that influence decisions on promotions, task assignments, terminations, or performance monitoring based on personal traits or behaviors are also considered high-risk by the AIA.

There’s a good chance that your company is already using (or will use) AI in some of these ways. If your company’s AI systems affect or interact with EU citizens, you’ll now need to ensure that you meet the AIA’s strict obligations for transparency, reporting, and accountability. Fines for non-compliance range from €7.5 million or 1.5% of global annual turnover (whichever is higher) for lower tier infractions and up to €35 million or 7% of global annual turnover (whichever is higher) for higher tier infractions.

 

Who should oversee EU AI Act Compliance within your organization?

As you’ve probably seen, the topic of AI governance and the people responsible for it is still in its nascent stages. Despite the fact that this is a relatively new field of compliance, there are considerable similarities and overlap between data privacy compliance and AI governance. 

Thus, if your company already has a Data Protection Officer (or even an external third party fulfilling this role), consider using this person to oversee AI compliance as well. If that’s not a possibility, you can assign this to someone with the necessary technical skills and appropriate seniority and ability to understand the operation of the AI system in your business.

 

3 Steps to Prepare

If you are currently using AI to interact with EU citizens (or are considering doing so), here are three steps that you can take immediately to avoid the AIA’s strict penalties:

  • Become familiar with the law immediately and review your systems closely to identify any that may fall within the AIA’s risk categories.
  • Make sure that you have assigned an expert individual or third party to oversee AI compliance and make the necessary changes to meet the requirements based on your current usage of AI systems.
  • Leverage proven legal expertise to help you understand the impact of the law on your company’s current and future use of AI systems. HSP’s team of legal and global expansion experts can quickly help you assess your exposure to these new AI regulations in the EU.

How HSP Can Help with EU AI Act Compliance

The EU AI Act introduces several risk-based obligations that will take effect by August 2026—and these will have an immediate impact on companies using AI in high-risk HR activities such as hiring, promotions, and employee evaluations. These requirements include formal assessments, transparency measures, risk mitigation strategies, and documented governance processes to ensure compliance.

HSP helps you prepare now—before the deadlines hit—by:

  • Assessing your AI systems and classifying them under the EU AI Act’s risk categories

  • Designing governance and compliance frameworks tailored to high-risk HR AI applications

  • Implementing transparency protocols, risk assessments, and ongoing monitoring procedures

  • Ensuring alignment with GDPR, data privacy laws, and other applicable EU regulations

Don’t wait until August 2026 to react. The compliance work for high-risk AI systems takes time—starting now will reduce risk, protect your operations, and prevent costly penalties.

Contact us today to schedule your EU AI Act readiness assessment and get a clear, actionable plan for compliance.

HSP is an end-to-end global expansion solutions provider focused on helping companies scale their operations overseas effectively and efficiently. We are the only global expansion expert to offer growing companies a full suite of end-to-end solutions designed to help them scale to any size and country. 

New US-EU Data Transfer Agreement Boosts Global Expansion
https://hsp.com/new-us-eu-data-transfer-agreement-enhances-global-expansion-opportunities/
Wed, 19 Jul 2023 18:22:44 +0000

Introduction

As a leading provider of global expansion solutions, HSP is committed to keeping our customers informed about the latest developments that shape the international business landscape.

Today, we are excited to share significant news regarding the new EU-US Data Privacy Framework. Recently adopted by the European Commission, this agreement marks a crucial milestone in data transfers between the EU and the US.

At HSP, we understand the importance of staying ahead of the curve. This groundbreaking decision ushers in a new era of data privacy and transatlantic collaboration.

Background  

The adoption of the EU-U.S. Data Privacy Framework (Privacy Shield v.3) comes after extensive negotiations between the EU and the US. Negotiations followed the invalidation of the previous EU-U.S. Privacy Shield (v.2) by the Court of Justice of the European Union (“ECJ”) in the Schrems II case.

This ruling created uncertainty and challenges for companies transferring personal data between the EU, the UK, and the US. 

The Adequacy Decision 

The European Commission’s Adequacy Decision affirms that, in principle, the US provides adequate data protection comparable to the EU/UK.

It introduces a new framework that enables EU/UK companies to transfer personal data to US companies without additional transfer safeguard mechanisms, provided the US company is accepted as a member of the Privacy Shield.

It allows them to rely upon the Privacy Shield to validate their deemed compliance with the complex EU/UK rules under the ‘General Data Protection Regulation’ (the “GDPR”) for transatlantic data transfers back to the US.

Without the introduction of this Adequacy Decision, transatlantic data transfers back to the U.S. from the EU/UK ran a serious risk of being in fundamental breach of the stringent rules under the GDPR for cross-border data transfers.

This could put companies invalidly transferring personal data from the EU/UK to the US at risk of financial sanctions. Sanctions could be as high as EUR 20 million, or 4% of an infringing organization’s global turnover if more than EUR 20 million. 

Key Elements of the Adequacy Decision 

  • Self-Certification: U.S. companies adhering to the Adequacy Decision, as well as committing to a detailed set of privacy obligations, can receive EU personal data without needing additional transatlantic transfer safeguards. Membership acceptance is a prerequisite. These privacy obligations include, for example, the requirement to delete personal data once it is no longer necessary and the requirement to ensure continuity of protection when personal data is shared with third parties.

 

  • Addressing Concerns: The EU-U.S. Data Privacy Framework resolves concerns raised by the ECJ, including U.S. intelligence services’ access to EU/UK data. Additionally, new rules introduced by the U.S. Executive Order address the issues raised by the ECJ in the Schrems II judgment. Notably, U.S. intelligence agencies can only access data deemed necessary and proportionate for protecting national security.

 

  • Enhanced Redress Mechanisms: European citizens are provided with improved avenues for seeking redress regarding the collection and use of their data. This includes the newly established Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.

 

  • Streamlined Self-Certification Process: Companies currently certified under the EU-U.S. Privacy Shield Framework will benefit from a simplified procedure for self-certification under the new EU-U.S. Data Privacy Framework. 

 

  • Periodic Reviews: The EU-U.S. Data Privacy Framework will undergo regular reviews by the European Commission, European data protection authorities, and competent U.S. authorities. The first review will take place within one year after the entry of the Adequacy Decision into force. 

 

Implications for Global Expansion  

With the adoption of this Adequacy Decision, HSP recognizes the immense value it brings to our clients and their global expansion strategies. The new agreement ensures that personal data can flow freely and safely from the EU to the U.S. without imposing burdensome conditions or additional authorizations. This facilitates smoother business operations and fosters trust between transatlantic partners.

Challenges and Opportunities  

While the Adequacy Decision has garnered widespread support, including from U.S. President Joe Biden, it has also faced criticism. Privacy activist Max Schrems and his non-profit group noyb (“None of Your Business”) have expressed concerns and intend to challenge the decision. However, EU Justice Commissioner Didier Reynders remains confident in the solidity of the framework and its ability to withstand legal scrutiny. 

As a trusted partner, HSP will closely monitor any developments related to legal challenges and keep our clients informed of any potential implications. Our commitment to providing the most up-to-date information and supporting our clients’ compliance efforts remains unwavering. 

Conclusion  

The new EU-U.S. Data Privacy Framework/Privacy Shield is a significant step forward in fostering data protection, as well as facilitating global expansion for businesses between the EU/UK and the United States. HSP is excited about this agreement’s opportunities for our clients. The agreement allows them to navigate the complexities of international data transfers with greater confidence and efficiency.

As we continue to serve as your trusted global expansion partner, we will ensure that our clients are well informed about the evolving regulatory landscape and equipped with the necessary tools to thrive in the global market. 

Following the introduction of the new (v.3) Privacy Shield, this is a critical opportunity for HSP’s clients doing business between the EU/UK and the US to review their data compliance practices as a matter of urgency. Doing so ensures that they are in a position to apply for certification under the Privacy Shield where relevant. Clients should also review their overall data compliance position so that their risk of regulatory or other breaches is minimized and they do not face regulatory financial penalties for non-compliance.

HSP’s data compliance and privacy team has many years of experience advising organizations from small to very large on global data compliance requirements and issues. We have experience advising on data requirements in over 140 countries globally. We will be happy to advise you on the huge advantages that certifying to the Privacy Shield will bring to your organization and assist you in putting together the appropriate application.

For more information

For more information about the Privacy Shield and its impact on global expansion and why it is so vital that you consider applying to be certified to the Privacy Shield as soon as possible, please contact Paul Sutton, who heads up HSP’s data privacy team globally (details below) or your regular HSP contact to arrange to discuss this further. 

We look forward to assisting you in expanding your business across borders. 

Disclaimer: The information provided in this article is for general informational purposes only and should not be considered legal advice. We recommend consulting with HSP’s data privacy professionals to understand the specific implications of the EU-U.S. Data Privacy Framework for your business. 

 

Data Security: Zellis Breach and Ensuring Regulatory Compliance
https://hsp.com/data-security-zellis-breach-and-the-importance-of-regulatory-compliance/
Wed, 14 Jun 2023 14:30:00 +0000

Data breaches once again made the headlines last week. In late May, we saw the GDPR rule-breaking of Meta (Facebook), leading to the imposition of a €1.2 billion fine (subject to an appeal), and now there is a potentially disastrous breach of private information held by companies in the UK (United Kingdom). 

To date, several major household-name companies, including the BBC, BA (British Airways), and Boots, have all reported data breaches that link to their relationship with popular payroll provider Zellis. Russian cybercrime group Clop claims to have perpetrated the breach. They did so by exploiting a vulnerability in the file transfer software used by Zellis.

In addition to the companies mentioned, Aer Lingus, The University of Rochester, and the Government of Nova Scotia all claim to be implicated in this breach. Estimates suggest that the hackers will access the records of hundreds of thousands of employees tied to these organizations. 

Clop has threatened to publish the hacked data if its financial demands are not met and is understood to have said it has “downloaded a lot of your data from hundreds of companies.” Clop is looking for a “price to delete.” Experts believe that financially motivated criminals, rather than a group tied to the Russian state, are behind Clop.

The Importance of Data Compliance

Meta/Facebook fined $1.3 Billion for Breaches of the GDPR
https://hsp.com/meta-facebook-fined-1-3-billion-for-breaches-of-the-gdpr/
Thu, 25 May 2023 19:28:12 +0000

2 Key Steps to Take to Avoid a Similar Fate

The complications of avoiding breaches relating to the European Union GDPR were again laid bare this week. Meta’s platform Facebook received a record-breaking fine totaling $1.3 billion (1.2 billion EURO) imposed this week by Ireland’s Data Protection regulator, sending shockwaves around global business circles.

Regulators have given Meta five months to implement the suspension of Facebook data transfers from the EU to the US. Additionally, regulators gave them six months to cease processing (including storage) in the US of personal EU data already transferred.

The regulators imposed this substantial punishment after finding violations of EU privacy laws. Other major multinational companies have violated these laws. In 2021, Amazon faced charges and fines amounting to $805.7 million (746 million EURO) for similar breaches.

Meta’s EU base is in Ireland, and the company claimed that an Irish regulator had wrongly “singled out” Meta. Meta asserted that Facebook was sanctioned for relying upon the same data transfer mechanism used by thousands of other companies. The Irish regulator has now said that standard contractual clauses (SCCs) give insufficient protection for data transferred to the US. They assert that US intelligence agencies do not sufficiently protect European users’ data when it is transferred across the Atlantic. Additionally, regulators cited concerns arising from the Edward Snowden revelations.

Meta is launching an appeal against the penalty and the regulator’s findings. 

Let’s examine two key steps to help avoid falling into the traps Meta has faced this week.

Step 1: Don’t drop the homework.

Since the passing of the EU’s signature GDPR law on May 25, 2018, compliance issues around data protection in the EU and any country receiving EU residents’ data have become a slippery slope. There are 98 articles outlining the framework in place for the GDPR. GDPR is a highly complex and detailed law. In fact, GDPR is one of the most extensive pieces of legislation of any nature the EU has passed in the past 50 years. The requirement from policymakers is that you are fully aware of and compliant with every aspect of the GDPR and are ready to maintain its many internal and external data policies and other legal compliance requirements from the word go.

The GDPR legislation is so complex and voluminous that achieving compliance without specialist input and assistance is impossible. HSP is well-positioned to advise on all aspects of GDPR (and other global data protection frameworks). HSP’s specialist in-house privacy counsel has advised extensively on every aspect of the GDPR since its inception in 2018 and has experience advising on data protection issues in over 140 countries worldwide.

 

Step 2: Act as if your headquarters are in the EU.

The jurisdiction of the EU in enforcing GDPR is not location-exempt. The GDPR has “extra-territorial jurisdiction,” which means that the EU regulators can pursue infringements of the GDPR against any organization in the world, even if that organization has no presence and no employees in the EU. If you collect (or “process”) any EU residents’ personal information/data, you are subject to the full compliance requirements (and potentially the full range of sanctions) of the GDPR, no matter where you are located.

Meta emphasized the importance of data sharing between the US and EU. They consider a “global open internet” as vital for offering goods and services worldwide, referring to progress made in addressing EU concerns over US data surveillance.

These may or may not be valid geopolitical points. As of now, they remain separate from the absolute requirement for strict compliance with the GDPR within the EU. You, too, could potentially be subject to draconian penalties if you collect the data of any EU residents and are not FULLY compliant with all aspects of the GDPR. Organizations must review their position and take urgent steps to address any current non-compliance with the GDPR.

Work with experts

HSP Group offers the expertise you need to stay compliant with GDPR across all your organizational practices to help avoid the operational, commercial, financial, and reputational damage that will result from sanctions for infringements. We specialize in helping companies just like yours expand internationally with ease. Whether you need GDPR advice for the EU or UK or any other data protection service for other countries globally, we tailor our engagement to your needs. We will be happy to discuss any aspect of that service with you.

Contact Us

About the author: Paul Sutton is an HSP General Counsel and one of the UK’s most experienced data privacy lawyers. He has advised on data protection requirements and compliance in around 140 countries. Contact Paul at psutton@hsp.com

Are You Absolutely Sure Your Payroll Is GDPR Compliant?
https://hsp.com/are-you-absolutely-sure-your-payroll-is-gdpr-compliant/
Mon, 06 Feb 2023 17:50:30 +0000

The EU/UK GDPR (universally accepted worldwide as the gold standard for data protection and privacy) demands a lot more than many US companies realize.

It may sound like an exaggeration, but it’s a fact: no company can handle GDPR compliance without specialist assistance. The EU’s most significant legislation leaves no room for error. You’re either compliant, or you’re not. And noncompliance can be a business-ending event. 

GDPR explained for Global Businesses
https://hsp.com/gdpr-explained-for-global-businesses/
Fri, 25 Jun 2021 16:08:03 +0000

What is GDPR?

The General Data Protection Regulation 2016/679 (GDPR) is a directive under European Union (EU) law addressing data protection and privacy in the EU and the wider European Economic Area (EEA) linking the EU member states with the three European Free Trade Association states (Iceland, Liechtenstein, and Norway), as well as the transfer of personal data outside the EU and EEA. Regulators generally consider GDPR to be the toughest privacy and security law in the world. The GDPR framework came into force on 25 May 2018, and it applies equally in all EU Member States. Since its departure from the EU, known broadly as Brexit, the UK incorporated a near-identical data protection regime, commonly referred to as the UK GDPR. For the purposes of this blog, we refer to both the EU and the UK regimes jointly as GDPR.
