Out-Law Analysis

PODCAST: Navigating sanctions as geopolitics heats up, and the EU law change that could suit AI developers


Caracas, Venezuela, where the US has intervened on the way the country is run. Jesus Vargas/Getty Images.


As international relations get more complicated and tensions rise, Stacy Keen guides us through the spider’s web of sanctions laws, while Malcolm Dowden explains why an upcoming EU law change could release more data for the training of AI systems.


 

  • Transcript

    Hello and welcome back to the Pinsent Masons podcast as we kick off another year of news and analysis of the most important developments in global business law every second Tuesday. I'm Matthew Magee and I'm a journalist here at Pinsent Masons. And this week, we explore the spider's web of sanctions law governing increasing numbers of companies’ activity as the world gets geopolitically just a little bit more complex with every passing day. We'll look at an upcoming EU law change, which could be a boon for AI developers.
    But first, here's some business law news from around the world.
    EU and US launch joint AI principles for medicines industry
    UK scales back digital ID plans amid rising right to work checks and
    Data centre energy efficiency duties in Germany set to change

    Ten principles agreed by US and European medicines chiefs concerning good governance of artificial intelligence use in the industry will help shape usage across the continent, according to experts. The European Medicines Agency and the American Food and Drug Administration have identified ten principles covering areas such as evidence monitoring and risk assessment. The principles say that AI use should be human-centric by design, take a risk-aware approach, adhere to defined standards, be clear in the context of their usage and require multidisciplinary expertise in overseeing the technology and its implementation.

    As plans for a new mandatory digital ID card in the UK are significantly watered down, the continued expansion of right to work checks in 2026 could bring additional compliance costs for employers, an expert has said. Immigration expert Shara Pledger was commenting after the UK government confirmed it was scrapping the proposed mandatory digital ID scheme aimed at cutting down illegal working in the UK.
    The scheme, which was announced in September, would have made it mandatory by 2029 for all people to hold a digital ID to prove their right to work in the UK. The government said it would have made it tougher to work illegally in this country and that employers would also be legally required to carry out the checks. Pledger warned that the government's intention to expand digital checks more broadly could result in additional compliance costs for employers unless a free service similar to the Home Office tool for migrant workers is made available.

    The duties that data centre operators face under Germany's Energy Efficiency Act look set to be watered down, according to reports. Dr. Marc Salevic and Dr. Benedikt Beierle, experts in data centres and digital infrastructure, said the package of reforms that appears to be under consideration by Germany's coalition government would move the legislation in a more pragmatic direction if it's implemented. They were commenting after details of a draft bill providing for amendments to the Energy Efficiency Act were leaked and published by media outlets. The changes are relevant to data centre developers, operators and investors, as well as cloud and IT providers and large industrial heat consumers. The law contains strict requirements around power usage effectiveness or PUE values and reuse of waste heat, but it appears that the existing rules will be relaxed a little. PUE value is a measure of the energy efficiency of building technology. The law sets threshold values that data centres must meet, and those thresholds get stricter over time for existing data centres whose operations start before the 1st of July this year.


    One of the measures that countries use to try to control or limit the behaviour of other countries is making life hard for the target country through sanctions. These are laws designed to make economic, military and even social life harder for countries which are doing things that other countries don't want them to. It's a massive escalation of inter-country tension, but it obviously stops well short of trying to change a country by military means. It also imposes a massive burden on the private sector. Saying that European countries shouldn't facilitate a trade in Russian oil and gas while its invasion of Ukraine is ongoing is one thing, but the mechanism for that trade is private companies, so they have to be compelled to behave in a certain way. As conflict and tension in Russia, Iran and recently Central America have heated up, Western countries have leaned ever more heavily on sanctions. It's a fiendishly complicated business, restricting behaviour based on where the business activity takes place, where the company is headquartered, the nationality of the people doing business and even the currency being used. But we have Glasgow-based sanctions expert Stacy Keen to guide us. She started by outlining what we actually mean by sanctions.

    Stacy Keen: Sanctions are essentially packages of restrictions that target dealings with certain countries, certain individuals and certain sectors. There's three common types. There's a financial, which looks at who you are dealing with. There's a trade, so it's what you do, and there's the third, what sectors are you dealing with. Historically, sanctions have impacted financial sectors, defence sectors, to a degree the energy sector and targeted those countries that we commonly see in the press that are engaging in nefarious actions. Russia, Iran, North Korea, Syria, the non-government-controlled regions of Ukraine and the US had targeted regimes on Cuba and Venezuela.

    Matthew: The world is a much less certain place for politicians, generals and business people than it has been for a very long time and this is reflected in sanctions activity. More countries are producing more sanctions, affecting more people than ever, says Stacy.

    Stacy: The world is getting smaller from a sanctions perspective, and what we are seeing is sanctions bite in different ways. So to take Russia as one example, we've seen rafts and rafts and rafts of sanctions packages imposing further prohibitions and further restrictions on dealings with individuals and entities in Russia. And the most recent sanctions packages have targeted those outside of Russia that are continuing to deal with or support Russia. So examples of that we've seen recently a Chinese importer of Russian LNG be targeted under the Russian regime, an Indian refiner of Russian-origin crude oil. The Chinese entity and the Indian entity in that scenario have been targeted under the Russian regime even though they have no operations or footprints in Russia themselves. And what this is driving is a shift in identifying and assessing sanctions risk. We're also seeing a shift in the nature of the prohibitions. What are they targeting? Historically, defence items, items that can be used to support the energy sector for example, in Russia, have been targeted. But the restrictions have been ramped up in relation to the categories of items that they are targeting. They're considerably more broad now. This isn't just about energy and defence items. The sanctions packages have gone as far as prohibiting luxury goods such as luxury handbags or luxury foodstuffs into Russia.

    Matthew: This expansion of the sanctions universe means that more companies and people than ever will have to be thinking about staying on the right side of sanctions law, even companies and people who would traditionally not really be touched by it. You might be dealing in something far removed from oil or weapons. You might never have done business in Russia in your life, but the tendrils of sanctions law could well already be touching your business. So Stacy outlines how you can go about getting and staying on top of things.

    Stacy: Where does that leave organisations that haven't historically had sanctions risk as one of their top key risks on their risk registers? What would we advocate or what do we suggest they do? The first step is to identify applicable sanctions regimes. Most sanctions regimes operate in a similar way, so they apply to the nationals of the country or the bloc, such as the EU. They apply to the entities that are incorporated under those laws or they apply to activities that take place within the relevant country or bloc. So that's your primary regime, the one that you are required to comply with as a matter of law, and the key sanctions regime that will sit alongside your country regime on your risk appetite perspective is the US. US sanctions laws apply in an extraterritorial way. And what that means is that the US can penalise those that act in a manner that's contrary to US sanctions, even if there's no US nexus to that activity. So there's no US entity or no activities within the US. Assess exposure to countries of concern. There are comprehensive sanctions targeting countries such as Russia, Belarus, Iran, but sanctions risk is broader than just those countries. There are other countries that have been targeted by less restrictive sanctions packages. The spider effect of sanctions means that for those that you are dealing with who are continuing to trade with Russia, there is an enhanced risk that those counterparties can be designated in the future, meaning that you could be essentially cut off from dealing with them under the direct laws that apply to you.

    Matthew: Stacy said that it isn't just direct laws that should govern your behaviour if you're at risk of falling foul of sanctions. The people you do business with also get a say.

    Stacy: Your banks may require you to comply with sanctions regimes that you are not required to as a matter of law, and this is a really important point. Your trade may be lawful, but if the risk appetite of your bank is that they won't transact in countries of concern, if you are transacting with a Belarusian company lawfully, there's no restrictions that require you to not transact or to stop dealings with them. Ultimately, can you get paid? What is the risk appetite of your bank? Will they allow you to accept the payment? Your bank will also undoubtedly require you to comply with additional sanctions regimes. So if we look at most UK banks, they require their customers to comply with UK, US sanctions and EU sanctions in addition to UK sanctions, even if you are not required to comply as a matter of law with those other two regimes.

    Matthew: So if one of the keys to compliance is increased due diligence so that you have a more concrete idea of who you're dealing with, how do you actually go about that? The UK, US, EU and Japan have a list of higher-risk items, and we know which countries they consider higher risk. So if this covers some of your trade, how do you go about enhanced due diligence? Stacy says it involves several actually quite ordinary steps.

    Stacy: You're dealing in one of these countries, you're supplying these listed items. What should you do? One, do they have a business presence, active operations in the country in which they say the items will be utilised? How do you go about doing that? Check if they have accounts, check if they have manufacturing facilities, check if they have auditors, accountants, lawyers in that country or are they simply a front for movements into Russia? Does the trade fit with the counterparty’s commercial activity? Are you providing advanced electronics to a textile company that doesn't sit with the fit of that counterparty’s commercial activity? Looking up the supply chain, is the counterparty a subsidiary, branch or JV partner of an organisation sitting in Russia? Those are the types of practical checks that you can carry out to look behind the scenes and ensure there's no unappreciated risk behind the scenes of your direct counterparty.


    We know that one of the ways AI systems learn how to operate is by ingesting enormous quantities of data, lots of it just scraped from the public internet by them or by a data supplier. The trouble is that the internet contains things like people's names, ages, addresses, and information about them. Personal data, in other words, the use of which is regulated more tightly in Europe than anywhere else. Because you can't just say I found it on the internet and process the data anyway, this means that AI developers should be either stripping out personal data or treating it in line with regulations, which means things like giving the people it's about a right of access, rectification and erasure, or putting in place safeguards for the use of especially sensitive data or information about criminal offences. A 2024 ruling by Europe's top court involving banking supervisor, the Single Resolution Board, said that if a company using the data can't identify a person and no one else can either, the data falls outside of data protection law. The European Commission now wants to write this principle into law through the Digital Omnibus Regulation and the Digital Omnibus on AI Regulation. London-based data protection expert Malcolm Dowden explained the change.

    Malcolm Dowden: The proposed change in EU law stems from a European Court of Justice ruling that found that information that's masked or pseudonymised so that it's not immediately identifiable may not be personal data in the hands of the recipient and if that's the case, then it wouldn't be covered by the protections in GDPR and that court ruling is being adopted and enshrined in legislation by the European Commission if the digital omnibus proposals go ahead. Under GDPR, if information is hashed or masked or otherwise obscured, then it's referred to as pseudonymised data and pseudonymised data that can be reidentified has to be treated as though it's fully personal data. But if pseudonymisation is so strong that data cannot be reidentified, then we refer to that as anonymised data and if data has been fully anonymised and irreversibly anonymised, then the protections in GDPR do not apply. So the major impact of both the European Court ruling and the proposed legislative encapsulation of that ruling is that at the moment, if personal data is pseudonymised in the hands of one party and is transferred to another, then it remains personal data in the hands of both. Under the proposed changes, or indeed under the European Court ruling, the status of the data can differ. So in the hands of one party it may be pseudonymised but identifiable and therefore covered by GDPR. In the hands of the recipient it may be pseudonymised but not reidentifiable by them, and therefore in the hands of the recipient not covered by GDPR.

    Matthew: The change hangs on whether data is anonymised, meaning that whoever is using or seeing it can identify who it's about. It's more complicated than just that the person's name isn't there. To be fully anonymised, it must be impossible to find out, even using other sources, who the person is. Currently, data isn't considered to be anonymised if the original source can still identify the person. The proposed change would allow AI developers to use scraped data as long as neither they nor the public can identify the person. But the change wouldn't apply to data a company had scraped or gathered itself, because it wouldn't yet have been pseudonymised. Only data acquired by and pseudonymised by a third party counts. Malcolm says that this could give some kinds of developers more freedom.

    Malcolm: What neither the European Court ruling nor the proposed legislative wording do is really lower the bar when it comes to determining whether information has been so strongly pseudonymised that it can be regarded as anonymous in the hands of the developer. So if there is any realistic means available to the recipient here, a sophisticated AI developer through which they can reidentify individuals from the data, then they would still have to treat it as personal data and therefore subject to GDPR. One of the key implications of the ruling for AI developers is that it potentially opens the way for them to acquire bulk data sets that are already pseudonymised by a provider or an intermediary. And then the AI developer would be able to claim that in their hands, the information is anonymous, i.e. so strongly pseudonymised that it can't be reidentified, and that as a result the AI developer doesn't have to comply with GDPR. The area where this is likely to have the greatest effect is the development of AI for gaming purposes, where developers quite often acquire bulk pseudonymised data sets from intermediaries rather than scraping that data themselves.

    Matthew: If enacted, the new law is likely to be challenged by privacy campaigners, and any developer changing its approach might have to defend its actions in court when a challenge is likely to hang on the question of whether the data really is anonymised.

    Malcolm: So the question of whether there'll be a real-world effect depends firstly on whether AI developers do perceive this as part of a pattern of relaxation and facilitation that opens the way for pretty much untrammelled large-scale acquisition of data for training AI models and it depends on the degree of challenge that's brought by prominent campaigning groups like NOYB, the organisation associated with Max Schrems. And of course, once we have AI developers being challenged by campaigning groups of that type, then the outcome is going to depend first on the stance that's taken by supervisory authorities and then ultimately by a court deciding on where the threshold lies in that particular case. I think it's being viewed very much as an area where litigation is likely to emerge over the next couple of years. It is a clear battleground in the overall arena of data privacy. It goes right to the question of whether AI developers should be permitted, as a matter of law, to simply acquire and use data without paying any obvious regard to privacy.


    Thank you once again for rejoining us in 2026, for listening and hopefully for sharing, and even more hopefully for putting people you know and might be interested onto the Pinsent Masons Podcast. You don't have to wait for every second Tuesday. Remember, every day our crack team of reporters provides up-to-the-minute updates, news and analysis of business, law and regulations all around the world. Or you can sign up for a weekly personalised update at pinsentmasons.com/newsletter. We really appreciate you spending your time and attention with us. Until next time, thank you and goodbye.

    The Pinsent Masons Podcast was produced and presented by Matthew Magee for international law firm Pinsent Masons.
