Photo of Jadzia Pierce

Jadzia Pierce

Jadzia Pierce advises clients developing and deploying technology on a range of regulatory matters, including the intersection of AI governance and data protection. Jadzia draws on her experience in senior in house leadership roles and extensive, hands on engagement with regulators worldwide. Prior to rejoining Covington in 2026, Jadzia served as Global Data Protection Officer at Microsoft, where she oversaw and advised on the company’s GDPR/UK GDPR program and acted as a primary point of contact for supervisory authorities on matters including AI, children’s data, advertising, and data subject rights.

Jadzia previously was Director of Microsoft’s Global Privacy Policy function and served as Associate General Counsel for Cybersecurity at McKinsey & Company. She began her career at Covington, advising Fortune 100 companies on privacy, cybersecurity, incident preparedness and response, investigations, and data driven transactions.

At Covington, Jadzia helps clients operationalize defensible, scalable approaches to AI enabled products and services, aligning privacy and security obligations with rapidly evolving regulatory frameworks across jurisdictions—with a particular focus on anticipating enforcement trends and navigating inter regulator dynamics.

Contact:Read more about Jadzia PierceEmail

On June 3, the European Commission published its Tech Sovereignty Package, a set of legislative and policy initiatives designed to address what the Commission characterizes as Europe’s technological dependencies on non-European suppliers. The Package marks a further step in the evolution of the EU’s technology policy, with initiatives spanning the full tech stack—from chips and infrastructure to software, cloud, and artificial intelligence. Through this “ecosystem” approach, the Commission seeks to reduce supply-side dependencies by strengthening domestic capabilities in Europe and stimulating demand in downstream sectors.

The Package comprises four components: two legislative proposals—(i) the Cloud and AI Development Act (CADA), and (ii) the Chips Act 2.0—as well as two non-legislative initiatives—(iii) the EU Open Source Strategy and (iv) a Strategic Roadmap for Digitalisation and AI in Energy.

Continue Reading EU Tech Sovereignty Package

On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The

Continue Reading EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions

On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.

Continue Reading EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions

On May 8, 2026, the European Commission (“Commission”) published draft guidelines (“Guidelines”) on the implementation of the transparency obligations under Article 50 of the EU Artificial Intelligence Act (“AI Act”), opening a targeted consultation that runs until June 3, 2026.

The Guidelines are non-binding, but they are the first Commission instrument to provide interpretive guidance across the full scope of Article 50. They were prepared in parallel with the related, but more narrowly scoped, Code of Practice on Transparency of AI-Generated Content (“Code of Practice” or “Code”), the second draft of which was published on March 5, 2026.

Continue Reading 10 Takeaways: European Commission Draft Guidelines on AI Transparency under the EU AI Act

On 31 March 2026, the UK’s Information Commissioner’s Office (“ICO”) launched a public consultation on draft updated guidance on automated decision-making (“ADM”), including profiling (“Draft Guidance”) and simultaneously published a report on the use of ADM in recruitment (“Recruitment Report”).

The Draft Guidance is the ICO’s first detailed interpretation of the Data (Use and Access) Act’s (“DUAA”) changes to the UK GDPR’s ADM provisions, and the accompanying Recruitment Report is a sector-specific signal of how the ICO expects those rules to operate in practice.

Continue Reading UK ICO Consults on Draft Automated Decision-Making Guidance and Sets Expectations for ADM in Recruitment

As agentic AI systems move from research labs to enterprise workflows, regulators worldwide are grappling with how to address the potential risks these systems may pose (as discussed in prior blog posts here and here).  In January 2026, Singapore’s Infocomm Media Development Authority (“IMDA”) launched a non-binding Model AI Governance Framework for Agentic AI (“Framework”), just a few months after the Cyber Security Agency released a discussion paper titled “Securing Agentic AI” (“Discussion Paper”).

Together, these documents provide organizations with a structured, operational roadmap to consider when navigating some of the potential security and governance challenges posed by agentic AI.  This blog post highlights some of their key points.

Continue Reading Singapore Issues Governance and Security Guidance for Agentic AI

(“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On 18 March 2026, the European Parliament’s Committee on the Internal Market and Consumer Protection (“IMCO”) and the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) adopted their joint negotiating position on the European Commission’s proposed Digital Omnibus on AI (which we previously analysed here). The position will now proceed to a plenary vote, expected on 26 March 2026. The Council of the EU had previously adopted its negotiating position on 13 March 2026. This sets up trilogue negotiations between the Parliament, Council, and Commission.

Continue Reading MEPs Adopt Joint Position on Proposed Digital Omnibus on AI

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.

Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)

Continue Reading UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security