The first review of the Japan-EU mutual adequacy arrangement was successfully concluded between the Personal Information Protection Commission of Japan and the European Commission. This follows the “equivalent” recognition of both Japan’s and the EU’s data protection systems back in 2019. Read here →
The EDPB has published updated guidelines 9/2022 on personal data breach notification under the GDPR. The guidelines “clarify notification requirements for personal data breaches at non-EU establishments” and require that member states’ supervisory authorities are notified of such breaches when affected data subjects reside in a particular member state. Access here →
The IAB Tech Lab and the IAB Legal Affairs Council have announced the launch of a new Privacy Implementation & Accountability Task Force (PIAT) which will serve to address industry challenges. Reported here →
New Zealand’s Deputy Privacy Commissioner has urged businesses to keep their data retention policy in check and to retain only necessary information, since several recent cyberattacks have fed off excessive data retention. Press release here →
Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) has published a 15-part Q&A on data protection impact assessments (DPIAs). Alongside outlining the proper procedures to be undertaken, the document addresses basic questions that entities should consider when performing DPIAs. Read here → (in Portuguese)
2) Notable Case Law
In its most recent ruling, Austria’s DSB has declared that the Austrian Newspaper Der Standard’s cookie banner is not GDPR or e-Privacy Directive compliant, since it does not afford the user the “granularity of consent principle.” The choice presented by the “pay or okay” system does not effectively allow the users to consent freely, as their choices include either agreeing to having all of their data processed or paying as an alternative. Reported here →
The UK’s ICO has fined TikTok £12.7M for the unlawful use of children’s data, in particular that of children under the age of thirteen who held an account contrary to the terms of service. Such accounts were set up without parental consent, and the ICO found that TikTok “did not do enough” to establish who was behind such accounts. These breaches, together with TikTok’s failure to remove such accounts, led to the fine. Read about the decision →
Canada’s Office of the Privacy Commissioner has launched an investigation into ChatGPT’s operator OpenAI, L.L.C., in “response to a complaint alleging the collection, use, and disclosure of personal information without consent.” The investigation is currently ongoing, and no further information is available at this stage. The Authority’s announcement can be found here →
Further to a complaint submitted by an individual wherein it was alleged that Banco Bilbao Vizcaya Argentaria S.A (BBVA) processed the individual’s personal data without any legal basis and moreover also failed to address the individual’s data access request, the Agencia Española de Protección de Datos (AEPD) fined BBVA €140,000 for violating Articles 6(1) and 15 of the GDPR. The AEPD however reduced the fine twice over by 20% to €84,000 since BBVA acknowledged its liability and proceeded to settle the fine within 10 days from issuance of the AEPD’s decision. Read here → (in Spanish)
3) New and Upcoming Legislation
US law updates:
Arkansas: Senate Bill 396 on protection of minors has passed the House of Representatives and has been delivered to the Governor.
Tennessee: Senate Bill 73 for the enactment of an Information Protection Act has been recommended for passage by the Senate Commerce & Labor Committee.
Texas: House Bill 4 for the regulation of the Texas Data Privacy and Security Act was passed by the House of Representatives.
California: Senate Bill 721 on the establishment of an Interagency AI Working Group has been re-referred to Senate Committee after already having been withdrawn last month.
Washington: House Bill 1155 concerning the collection, sharing and selling of consumer health data was passed by the Senate.
4) Strong Impact Tech
The UK’s National Cyber Security Centre (‘NCSC’) and the Information Commissioner’s Office (ICO) have addressed several cyber risk concerns emanating from large language models such as ChatGPT. Both the NCSC and ICO have issued a series of Q&As which serve to enable the public to better comprehend the function and composition of these technologies as well as the associated privacy risks.
The Swiss Federal Data Protection and Information Commissioner (FDPIC) has issued a statement concerning the use of ChatGPT and AI-supported apps. Whilst applauding the benefits of using such apps, the FDPIC also highlighted the risks associated with the processing of personal data by such technology. The FDPIC also stated that it is in contact with Italy’s Garante further to the temporary ban issued last month. Reported here →
Other key information from the past weeks
ChatGPT’s processing of Italian users’ data has been halted by the Italian Garante.
The UK Government has launched an AI white paper “to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology.”
France has ratified the modification to the Council of Europe Convention 108+ which concerns the protection of the automatic processing of individuals’ personal data.