The EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework are under stakeholder consultation, despite MEPs’ opposition to the draft EU-US DPF adequacy decision. EU MEPs have indicated that the “proposed framework is an improvement, but not enough to justify an adequacy decision on personal data transfers” at this stage. Read here →
The Irish Data Protection Authority (DPA) will be making a final decision on Meta Platforms Ireland Limited (Meta IE) based on the legal assessment and binding decision adopted by the European Data Protection Board (EDPB) under Article 65 GDPR. Access here →
The Garante has set a deadline of April 30, 2023, for OpenAI, the owner of ChatGPT, to comply with regulations to lift the temporary ban on Italian users. OpenAI must provide transparent information on ChatGPT’s operations on its website, remove contractual performance references, process data based on consent or legitimate interest, and more. Reported here, on iubenda →
The Garante’s recent enforcement action against OpenAI in relation to ChatGPT has led the EDPB to launch “a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.” Read here →
The Irish Data Protection Commission has published four guides aimed at assisting parents with their children’s data protection rights under the GDPR. These guides form part of the Commission’s 2022-2027 Regulatory Strategy.
IAB Australia has published its response to the Australian Attorney General Department’s Privacy Act Review Report 2022, and while welcoming most of the Report, it has raised “concerns that the proposals set forth in the Report could severely restrict digital advertising and online publishers’ and platforms’ ability to provide free content and services to consumers.” Access the report here →
2) Notable Case Law
The Italian Data Protection Authority (Garante) has fined the digital marketing company Ediscom SpA 300,000 euros for using dark patterns to obtain users’ consent for data processing and communication with third parties. Ediscom was unable to adequately show that it had obtained consent to send promotional messages. Read about the decision here → (in Italian)
The Spanish Agencia Española de Protección de Datos (AEPD) has initiated an investigation into ChatGPT’s owner, OpenAI, for a possible breach of data protection regulations. The AEPD requested the EDPB to discuss ChatGPT at its upcoming plenary meeting. Reported here, on iubenda →
The Office of the Information and Privacy Commissioner of Alberta, Canada (OIPC) published Order P2023-01, concerning corrective measures on Acuren Group Inc. pursuant to the Personal Information Protection Act, SA 2003 (PIPA), following a request for inquiry. Access here →
3) New and Upcoming Legislation
The Data Protection and Digital Information (No. 2) Bill was read for the second time this week in the U.K.’s Parliament, and the legislative process will run until the end of 2023. The Bill brings a number of changes to the current regulatory regime under the U.K. General Data Protection Regulation. Reported here →
The UK ICO has published a response to the Government’s AI white paper. The ICO emphasized the importance of reducing additional complexity for businesses, therefore welcoming close collaboration with the Government. Read the response here →
US Law Updates
Indiana: Senate Bill 5 on consumer data protection has been approved by the Senate with amendments.
Arkansas: Senate Bill 396 on social media safety was signed by the Governor and comes into effect on September 1, 2023; Senate Bill 66 on the protection of minors was sent to the Governor for signing.
Maine: Senate Bill 1629, proposing the introduction of a right to privacy in the Constitution of Maine, was introduced to the Legislature.
Tennessee: House Bill 1181 concerning the Information Protection Act was passed on First Consideration in the Senate; House Bill 1310 on genetic information privacy was passed by the House and Senate.
Oregon: Senate Bill 619 on consumer data protection was recommended for passage with amendments.
New York: Assembly Bill 6319 establishing consumers’ foundational data privacy rights was introduced to the State Assembly.
The Government of Guyana is to introduce the draft Data Protection Bill 2023 to the National Assembly. This will be followed by public consultation with national stakeholders, who can provide their recommendations on the draft bill.
4) Strong Impact Tech
The Montana House of Representatives has approved the first state-wide TikTok ban in the unprecedented Senate Bill 419. The state ban is still pending the Governor’s signature and, if signed, will follow the previous ban on government-issued devices and state universities. Read about this on our blog →
The Maine Attorney General has reported that Brightline, Inc. experienced a data breach that compromised the personal information of about 27,742 people. The Attorney General clarified that the breach took place at one of Brightline’s vendors and involved personal data such as names and other identifying information, along with Social Security numbers. Reported here →
Other key information from the past weeks
The UK’s ICO has fined TikTok £12.7M for the unlawful use of children’s data, in particular that of children under the age of thirteen who held an account contrary to the terms of service.
The UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have addressed several cyber risk concerns emanating from large language models such as ChatGPT.
The Swiss Federal Data Protection and Information Commission (FDIPC) has issued a statement concerning the use of ChatGPT and AI-supported apps.