ChatGPT is now available again in Italy with new data protection measures. OpenAI now requires users to confirm their age during sign-up and restricts access to users under 13. Users between 13-17 need parental consent. Personal data usage is explained, and European users can object to processing. Read here →
The European Commission’s Digital Services Act (DSA) now applies to 19 Very Large Online Platforms and Search Engines, including Facebook, Google Search, and Alibaba AliExpress. They have four months to comply with the DSA’s requirements, which aim to empower users, protect minors, and increase transparency and accountability. This decision follows the launch of the European Center for Algorithmic Transparency. Access here →
IAB Europe and other European ITAs have raised concerns about the potential conflicts between the Data Act and the GDPR. They sent a letter to Members of the European Parliament, highlighting the proposed removal of article 6(2)(b) of the draft Data Act, which could disrupt the growth of the digital economy. The signatories recommended aligning the Data Act with the GDPR. More here →
The EDPB has launched a Data Protection Guide to help small and medium-sized business owners comply with the GDPR. The guide simplifies compliance and raises privacy awareness by providing practical information on topics such as data protection, breaches, and data subject rights.
The OECD has published a report on international private-sector data flows, based on business consultations. The report recognizes difficulties in implementing global data transfer mechanisms and the need for coherent principles and rules that match business realities.
2) Notable Case Law
Meta Platforms Ireland Ltd has filed two applications (T-128/23 and T-129/23) before the European Court of Justice against the European Data Protection Board. Meta alleges that the EDPB exceeded its competence and infringed GDPR, violated the right to good administration, and failed to act as an impartial body. Read more on our blog →
The AEPD fined Telefónica Móviles España 70,000 euros for violating GDPR Article 6(1) following an identity theft complaint. Telefónica failed to verify the identity of a third party who requested a duplicate SIM card, leading to a breach of the complainant’s personal data. The Authority’s summary can be found here → (in Spanish)
The AEPD fined Energía Colectiva S.L. 42,000 euros for violating GDPR Article 6(1) after an individual filed a complaint. The company exchanged the complainant’s personal data with a third party and changed their electricity provider without their consent, processing their data without legal basis. Read the Authority’s summary here →
3) New and Upcoming Legislation
The Canadian House of Commons passed Bill C-27 after the second reading, which is an all-inclusive bill that has been divided into three acts to address different aspects of privacy protection: Consumer Privacy Protection Act, Personal Information and Data Protection Tribunal Act, and Artificial Intelligence and Data Act. The bill has been referred to the Standing Committee on Industry and Technology for further action. Access here →
The Bolivian Agencia de Gobierno Electrónico y Tecnologías de Información y Comunicación (AGETIC) has presented a new data protection bill to the Bolivian Senate and separately bill No. 349/2020-2021 for the protection of personal data was reintroduced to the Legislative Assembly. Both Bills carry similarities to the GDPR, including also the creation of a data protection agency. Access here → (in Spanish)
US Law Updates
Federal: The House Subcommittee on Innovation, Data, and Commerce hearing has once again raised the need for comprehensive privacy legislation at a federal level, namely in the form of an American Data Privacy and Protection Act
North Carolina: House Bill 644 relating to use of minors’ data for advertising, referred to Committee
4) Strong Impact Tech
Germany’s data protection authority, has asked OpenAI about the legal basis for data processing and protection of children’s data by ChatGPT. This inquiry is in line with other German authorities and the EDPB’s ChatGPT TaskForce. Read here → (In German)
Further to the banning of ChatGPT by Italy last month (even though it is accessible now), Brazil has issued its perspective on such banning and even commented on the risks that such actions may have and how they may even hamper the development of such technologies. Reported here → (In Portuguese)
Other key information from the past weeks
The Agencia Española de Protección de Datos (AEPD), has released a list of several public administration offices that have been sanctioned for failure to comply with the GDPR.
In an effort to ensure that the risk management requirements contemplated under the Digital Services Act (DSA) are met by “Very Large Online Platforms and Very Large Online Search Engines”, the European Commission has launched the European Center for Algorithmic Transparency (ECAT).
Media Post has reported that Google is presently testing artificial intelligence models to optimize ad targeting without the use of third-party cookies in an effort to find a third-party cookie alternative.