The Agencia Española de Protección de Datos has published a guide for using European data spaces in various sectors while complying with personal data protection laws. The guide provides information on the basic regulatory framework that applies to data spaces and discusses the importance of data protection by design in such spaces. It also outlines the role of data protection officers in ensuring compliance with the law. Read here → (in Spanish)
The Federal Trade Commission (FTC) has published an Order to Show Cause to modify its previous 2020 privacy order issued against Meta Platforms, Inc., for alleged failure to comply with the previous order and having also allegedly misled parents in their ability to control their children’s communications on the Messenger Kids app among other allegations. Press release here →
During his testimony in Parliament, the Canadian Privacy Commissioner advocated for federal political parties to be subject to privacy laws, stating that citizens deserve a privacy regime that goes beyond self-regulation. The Commissioner emphasized the need for a regulatory framework based on internationally recognized privacy principles, rather than allowing parties and affiliates to follow their own privacy rules. Access here →
2) Notable Case Law
An individual requested personal information from CRIF GmbH under Article 15 of the GDPR. CRIF provided a summary and list of data, which the individual found insufficient. The Austrian Data Protection Authority ruled in favor of CRIF, but the individual appealed to the Bundesverwaltungsgericht, which requested a preliminary ruling from the Court of Justice of the European Union (CJEU) on Article 15(3). The CJEU ruled that data subjects have the right to a faithful reproduction of all personal data and copies of documents or databases, if necessary to exercise their GDPR rights while considering others’ rights and freedoms. Read the press release here →
The Court of Justice of the European Union (CJEU) issued a decision concerning GDPR compensation and stated that “not every infringement of the GDPR gives rise, by itself, to a right to compensation.” In its ruling, the CJEU also stated that nonmaterial damages have no bearing on the capping of compensation and it is up to national courts to determine damage assessment. The press release can be found here →
3) New and Upcoming Legislation
The EU Digital Markets Act aims to ensure “contestable and fair markets in the digital sector” became applicable as from last week, thereby implying that “potential gatekeepersthat meet the quantitative thresholds established have until 3 July to notify their core platform services to the Commission.” Press release here →
US Law Update – The Children and Teens’ Online Privacy Protection Act (COPPA) version 2.0 has been reintroduced to the US Congress to update online data privacy rules and to ensure that children and teenagers are protected online. Specifically, COPPA 2.0would:
Build on COPPA by prohibiting internet companies from collecting personal information from users who are 13 to 16 years old without their consent.
Ban targeted advertising to children and teens.
Revise COPPA’s “actual knowledge” standard, covering platforms that are “reasonably likely to be used” by children and protecting users who are “reasonably likely to be” children or minors.
Create an “Eraser Button” for parents and kids by requiring companies to permit users to eliminate personal information from a child or teen when technologically feasible.
Establish a “Digital Marketing Bill of Rights for Teens” that limits the collection of personal information of teens.
Establish a Youth Marketing and Privacy Division at the Federal Trade Commission.
4) Strong Impact Tech
The Guardian has reported that U.K. ministers have been warned that WhatsApp could leave the country if the proposed Online Safety Bill is not modified. The main concern stems from the encryption of messages, which would require screening in light of abusive material vis-à-vis children in terms of the Bill and thus break the end-to-end encryption of messaging. Reported here →
Samsung has temporarily banned the use of ChatGPT as well as other generative AI tools such as Microsoft’s Bing and Google’s Bard, further to the internal data leak that occurred last April. Company owned devices such as tablets, phones, and computers will no longer support such AI tools as well as any other non-company-owned device which happens to run on internal company networks. Read about this on our blog →
Other key information from the past weeks
ChatGPT is now available again in Italy with new data protection measures. OpenAI now requires users to confirm their age during sign-up and restricts access to users under 13.
Meta Platforms Ireland Ltd has filed two applications before the European Court of Justice against the European Data Protection Board.
Germany’s data protection authority, has asked OpenAI about the legal basis for data processing and protection of children’s data by ChatGPT. This inquiry is in line with other German authorities and the EDPB’s ChatGPT TaskForce.