The European Parliament has adopted a resolution opposing the granting of an adequacy decision to the United States. Despite recognizing some improvements, MEPs remain concerned about issues such as judicial independence and transparency in the US. Negotiations will continue, and a European delegation has visited Washington, D.C., for discussions on privacy and data protection. Reported on our Blog →
The Commission Nationale de l’Informatique et des Libertés (CNIL) has issued an action plan which aims to provide a developmental framework for AI systems in line with privacy principles and respect for personal data. Moreover, CNIL also intends to carry out audits to ensure that AI systems are respecting individuals’ rights and freedoms in the development of such technologies. Access here →
The AEPD has issued guidelines endorsing encryption as a valid security measure for safeguarding personal data and maintaining confidentiality. The target audience for these guidelines includes controllers, processors, data protection officers, and security specialists utilizing encryption in their data processing activities. Access here → (In Spanish)
The Danish Data Protection Authority’s annual report for 2022 has been published and provides an insight into the activities of the Authority. It delves into a number of specific cases that have been handled by the Authority and also addresses security issues, supervision and international work among others. The report also contains useful statistical knowledge about the Authority’s case management and operations. Read here → (In Danish)
The Swiss FDPIC has introduced the ‘Data Breach Portal’ to facilitate the reporting of security vulnerabilities before the new Data Protection Act (FADP) takes effect on September 1, 2023. The FDPIC’s powers and responsibilities will be expanded under the new FADP; however, certain features of the portal will only be available once the law is in effect. Access here →
2) Notable Case Law
The district court of Cologne has ruled in favor of the North Rhine-Westphalia consumer advice center, stating that Deutsche Telekom cannot transmit data to Google servers in the USA for analysis and marketing purposes. The court found that personal data, including IP addresses, browser information, and device details, were being sent to the USA for Google Ads, which uses personal profiles and user behavior for interest-based advertising. Read about the decision here → (in German)
France’s CNIL has imposed an overdue penalty payment of €5.2 million on CLEARVIEW AI, a US company that collects and sells access to a database of people’s images through facial recognition technology. The CNIL had previously fined CLEARVIEW AI €20 million and ordered the company to stop collecting and processing data on individuals in France without a legal basis, as well as deleting the data within two months. Since CLEARVIEW AI failed to comply within the given time frame, the CNIL imposed the penalty payment. In Austria, the DSB (Data Protection Authority) also declared the use of Clearview AI’s data illegal and required the company to appoint an EU representative, without issuing a fine or banning the company’s operations.
The company Social Insurance Bank (SVB) was fined 150,000 euros “for potentially enabling unauthorized access to personal details of pension recipients” by the Dutch Data Protection Authority, Autoriteit Persoonsgegevens. The Authority held that the personal information of over 5 million people was compromised when SVB failed to confirm the identity of callers to its help desk. Read here →
3) New and Upcoming Legislation
EU – Members of the European Parliament (MEPs) from the Internal Market Committee and the Civil Liberties Committee have adopted a draft negotiating mandate for the first-ever rules governing Artificial Intelligence (AI). The proposed rules focus on transparency and risk management for AI systems. If approved, these regulations would introduce the right to file complaints about AI systems and establish tailored frameworks for general-purpose AI and foundational models like GPT. Additionally, MEPs have emphasized the inclusion of bans on “biometric surveillance, emotion recognition, and predictive policing AI systems” within the AI Act. Read here →
The Canadian Privacy Commissioner’s recommendations on federal privacy reform have been published by the House of Commons’ Standing Committee. While acknowledging progress with Bill C-27, the Commissioner emphasized the need for a delicate balance between consumer protection and business innovation. Key recommendations include recognizing privacy as a fundamental right, protecting children’s privacy, and granting individuals the right to dispose of their personal information despite retention policies. Access the announcement here →
The Australian Financial Review has reported that the contemplated reforms to the Privacy Act could lead to unintended effects, namely “consent fatigue”, according to the Australian Banking Association (ABA). If customers are “bombarded with messages from lenders seeking permissions for … basic payments,” the ABA noted that this could hamper “the ability to innovate new products and address fraud.” Reported here →
US Law Updates
Florida: Senate Bill 792 on social media protection for minors has not proceeded further since it died in Committee.
Montana: House Bill 690, which concerned revising pupil data privacy protections, has died in Committee.
Tennessee: House Bill 1181 for the Tennessee Information Protection Act was signed into law by the Governor. The Act will apply to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee, and that exceed $25 million in revenue.
Texas: House Bill 4 for the Texas Data Privacy and Security Act has passed both the Texas House of Representatives and the Texas State Senate.
4) Strong Impact Tech
The Ibero-American Data Protection Network (RIPD) has initiated a collective action against ChatGPT due to concerns over potential risks to user rights and freedoms regarding personal data processing. The RIPD has raised issues such as the legality of data processing, unauthorized data transfer to third parties, and insufficient data protection measures. The 16 regional authorities within RIPD have proposed coordinating their actions to supervise ChatGPT, marking the first-ever coordinated effort within the network. Reported here → (In Spanish)
Bloomberg has reported that the Israeli firm Rayzone Group was purchasing “cellular user’s real-time location data and browsing habits through automated auctions for surveillance purposes” which is then fed into a system called Echo and eventually sold to governments to track individuals via their mobile phones. Data is purchased “from advertising exchanges and companies that trade location and other mobile data.” Read more here →
Other key information from the past weeks
The Agencia Española de Protección de Datos has published a guide for using European data spaces in various sectors while complying with personal data protection laws.
The Guardian has reported that U.K. ministers have been warned that WhatsApp could leave the country if the proposed Online Safety Bill is not modified.
Samsung has temporarily banned the use of ChatGPT as well as other generative AI tools such as Microsoft’s Bing and Google’s Bard, further to the internal data leak that occurred last April.