The New Hampshire Attorney General announced the creation of the Data Privacy Unit. The Unit will be responsible for enforcing compliance with the New Hampshire Act, which is expected to enter into force on January 1, 2025. Read more here →
Certified US companies now offer an adequate level of protection under the Data Privacy Framework between Switzerland and the USA. This means that personal data can be transferred from Switzerland to certified US companies without any additional guarantees. Read the press release here →
The European Commission is seeking public feedback on its report on the first review of the EU-US Data Privacy Framework (DPF). EU citizens have until September 6th to submit their views on all relevant aspects of the Data Privacy Framework. Access the platform here →
The Polish Data Protection Authority (UODO) has clarified the interpretation of the Whistleblower Protection Act. According to the Polish DPA, a whistleblower can be identified not only by their name or surname, but also by any indirect data, such as their place of work. Read more here (in Polish) →
2) Notable Case Law
After randomly selecting 200 websites, the Danish Digital Agency found that all the sites were collecting data without visitors’ consent. Specifically, 42.2% of websites had unclassified cookies, 27.6% lacked information in their cookie banner, and 18.1% were missing a cookie banner. Most sites remedied this situation; however, the sites that are still in violation may be subject to a fine. Reported here (in Danish) →
noyb has filed 9 separate complaints against X/Twitter. The complaints follow the Irish DPC proceedings against the company, which began training its AI models on EU data. X/Twitter has paused the training until September, but noyb is alleging that further GDPR enforcement should take place. Read more here →
The Brazilian Federal Court issued a preliminary decision against WhatsApp for violating the General Personal Data Protection Law (LGPD). WhatsApp must stop sharing unencrypted user data and it must provide users with an easy way to opt out of sharing their data with companies in the Meta group. WhatsApp has 90 days to comply, or it will face a fine of R$200,000 (approx. $36,460) per day of non-compliance. Read the press release here (in Portuguese) →
3) New and Upcoming Legislation
European Union – The EU AI Act entered into force on August 1, 2024. The Act will become fully applicable in two years, but certain requirements related to prohibited AI practices will become enforceable in February 2025. Fines for non-compliance with the AI Act can be up to 7% of the total global annual turnover, making the risk of non-compliance almost double compared with the GDPR. Access the press release here →
United States – The Kids Online Safety and Privacy Act (KOSPA) passed in the U.S. Senate. The bill requires online platforms to pay attention to the creation of new design features to mitigate harm to minors. Follow the progress of the law here →
4) Strong Impact Tech
According to Bleeping Computer, Google is taking a privacy-focused approach to integrating its Gemini AI into Android devices. Google is implementing end-to-end protection to secure data in transit, while storing the most sensitive data on the device. Read more here →
The European Commission has sent a request for information to Meta under the Digital Services Act (DSA). Since Meta discontinued CrowdTangle, the Commission wants to know how the company will allow researchers to access public data on Facebook and Instagram, among other things. Read more here →
Other key information from the past weeks
The European Commission has issued preliminary findings to Meta regarding its “Pay or Consent” model, stating it breaches the Digital Markets Act (DMA). Press release here →
The French CNIL commissioned a study on alternative advertising models and the decline of third-party cookies. Learn more here (in French) →