The Italian Garante approved a code of conduct for management software developers, to ensure compliance with data protection principles. The code applies to organizations that use management software for their administrative and financial tasks. Read here → (in Italian)
The French CNIL issued formal notices to several companies for using dark patterns on their cookie banners. In particular, notices were sent where it wasn’t as easy to refuse consent as it was to give it. Read more here →
The California Privacy Protection Agency published the meeting materials for public consultation on CCPA updates, cybersecurity audits, risk assessments, automated decision-making technology and insurance companies. The consultation closes on January 14, 2025. More details here →
The Brazilian Data Protection Authority (ANPD) published Resolution No. 23, which contains the agenda for 2025-2026. According to the Resolution, the ANPD will prioritize – among other things – data subject rights, data sharing by public administration entities, minors’ data processing, and artificial intelligence. Access the Resolution here → (in Portuguese)
2) Notable Case Law
The French CNIL fined the telecommunications operator ORANGE 50 million euros for showing advertising to users of its email service without their consent. The company was showing advertising messages, disguising them as regular emails. Read about the decision here →
The Italian Garante fined the Istituto Nazionale di Previdenza Sociale (INPS) €50,000 for GDPR violations. The INPS published names, dates of birth, and scores of more than 5,000 participants in a public competition. The Garante found that this data could remain online indefinitely and be misused. Read more here → (in Italian)
The Irish Data Protection Commissioner (DPC) fined Maynooth University €40,000 for GDPR violations. After a data breach that led to unauthorized access to employee email accounts, the DPC found that the university didn’t have proper security measures in place and failed to notify the Authority about the breach. Read about the decision here →
3) New and Upcoming Legislation
European Union – On December 8, the Product Liability Directive became effective. It addresses liability for defective products, including software and AI systems. Learn more here →
Colorado – The Colorado Attorney General approved amendments to the Colorado Privacy Act Rule. The amendments include new requirements for biometric identifiers, which now require a ‘biometric identifier notice’ at the time of collection. Access here →
4) Strong Impact Tech
The UK’s Information Commissioner’s Office published a response to the generative AI consultation series, addressing topics such as lawful web scraping, individual rights, and controllership in AI models. Read here →
The Norwegian Datatilsynet provided information about X’s processing of EU users’ personal data on its platform to train AI models, including the Grok chatbot. Although users can opt out of the processing, Datatilsynet is still uncertain about the use of public posts for AI training. More details here (in Norwegian) →
Other key information from the past weeks
The House for Whistleblowers in the Netherlands released guidelines for conducting internal investigations in compliance with the Whistleblowers Protection Act. Read here (in Dutch) →
The Norwegian DPA announced that Meta will introduce a new alternative to the “consent or pay” model. More here (in Norwegian) →