The French CNIL issued recommendations to align AI practices with GDPR. It emphasized the need for transparency by ensuring individuals are informed about AI data processing and encouraged best practices for notification and transparency. It also addressed the challenge of upholding individuals’ rights in AI systems with large training databases, suggesting solutions such as pseudonymization and data minimization. Access the recommendations here → (in French)
The CNIL also reminded QWANT of its GDPR duties following a 2019 complaint claiming that QWANT’s ad data wasn’t anonymous. CNIL found the data was pseudonymous and noted QWANT’s efforts to protect privacy. QWANT updated its privacy policy to clarify the data use and its legal basis, making sure the updates were in multiple languages. Learn more here → (in French)
The UK Information Commissioner’s Office (ICO) launched a direct marketing advice generator to help organizations comply with UK privacy laws, such as PECR and GDPR. The tool offers tailored compliance advice for small organizations on direct marketing channels such as email, SMS, and social media. Read more here →
The Nebraska Attorney General’s office updated its website to include a Data Privacy Homepage with FAQs about the Nebraska Data Privacy Act (NDPA). The FAQs explain what data controllers and processors must do, detail consumer rights, and describe the process for filing a complaint. Read more here →
2) Notable Case Law
The Italian Garante fined E.ON Energia S.p.A. €890,000 for GDPR violations regarding unlawful telemarketing practices. Individuals complained about receiving unwanted calls and a lack of response to their GDPR rights. Access the decision here → (in Italian)
The Administrative Court in Sweden confirmed a SEK 13 million fine (around €1.1 million) against Bonnier News. Bonnier News improperly collected and processed personal data from customers and web visitors, both for marketing purposes and to create profiles, without proper consent. Read more here → (in Swedish)
The Spanish Data Protection Authority fined Generali España €5 million for violating the GDPR. The company experienced a data breach that affected over 1.5 million individuals. The breach was due to a technical issue with the company’s CMS and a lack of transaction logs. Read about the decision here → (in Spanish)
3) New and Upcoming Legislation
United Kingdom: The Data (Use and Access) Bill passed its second reading in the House of Commons and is now moving to the Committee Stage. The bill suggests various changes to the UK’s data protection rules, including the creation of a list of ‘recognized legitimate interests’ for data processing. Track the Bill’s progress here →
Oklahoma: The Oklahoma Computer Data Privacy Act has passed the first and second readings in the House of Representatives. It applies to for-profit businesses operating in Oklahoma that handle consumers’ personal information and meet certain thresholds. Here is the progress of the Act →
Oklahoma: Senate Bill No. 546 also passed the first two readings in the Senate. It aims to establish a comprehensive data privacy framework in the state. Progress of the Act →
Tennessee: Senate Bill 663 and House Bill 630 were introduced to amend the Tennessee Code Title 47, Chapter 18. These amendments allow consumers to opt out of the processing of personal data and mandate clear opt-out methods. Read the text here →
California: Assembly Bill 566, which deals with opt-out preference signals, has been reintroduced. The bill would require businesses to make sure their browsers include a setting that lets users easily opt out of tracking by businesses. Access it here →
4) Strong Impact Tech
The Office of the Australian Information Commissioner, along with data protection authorities from Korea, Ireland, France, and the UK, signed a joint declaration to create a data governance framework for AI. Read more here →
The Dutch Data Protection Authority (AP) released guidance for enhancing AI literacy in line with the EU Artificial Intelligence Act. Access the guidance here → (in Dutch)
Other key information from the past weeks
The Italian Data Protection Authority has ordered a ban on the processing of Italian users’ data by the AI tool DeepSeek. Learn more → (in Italian)
LinkedIn has been accused of sharing the private messages of LinkedIn Premium users with other companies to train artificial intelligence models. Read more →