The U.K. Information Commissioner’s Office has published both a review and post-transition impressions of the Children’s Code. Over 50 organizations have been assessed for conformance with the code, and there are currently 11 open investigations. 10 online services have also been audited. The ICO has also supported various other countries and states, including California, to show how they have implemented the code. The aim is also to develop similar approaches, extending the benefits of the code beyond the UK to help other countries and states set up their own laws to protect children. Read here →
The Spanish AEPD has launched a redesigned version of its Gestiona tool to support entities with processing activities, risk management and conducting impact assessments under the GDPR. Access here → (In Spanish)
The Brazilian ANPD has published a model for the simplified registration of operations for small and medium-sized businesses to track records of personal data processing activities. The “simplified model” requires information on among others categories of data subjects and data retention, the security measures applied vis-à-vis such data and information on how data is to be shared. Read here → (In Portuguese)
The United States Federal Communications Commission has announced the inception of its Privacy and Data Protection Task Force. This new task force is interested in focusing upon “approaches to data breaches and data security vulnerabilities while contributing to potential privacy rule-making, enforcement and public awareness efforts.” Announcement here →
2) Notable Case Law
The Italian data protection authority, the Garante Privacy (Garante) imposed a fine of just over €7.6 million on TIM S.p.A., for several violations of the GDPR and of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code). The Garante had received several complaints from individuals alleging:
TIM’s inability to display its privacy policy to users making use of its website, in particular when purchasing mobile subscriptions online;
TIM’s outright omission or delay in responding to data subject rights requests submitted under the GDPR;
a data breach, and
telemarketing calls by TIM to users that have availed of the public opt-out register, and users that have denied their consent for promotional purposes.
The CNIL fined the company KG COM which operates a number of websites to offer its customers’ clairvoyance readings by chat or phone, a fine to the tune of €150,000 “because it failed to comply with its obligations under the GDPR and the French Data Protection Act. In particular, the company collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.” Access here →
Two United Kingdom energy companies, Maxen Power Supply and Crown Glazing, were found to have carried out illegal marketing phone calls to both individuals and companies that have specifically enrolled on the United Kingdom’s “do not call” register. The companies have been subsequently fined GBP 120,000 and GBP 130,000 respectively by the Information Commissioner’s Office. Read more here →
3) New and Upcoming Legislation
Members of the European Parliament have agreed to negotiate upon rules for “safe and transparent” AI regulation. The rules intend to protect people from the harmful effects of any untrustworthy AI and “would ban AI systems for social scoring, biometric categorisation and emotion recognition.” Press release →
Texas: House Bill 18 which creates the Securing Children Online through Parental Empowerment (SCOPE) Act and relates to the protection of minors on digital services was signed by the Governor.
Connecticut: Senate Bill 3, for an act concerning online privacy, data, and safety protections became law after being signed by the Governor of Connecticut.
Montana: Senate Bill 351 for genetic information privacy was passed to the Governor for signing.
4) Strong Impact Tech
Google’s generative AI tool Bard will not be launched in the EU until the company addresses privacy concerns raised by Ireland’s Data Protection Commission. The commission, acting as Google’s primary European data supervisor, has expressed that the tech giant has not provided adequate information about how Bard protects privacy for Europeans, thus delaying its EU debut under the General Data Protection Regulation (GDPR). Read about this on our blog →
A cyberattack on UK payroll provider Zellis has affected major organizations like the BBC, British Airways, and Boots. The attackers exploited a vulnerability in the MOVEit file transfer software used by Zellis and stole sensitive employee information. The incident highlights the risk of vulnerabilities in widely used third-party software. Zellis has confirmed a few affected customers, including Aer Lingus and Jaguar Land Rover. Investigations are underway by cybersecurity authorities. Organizations need to take proactive measures to protect against such attacks. Reported here →
Other key information from the past weeks
The United States and the United Kingdom have announced the Atlantic Declaration for a Twenty-First Century U.S.-UK Economic Partnership.
According to Euractiv, French senators confronted European TikTok representatives about the company’s connections with the Chinese government and its handling of data protection.
The Netherlands Data Protection Authority (AP) has opened an investigation into OpenAI’s ChatGPT data processing practices and their compliance with the GDPR.
