The implementation of executive order 14086 concerning the EU-U.S. Data Privacy Framework has been completed as confirmed by the U.S. Department of Justice and the Office of the U.S. National Intelligence Director (ODNI). EU and EEA member states have been designated with the possibility to file for redress under the proposed Data Protection Review court and ODNI has released the policies and procedures that will be applicable to the U.S. intelligence community. Press Release →
The Swiss Federal Data Protection and Information Commissioner has published it’s 30th Annual Report which covers the period between April 1, 2022, and March 31, 2023, for the section on data protection and 1 January to 31 December 2022 for the section concerning freedom of information. Press Release →
The United Kingdom and Singapore have signed two Memoranda of Understanding, one concerning emerging technologies and the other relating to data cooperation. Access here →
Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, has published a guidance note on data processing activities in relation to academic purposes. See the guidance here → (In Portuguese)
IMY fined Bonnier News AB (which now goes by the name Expressen Lifestyle AB) SEK 13 million (approx. €1.1 million) for processing personal data without the correct legal basis in violation of Article 6(1) of the GDPR. Press release → (In Swedish)
Further to the €1.2 billion fine issued against Meta by the Irish Data Protection Commission (DPC) on May 22, 2023, the Irish Times reported that the Irish High Court has granted Meta a stay to the five-month period to cease all EU data transfers to the US pursuant to the Irish DPC’s order. Read about the decision here →
Italy’s Data Protection Authority (Garante) fined Benetton Group €240,000 for violating data protection principles and security requirements in terms of Articles 5 and 32 of the GDPR. The Authority’s summary can be found here → (In Italian)
The U.S. Department of Justice together with the Federal Trade Commission have announced a permanent injunction and a $6 million civil penalty against education technology provider Edmodo who was allegedly collecting information on children aged under 13 years of age without parental consent in violation of COPPA Rules. Read here →
3) New and Upcoming Legislation
Pursuant to a “last-minute” amendment to the “Courts and Civil Law (Miscellaneous Provisions) Bill 2022” the Irish Minister for Justice has now sponsored the addition of a new section 26A which, if passed, would allow the Irish Data Protection Commission to declare practically all of its procedures “confidential”.
The proposed European Data Act has resulted in an agreement between the European Parliament and the Council regarding fair access and utilization of data. Read here →
US law updates
Louisiana: House Bill 61 relating to the consent of a legal representative of a minor who contracts with certain parties has been signed by the Governor.
Colorado: The Colorado Privacy Act and the Colorado Privacy Act Rules entered into force this month.
California: The Sacramento County Superior Court has halted the enforcement of the California Privacy Rights Act (CPRA) from July 1, 2023 until March 29, 2024. The decision, however, does not affect the CPRA statutory provisions, which are enforced as of July 1, 2023.
Delaware: House Bill 154 on personal data privacy has passed Senate.
4) Strong Impact Tech
The MediaPost has reported upon Meta’s latest feature across all its social media apps which grants parental controls tools, thereby allowing parents to for instance see how much time their teens are spending on Messenger or receiving updates whenever news contacts are added. Reported here →
The Washington Post has reported that a class-action lawsuit has been filed against OpenAI by San Francisco based law firm, Clarkson which alleges that the ChatGPT chatbot incorrectly used people’s data and carried out copyright and privacy violations when users’ internet data, including social media comments and blog posts, were scraped to train its algorithms. Read the story here →
Other key information from the past weeks
The French company Criteo which specializes in ad-tracking activities concerning “behavioral retargeting”, was fined €40 million by the French data protection authority CNIL.
Tech radar has reported that the Singapore-based cybersecurity firm Group-IB has indicated that over 100,000 ChatGPT accounts have been stolen and thereafter sold on the dark web.
The EDPB has adopted a template complaint form together with a final version of recommendations “on the application for approval and on the elements and principles to be found” in the Controller Binding Corporate Rules.
