The EDPB has adopted an information note for both individuals and entities carrying out data transfers to the U.S., which clarifies that no supplementary measures are required for transfers based on the adequacy decision. Separately the U.S. International Trade Administration has launched an EU-U.S. data privacy framework dedicated website.
The French data protection authority (CNIL) has launched a new “sandbox” dedicated to artificial intelligence and the personal data issues that arise as a result of such innovation: “The sandbox is therefore aimed at organizations facing new issues related to personal data regulations. By intervening at an early stage in the development of the project, the CNIL teams help the organization identify possible solutions and implement them.” Press release here → (in French)
The California Privacy Protection Agency introduced the new consumer complaint system which grants both residents and nonresidents the possibility to lodge either sworn or unsworn complaints concerning alleged violations of the California Consumer Privacy Act.
The Biden administration has announced that seven leading artificial intelligence (AI) companies including Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI have committed voluntarily to, among others, carry out internal and external security testing of AI systems before release, share information on managing AI risks, and invest in safeguards. The administration said that in consultation with several allies and partners engaged in the voluntary commitments, it is working “to establish a strong international framework to govern the development and use of AI.”
2) Notable Case Law
Amazon has reached a settlement with the U.S. Department of Justice and the Federal Trade Commission over alleged children’s privacy violations concerning its Alexa voice assistant. As part of the agreement, Amazon will pay USD 25 million in civil penalties and adhere to a permanent injunction.
The FTC concluded its actions against BetterHelp with a finalized order amounting to USD 7.8 million. The order was based on allegations of improper data sharing for advertising purposes. Under the order, the online counseling service is banned from sharing consumers’ health data for advertising and using personal data for retargeting.
NOYB has now started a campaign against several Belgian news outlets, including among others RTL Belgium, the public service broadcaster VRT, newspapers Het Laatste Nieuws and L’Avenir. The NGO is claiming that these companies “have bought themselves free from GDPR compliance”. The full list of websites against which a complaint has been filed can be found here →
The Italian Garante fined the department store Rinascente SpA 300,000 euros for several violations in relation to the illegal processing of personal data of millions of customers in marketing and profiling activities through the use of loyalty cards. The infringements included but were not limited to the failure to:
indicate data retention times for marketing and profiling purposes;
indicate processing activity carried out through Facebook-Meta, which included the forwarding of customer’s email addresses to the US company;
prepare a data protection impact assessment as envisaged by the GDPR.
3) New and Upcoming Legislation
The Council of the European Union’s Committee of the Permanent Representatives of the Governments of the Member States to the EU, has approved the draft compromise text of the Data Act. Draft compromise Data Act here →
California: The California Privacy Protection Agency (CPPA) Board had unanimously voted, to support four California privacy bills. Among these bills are:
Assembly Bill 947 which would define sensitive personal information under the CCPA as amended to include personal information that reveals a consumer’s citizenship or immigration status;
Senate Bill 362, which would transfer the administration and rule-making authority over the data broker registry from the Department of Justice to the CPPA. This would also be directed to establish a deletion mechanism to allow a consumer to ask that all data brokers delete their personal information in one single request. Press release here.
Oregon: Senate Bill 619 for an Act relating to protections for the personal data of consumers was signed by the Governor of Oregon. It will enter into force on July 1, 2024 however, certain exceptions apply to non-profit entities and the Act will not apply to them until July 1, 2025.
Federal: The FTC has published a Federal Register notice seeking public comment on an application from ESRB, Yoti and SuperAwesome. The application proposes using “Privacy-Protective Facial Age Estimation” to obtain parental consent under COPPA. Comments can be submitted until August 21, 2023. Press release →
4) Strong Impact Tech
WhatsApp has updated its privacy policy by switching to the ‘legitimate interest’ legal basis following the Irish Data Protection Commissioner’s sanction in January, where it was fined €5.5 million. WhatsApp, stated that “under legitimate interest, users will still be able to object to the use of their information.” Read the full story on our blog →
The Canberra Times has reported that the release of Threads in Australia, Meta’s new social media platform, led to renewed calls for privacy law reforms. Digital Rights Watch Program Lead Samantha Floreani said that “We urgently need the Australian government to take action to pass robust reforms to the Privacy Act to make sure companies are handling our personal information appropriately […. since] All of this data is collected for the benefit of the companies harvesting it.” Reported here →
Other key information from the past weeks
The Spanish Data Protection Authority (AEPD) has issued an updated version of its guide on the use of cookies to reflect the Guidelines on deceptive design patterns issued by the EDPB in February 2023.
The Italian Garante has published its 2022 activity report, which indicates that there has been an increase in the number of inspections, totaling to 140 inspections and tripling the 2021 figures.
The EPDB held their 82nd EDPB meeting, wherein the focus of the EDPB Members was on the EU-U.S. Data Privacy Framework (DPF).
