The European Commission has designated the six “most impactful online companies” as gatekeepers under the Digital Market’s Act (DMA): Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. These companies will now have six months to comply with the DMA’s provisions, including the appointment of a compliance officer that will report to their board and inform the European Commission of any plans for mergers or acquisition. The commission will become the enforcer of the DMA as of 6 March 2024. Read here →
Politico has reported that a French Member of the European Parliament has submitted challenges to the European Union General Court against the EU-U.S. Data Privacy Framework. The European Parliament had formally voted against the DPF last April. The challenges request the immediate suspension of the trans-Atlantic agreement for data transfers whilst also questioning the legality of the DPF’s text which was notified to EU countries only in English and not published in the EU’s Official Journal. The MEP has informed the French government and the data protection authority CNIL of his challenge. Access here →
Further to the entry into force of the Swiss Federal Data Protection Act, the Swiss Federal Data Protection and Information Commissioner has published an information sheet on the carrying out of data protection impact assessments. The document instructs federal bodies and citizens to “prepare a data protection impact assessment if the planned data processing entails a high risk for the (personal data) or the fundamental rights of the persons concerned.” Access here →
2) Notable Case Law
The Belgian Market Court has given an interim ruling and “suspended its assessment of the validation decision” with regard to IAB Europe’s action plan. It agreed that a decision from the Court of Justice of the European Union is required before any further assessment can be made. Read about the decision here →
The Norwegian Data Protection Authority’semergency decision which resulted in a temporary ban of behaviour-based marketing on Facebook and Instagram has been upheld by the Oslo District Court. Meta sought to obtain a temporary injunction against the ban, however this was to no avail. The Court held that “the Norwegian Data Protection Authority’s decision is valid, and that there is no reason to stop it.” Datatilsynet is now considering bringing the decision before the European Privacy Council to extend the ban’s application to the entire EU/EEA. The press release can be found here → (in Norwegian)
Reuters has reported that OpenAI and Microsoft Corp. are facing a lawsuit before the Northern District Court of California for “allegedly breaking several privacy laws in developing OpenAI’s chatbot ChatGPT and other generative artificial intelligence systems.” The complaint, which was filed on behalf of two unnamed software engineers who used ChatGPT, accuses the companies of “using stolen personal information from hundreds of millions of internet users” to train their AI technology. Reported here →
3) New and Upcoming Legislation
Switzerland has ratified the Protocol of Amendment of Convention 108 and becomes “the 28th State Party to join the modernized Convention 108 (Convention 108+).” Access here →
The New Zealand Privacy Commissioner’s Office has revealed that an amendment to the Privacy Act has been tabled in Parliament. This proposed law mandates that entities subject to its provisions must divulge the rationale behind their data collection practices, as well as identify the first and third parties who will be privy to the collected data. Advocating for a more expansive transparency framework, the Privacy Commissioner stated that the legislative changes are designed to align with international best practices. Read more here →
4) Strong Impact Tech
Tests conducted by the nonprofit Mozilla Foundation revealed potential issues with car manufacturers’ data practices. The survey considered 25 major automotive manufacturers and concluded that a majority are “potentially selling off consumers’ personal data and would fulfill law enforcement requests for data without a warrant.” What you need to know →
The Verge has revealed that Google has made the APIs for its Privacy Sandbox broadly accessible to users by default. This move is part of Google’s strategy to provide a privacy-focused alternative to third-party cookies, enabling Chrome developers to substitute cookies with these APIs. Google also noted that a small fraction (3%) of Chrome users will continue to operate a browser containing embedded cookies for the purpose of conducting A/B tests. Reported here →
Other key information from the past weeks
Google’s plea for a summary judgment in a case where it was alleged to have intruded upon the privacy of millions, has been rejected. Read the full story here →
YouTube and its parent company, Google, find themselves at the center of a heated debate concerning children’s online privacy. Access here →
Privacy organization noyb has filed complaints against Fitbit in Austria, the Netherlands, and Italy, alleging some serious GDPR violations. Find out more here →
