The French data protection authority, CNIL, has published “a first series of guidelines for the use of AI that respects personal data.” Principles concerning minimization, finality and retention periods are all addressed in the guidelines whilst noting that the GDPR offers an “innovative and protective framework” for AI. Read here (in French) →
The UK-US Data Bridge entered into effect on October 12, 2023. Businesses in the UK can transfer personal data to US organizations certified under the UK Extension to the EU-US DPF without needing additional safeguards. Access here →
The European Commission has published a template for the compliance report to be submitted by gatekeepers under the Digital Markets Act. The report must be completed in a detailed and transparent manner and will determine whether gatekeepers are in compliance with the DMA. Read here →
The European Commission has sent a request for information to X, formerly known as Twitter, under the Digital Services Act (DSA). Learn more here →
2) Notable Case Law
The European Union General Court has rejected the French Member of the European Parliament Philippe Latombe’s request to suspend the EU-US Data Privacy Framework. The decision follows Latombe’s filing against the transfer agreement and subsequent adequacy decision. Read about the decision here (in French) →
The UK Court of Appeal has ruled that the UK Information Commissioner’s Office (ICO) had acted lawfully in relation to a subject access request complaint. The case addressed the ICO’s remit within an investigation. The Court of Appeal further confirmed the ICO’s “broad discretion in deciding the extent to which it investigates each complaint.” Access the press release here →
3) New and Upcoming Legislation
California: Senate Bill 362 which is informally known as the “Delete Act” was signed by the California Governor. Separately, Assembly Bill 947 concerning the California Consumer Privacy Act of 2018: sensitive personal information was signed by the Governor into law. Citizenship and immigration status have been added to the definition of sensitive personal information.
4) Strong Impact Tech
The Norwegian data protection authority (Datatilsynet) has confirmed that “advertising on Facebook has not been banned in Norway” but precaution is being encouraged. Moreover, it was also confirmed that provided that users’ valid consent is given, personalized marketing on Facebook is also not banned. Read more here (in Norwegian) →
The Wall Street Journal has carried out an investigation into data brokers’ purchasing of information generated from advertisements on mobile phones and the consequent sale of such information to government contractors for surveillance purposes. It is alleged that the cloud-based data intelligence platform Near Intelligence did not have the relevant authority to resell its data. Reported here →
Other key information from the past weeks
Meta is considering a model where EU users might have to pay up if they wish to maintain their privacy rights. What you need to know →
Consumer Reports, a non-profit advocate for consumer rights, launched a new app to restore control over personal data in a few simple taps. Learn more here →
The five-year privacy controversy involving DAZN has finally come to an end. Read here →
