The Garante has released guidelines for any business or organization that keeps users’ passwords. These guidelines suggest the safest cryptographic methods for storing passwords. They cover topics like password hashing, PBKDF2, and Argon2. Read here →
Spain’s data protection agency, the AEPD, has updated its advice on reviewing human roles in automated decisions to follow Article 22 of the GDPR. Previously addressed in 2018, the new recommendations propose evaluating how much a person is involved in the decision-making process by looking at factors like their authority, skills, abilities, effort, and autonomy. Access here →
The U.S. Federal Trade Commission summarized its findings from cases where Avast, X-Mode, and InMarket sold personal data. It highlighted that selling browsing and location data by X-Mode and InMarket reveals detailed aspects of a person’s life. Additionally, the FTC noted that people can’t oppose or manage the collection, storage, and use of their data. Read here →
The U.K. Information Commissioner’s Office is asking for opinions from businesses and digital advertising parties on “pay or OK” subscription plans and their alignment with third-party cookie rules. The ICO wants to know if these models would work well for users while it updates its cookie guidelines. More here →
2) Notable Case Law
The Garante has started looking into OpenAI regarding its new AI model, ‘Sora’, and how it might handle personal data in the EU and Italy pursuant to the algorithm learns; the type of data, particularly personal data, used for training; if sensitive data like beliefs, political views, genetic or health information, or sexual life details are gathered; and the sources of this data. Read about the investigation here →
CNIL fined the telemarketing company FORIOU €310,000 for buying data from brokers and using it without the people’s permission. CNIL found that the forms used by the data brokers to collect information were misleading, so they didn’t get proper consent from the individuals. As a result, FORIOU didn’t have a legal right to use this data for marketing, which violates Article 6 of the GDPR. The Authority’s summary can be found here →
3) New and Upcoming Legislation
US law updates:
New Hampshire’s Governor has executed Senate Bill 255 relating to consumer privacy legislation. The law will come into effect on January 1, 2025, allowing people to know more about how their data is collected and kept. New Hampshire is now the 14th state in the U.S. with a full privacy law.
Virginia has updated its privacy laws with two new bills focusing on protecting children’s data. Senate Bill 361 stops the data of anyone under 18 from being collected, used, or sold without permission. House Bill 707 adds extra protections for how children’s data is processed, including restrictions on collecting their location data.
California has introduced a data broker registry as part of the California Delete Act. This registry allows California residents to easily ask for their personal information to be deleted from records held by data brokers in the state.
4) Strong Impact Tech
Microsoft plans to use Google’s Privacy Sandbox technology in its advertising services. They aim to adopt Google’s privacy standards to improve and support the digital advertising industry with new privacy-focused technologies. Read more here →
Tech Policy Press has shared insights from the Future of Privacy Forum on how U.S. states agree or differ on defining sensitive data. It highlights states whose data protection standards have been adopted by others and points out the broad range of protections for biometric data and information about minors.
The European Commission has asked Meta for details under the Digital Services Act about its subscription service that doesn’t show ads, known as “pay or ok.” This request focuses on how Facebook and Instagram handle advertising, their recommendation systems, and any risk evaluations for this subscription option. Press release →
Other key information from the past weeks
The European AI Office marks a significant milestone in the EU’s commitment to becoming a global leader in the development and regulation of AI. Read about it on our blog →
The European Data Protection Board (EDPB) has embarked on a significant initiative aimed at reinforcing the right of access, a fundamental aspect of data protection. Read more here →
The European Union has initiated a comprehensive investigation into TikTok, the popular social media platform, due to growing concerns over child safety, its advertising practices, and privacy protocols. Full story here →
