Send us a Text Message.

Privacy Corner Newsletter: July 18, 2024

Top Stories:

• UK Revives Data Protection Reform: The new UK government plans a "Digital Information and Smart Data Bill" (DISDB) that includes some proposals from the previous government's scrapped Data Protection and Digital Information Bill (DPDIB). Key details like the Information Commissioner's Office (ICO) restructuring and scientific research data rules are expected to return, but the final form of the bill remains unclear.
• Privacy Group Targets Microsoft-Owned Adtech Firm: noyb, a privacy advocacy group, filed a complaint against Xandr (owned by Microsoft) with the Italian Data Protection Authority (DPA). Xandr allegedly rejected data access and deletion requests, claiming pseudonymized data makes identification impossible. Noyb argues Xandr should be able to identify individuals and comply with requests.
• California Tightens CCPA Rules: The California Privacy Protection Agency (CPPA) proposed major changes to the California Consumer Privacy Act (CCPA) regulations. Highlights include a new definition of "artificial intelligence," cybersecurity audits for certain businesses, and an increased application threshold based on revenue.

Send us a Text Message.

This Week's Privacy News:

US Privacy Update:
Comprehensive privacy laws in Texas and Oregon are now in effect.
Colorado's privacy law's opt-out mechanism for targeted ads is now active.
Federal privacy law seems unlikely in the near future.

Meta in Hot Water:
The EU is investigating Meta's "pay-or-OK" policy under the Digital Markets Act (DMA) for potentially violating user consent.
A potential fine of up to 10% of global turnover is on the table.

Grindr Loses GDPR Battle:
The dating app must pay a $6.1 million fine for sharing user data with advertisers without proper consent.
This case sets a precedent for how companies handle data revealing sexual orientation.

Send us a Text Message.

This Week in Privacy: Stalled Law, Meta's AI U-Turn, and Snap Appeasement

This edition of the Privacy Corner Newsletter dives into three key privacy headlines:

- Vermont's ambitious privacy bill, H.121, gets vetoed due to concerns about its impact on businesses. The bill included strong consumer rights and data minimization requirements.
- Meta delays its plan to train AI models on user posts following intervention from the Irish DPC. Privacy group noyb claims a "preliminary win" due to their complaints.
- The UK ICO reveals why it dropped an enforcement notice against Snap. The social media company took ten steps to address data protection risks associated with its My AI chatbot feature.

Send us a Text Message.

This Week's Privacy News Roundup: GDPR, Privacy Sandbox, and Child Data Protection

This week's Privacy Corner dives into key data privacy developments:

- UK Court Considers EU Law in GDPR Case: A UK court judgement clarifies the "household exemption" and "right of access" under the UK GDPR, referencing relevant EU law.
- Noyb Challenges Google Chrome's Privacy Sandbox Consent Flow: Privacy group noyb argues Google's method of obtaining consent for Topics ad targeting violates the GDPR.
- New York Enacts Strict Child Data Protection Act: New York introduces a strong child data privacy law with tight restrictions on data collection and a high bar for consent.

Send us a Text Message.

This week's Privacy Corner dives into several data privacy battles:

- EU privacy group noyb filed complaints against Meta alleging its AI training policy violates GDPR rules on transparency, data subject rights, and lawful processing.
- Noyb also targeted Microsoft, accusing them of misleading schools about their role in data processing for Microsoft 365 Education products and secretly tracking student data.
- The Australian privacy regulator dropped its investigation into TikTok's use of tracking pixels due to limitations in the outdated Privacy Act, but launched proceedings against healthcare provider Medibank for a massive data breach.

Send us a Text Message.

Privacy Corner Newsletter Summary

This week's newsletter covers several key privacy topics:

- EDPB vs OpenAI: The European Data Protection Board (EDPB) is investigating OpenAI's ChatGPT software to ensure it complies with GDPR regulations.

- UK's GDPR reforms are dead: The UK's attempt to reform data protection laws has stalled due to upcoming elections. The proposed changes, including a new "recognized legitimate interests" legal basis and relaxed data subject rights, are unlikely to be revived soon.

- Irish DPC's 2023 report: The Irish Data Protection Commissioner (DPC) report shows a significant increase in workload and fines issued in 2023.

Send us a Text Message.

This week's newsletter covers developments in AI regulation, enforcement actions by the ICO, and updates on the APRA draft.

Key takeaways:

• Colorado passed a new law (CAIA) regulating high-risk AI systems. Similar to the EU AI Act, it focuses on transparency, accountability, and preventing bias in areas like healthcare and finance.
• The ICO dropped its case against Snap's AI chatbot but is investigating Microsoft's new Recall feature. Recall captures screenshots of user activity, raising privacy concerns.
• A revised draft of the APRA clarifies data minimization rules, shortens response times to data requests, and adds new data broker regulations. Pre-emption, a controversial aspect, remains largely unchanged.

Send us a Text Message.

This week's Privacy Corner dives into the latest data privacy developments:

🇬🇧 US: Maryland and Vermont passed groundbreaking privacy laws with strong data minimization requirements and a private right of action in Vermont (similar to California's CCPA).
🇬🇧 UK: The ICO is seeking views on how to uphold data subject rights in generative AI but avoids the right to rectification challenge.
🇪🇺 EU: The European Commission is investigating Meta (Facebook & Instagram) under the Digital Services Act (DSA) for potentially harming children and failing to meet age verification requirements.