The Privacy Explorer | Week 17


🇺🇸 New U.S. Legislation Targets TikTok Ownership to Mitigate National Security Risks

President Joe Biden signed into law the Protecting Americans’ Data from Foreign Adversaries Act on April 24, 2024, posing a direct challenge to TikTok’s operational freedom in the United States. The legislation is a pivotal development in the ongoing scrutiny of digital platforms under foreign control, particularly those from China:

  • The law stipulates a mandatory divestiture of TikTok by its Chinese parent company, ByteDance, within a 12-month timeframe to avoid a national ban.
  • This legislative move highlights escalating U.S. concerns over national security, data privacy, and foreign influence, particularly from China, in the tech sector.
  • TikTok has announced intentions to contest the ban legally, emphasizing a commitment to continue operations and defend its platform against what it views as unconstitutional restrictions.
  • Critics, including technology and civil liberties experts, argue the law could set a concerning precedent for free speech and advocate for more comprehensive data privacy legislation.
  • The context for the law includes broader international tensions and concerns about data security, particularly with the increasing prevalence of digital platforms in everyday life and national infrastructure.
  • The law was introduced amidst a broader legislative focus on enhancing digital security and managing the risks associated with foreign technology companies operating within U.S. borders.
  • Reuters reports that ByteDance would prefer the ban to selling off TikTok if all legal challenges fail (read here). On the other hand, Politico reports that the EU will not follow in the US’s footsteps with this ban (read here).

Read the bill here, and NPR’s reporting here. I highly recommend watching this video from Morning Brew for a healthy dose of laughter.

🇪🇺 EDPB Published Its Annual Report For 2023

The EDPB published its comprehensive 2023 annual report on 22 April 2024, outlining its efforts to enhance data protection across the EU. Here are some key points:

  • Leadership Transition: Anu Talus was elected as the new EDPB Chair, succeeding Andrea Jelinek, under whose leadership the board strengthened its regulatory impact.
  • Guidelines and Opinions: The EDPB issued guidelines on deceptive design patterns in social media and the use of facial recognition technology by law enforcement, reflecting its commitment to address modern digital challenges.
  • Enforcement and Compliance: The report highlights the issuance of binding decisions and the adoption of significant opinions on draft legislation, including the development of the EU-US Data Privacy Framework, aimed at ensuring adequate protection in transatlantic data transfers.
  • Stakeholder Engagement: The EDPB engaged extensively with stakeholders through consultations. However, there are no statistics on how many of the responses received actually led to changes in the final texts, and my personal experience has been that submitting comments is a waste of time, as they are simply ignored. The report also mentions engagement through surveys; however, the DPO survey results are not actually supported by the poor data obtained through questionable methodology (see here Rie Aleksandra Walle’s take on this, which I fully agree with).
  • Outreach and Education: The report highlights the release of the Data Protection Guide for Small Business, calling it a significant step towards enhancing GDPR understanding and compliance among SMEs. That may be so, but at the time it was published it had been over 4 years since the GDPR became applicable and over 6 since the GDPR was published, so it seems like too little too late to me.
  • Resource Challenges: The report addresses the challenges of adequate resourcing in terms of budget and staffing, emphasizing the need for enhanced support to meet the growing demands of data protection enforcement and compliance.

So yes, the EDPB had a lot of activity last year, but IMO the quality of some of it is up for debate.

Read the full report here and the executive summary here.

🇫🇷 CNIL Published Its 2023 Annual Report

The French data protection authority, CNIL, published its annual report for 2023, reflecting a proactive stance in data protection and privacy enforcement. Here are some key aspects:

  • Public Engagement and Education: The CNIL engaged directly with over 6,800 individuals through various educational events and saw a record 11.8 million website visits, indicating heightened public interest in data privacy issues.
  • Complaints and Requests: There was a 35% increase in data protection complaints, with 16,433 complaints filed, and a staggering 217% rise in requests for indirect access rights, reflecting growing public vigilance.
  • Support for Compliance: The CNIL enhanced its support for AI compliance and introduced 13 new reference documents to assist professionals, particularly in the health sector and AI-driven projects.
  • Investigations and Sanctions: Enforcement saw 340 investigations and 42 sanctions, doubling the penalties from the previous year and imposing fines totaling approximately €89 million. The adoption of a simplified procedure for handling straightforward cases has improved its regulatory efficiency.

You can read the press release here, the full report (in French) here, and the “CNIL in a nutshell” booklet here.

🇫🇷 CNIL Released “AI and Free Will: Are We Digital Sheep?” Booklet

The CNIL has recently published a thought-provoking booklet, “AI and Free Will: Are We Digital Sheep?”, as a follow-up to its air2023 event, which delved into artificial intelligence’s influence on human autonomy and societal norms. The publication picks up several discussions from the event:

  • Daily Impact of AI: Examines how pervasive AI technologies are enhancing our daily routines yet raising questions about our decision-making freedom.
  • Creativity and AI: Discusses the relationship between artificial intelligence and human creativity, pondering whether AI stifles or fosters creative endeavors.
  • Workplace Transformation: Explores how AI is reshaping job roles and the labor market, highlighting both the opportunities and challenges posed.

The booklet aims to engage not only the general public but also professionals and policymakers in reflecting on how AI shapes our lives and freedoms.

You can read the booklet (in French) here.

🇪🇺 EU-US DPF Redress Mechanism: New EDPB Procedural Rules on Complaints Published

The European Data Protection Board (EDPB) published detailed procedural rules outlining the cooperation between national Supervisory Authorities (SAs) and the EDPB Secretariat in managing complaints from EU individuals about potential violations of US law concerning their data by US national security agencies. This framework is part of the broader EU-US Data Privacy Framework.

  • Initial Complaint Handling: The SAs are responsible for initial complaint verification, ensuring the identity of the complainant and that the complaint adheres to set conditions. This includes checking the nature of the data transferred to the US and any alleged misuse by US intelligence.
  • Secretariat’s Role and Duties: The EDPB secretariat is responsible for further verifying complaints received from SAs and facilitating communication between the SAs and the US Civil Liberties Protection Officer (CLPO). The Secretariat ensures that all complaints and appeals are transmitted securely and that all replies from the US authorities are communicated back to the relevant SA.
  • Declassification and Data Access: Information about declassified complaints and potential access to data under US law is provided to complainants through the SAs, facilitated by the US Department of Commerce.
  • Appeal Mechanism: The rules also define the process for lodging appeals against decisions made by the US Civil Liberties Protection Officer (CLPO), including time frames and requirements for the appeal to be considered valid.
  • Collaboration and Communication: Effective communication between the SAs and the EDPB Secretariat is emphasized, with mandatory use of encrypted electronic methods to ensure the security and integrity of the exchanged information.

Read the Rules of Procedure here, the Information Note here (what individuals need to know about complaint handling), and the Complaint Template here (actually filing a complaint).

🇪🇺 Advocate General Opinion on Processing Publicly Disclosed Personal Data for Advertising (Case C-446/21)

Advocate General Rantos issued his opinion in Case C-446/21 (Schrems v. Meta) on 25 April 2024. The case stems from Max Schrems’ lawsuit against Meta Platforms Ireland; the opinion addresses two of the four original preliminary reference questions, since the other two were already dealt with in the July 2023 judgment in Case C-252/21 Meta v Bundeskartellamt.

Background and Legal Questions: The case arose from Schrems’ concerns over Meta’s use of his publicly stated sexual orientation for targeted advertising. The Austrian Supreme Court sought guidance from the Court of Justice of the European Union on whether such publicly disclosed information could be used for personalized advertising and whether Meta’s extensive data processing practices comply with GDPR.

Key Points from the Advocate General:

    • Public Data and Advertising: Even where personal data have manifestly been made public and the conditions of Art. 9(2)(e) are met, this does not by itself mean the processing can take place, still less with a view to aggregating and analysing the data for the purposes of personalised advertising. Having a legal basis (in this case meeting Art. 9(2)(e)) is only half of one of the 6 conditions for lawfulness of personal data processing under the GDPR, and no legal basis (not even consent) will “legalise” the processing if you fail to meet the other conditions. Here are the two paragraphs you must read from the Opinion on this point:

“45. With regard, in the second place, to the examination of the consequences, which manifestly making public one’s sexual orientation has, as regards the processing of those sensitive data by Meta Platforms Ireland for the purposes of Articles 5 and 6 of the GDPR, I consider that the fact that data are manifestly made public within the meaning of Article 9(2)(e) of that regulation does not, in itself, allow processing of those data to be carried out for the purposes of that regulation.

46. The application of that provision simply has the effect of lifting the ‘special protection’ afforded to certain particularly sensitive personal data. Once that protection has been knowingly waived by the data subject (who has manifestly made public those data), those initially ‘protected’ personal data become ‘ordinary’ (that is to say non-sensitive) data which, like all other personal data, may be processed lawfully only under the conditions laid down in particular in Articles 6 and 7 of the GDPR and in compliance with the principles laid down in particular in Article 5 of that regulation, including the principle of purpose limitation set out in Article 5(1)(b) of that regulation, which requires that personal data be collected for specified, explicit and legitimate purposes, a matter which it is for the controller to demonstrate, in accordance with paragraph 2 of the provision in question.”

    • Violation of Data Minimisation: Meta failed to impose clear restrictions on the duration and variety of data processed, pointing out a breach of the data minimisation principle: “Article 5(1)(c) of the GDPR must be interpreted as precluding the processing of personal data for the purposes of targeted advertising without restriction as to time or type of data and that it is for the referring court to assess, in the light of the circumstances of the case and by applying the principle of proportionality, the extent to which the data retention period and the amount of data processed are justified having regard to the legitimate aim of processing those data for the purposes of personalised advertising.”

The opinion is not binding and the Court can choose to take a different interpretation, although this is extremely rare.

Read the full opinion here, and noyb’s reaction here.

🇪🇺 Advocate General Opinion on Health Data (Case C-21/23)

The Advocate General evaluated GDPR’s application in unfair competition cases specifically linked to the online sale of non-prescription medicines.

The issue stemmed from a dispute where one pharmacy sought an injunction against another for allegedly marketing non-prescription medicines on Amazon without proper consent, claiming unfair competition under German law. It was questioned whether data collected through online sales platforms for these medicines should be considered “data concerning health” under Art. 9 GDPR.

The Advocate General is of the opinion that the personal data connected to online purchases of non-prescription medicines does not represent “data concerning health”, because:

    • non-prescription medicines “may be used more generally to treat everyday diseases that may be encountered by anyone and are not symptomatic of a specific pathology or health status”;
    • non-prescription medicines can be purchased for someone else, therefore it is unclear who will use that medicine – “it cannot be inferred from an order for a product freely available online that that product is intended to be used by, and only by, the purchaser”.

The AG also points out that interpreting this data (“the data transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines”) as “health data” would actually do more harm than good, since it would lead to more (and more precise) information being revealed: “In fact, the request for explicit consent for the processing of data already identified as sensitive might ultimately encourage the purchaser to reveal the identity of the end user of the product. In that situation, more certain conclusions about the health status of that person might be drawn.”

Lastly, the opinion supports the idea that GDPR remedies can coexist with national competition rules, provided they do not undermine GDPR’s objectives.

Read the full opinion here.

🇧🇷 Brazil’s ANPD Approves Procedure for Data Breach Notification

The Brazilian National Data Protection Authority (ANPD) has introduced a comprehensive Security Incident Reporting Regulation to strengthen data protection frameworks. This new regulation, effective immediately upon publication, sets forth rigorous requirements for data controllers concerning the reporting and handling of security incidents.

Key elements of the regulation include:

  • Mandatory Notification: Controllers must notify both the ANPD and affected data subjects about data breaches within three business days (counted from the moment the controller becomes aware of the data breach), if such data breaches are likely to result in significant risks or damage to data subjects.
  • Criteria for Reporting: The regulation defines scenarios under which a security incident is considered significant:
    • it significantly affects the interests and fundamental rights of data subjects; and
    • it includes the processing of:
      • sensitive data;
      • minors or elderly persons;
      • financial data;
      • authentication data;
      • data protected by legal, judicial, or professional secrecy; or
      • large-scale data.
  • Detailed Reporting Requirements: The notification to the authority must include several elements, including a thorough description of the incident, the type and number of data subjects affected, and the protective measures taken before and after the incident; these can be provided in stages by supplementing the original notification (very similar to the EU approach). The required content of the notification to data subjects is also regulated, and is similar to the elements notified to the authority.
  • How to notify: The data breach notification to the ANPD is made through a form on their website. The notification to affected individuals must be made directly to them (with exceptions), in plain language.
  • Accountability Measures: Controllers are required to document all security incidents, even those not reported to the ANPD, and maintain these records for at least five years.
  • Enforcement and Penalties: Non-compliance with the reporting obligations can trigger investigative and punitive actions by the ANPD, including fines and mandated corrective measures.

Read the decision (in Portuguese, but easy to translate in the browser) here.

🇫🇷 CNIL Introduces Self-Assessment Tool for Binding Corporate Rules

The French data protection authority, CNIL, has released a self-assessment tool to support multinational corporations in preparing Binding Corporate Rules (BCRs), which serve to ensure the lawfulness of intra-group data transfers outside the EU.

  • Objective: The tool’s primary function is to allow companies to self-evaluate the readiness of their BCR projects, ensuring alignment with the GDPR’s stringent standards.
  • Target Audience: Designed for Data Protection Officers and other key personnel involved in data governance, the tool aids in identifying compliance gaps and creating a structured action plan.
  • Mechanism: Upon completion, the tool provides a compliance score and suggests specific actions to address any deficiencies identified, thus facilitating improvements before formal submission to regulatory bodies.

By using the tool, companies can preemptively address potential issues, thereby enhancing the likelihood of a smoother and faster approval process both at the national level and within the European Data Protection Board’s framework (mainly Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)).

Read the press release here and access the self-assessment here.

👇 That’s it for this edition. Thanks for reading, and subscribe to get these nuggets in your inbox! 👇
