The Privacy Explorer | Week 22

This edition at a glance:


🇮🇹🤖 Italian DPA Issues Guidance on Protecting Online Personal Data from Web Scraping

The Italian Data Protection Authority (Garante) has issued guidance to protect personal data published online by public and private entities from web scraping. This practice involves indiscriminate data collection by third parties for training generative AI models. Garante suggests measures such as creating reserved areas accessible only upon registration, including anti-scraping clauses in terms of service, monitoring web traffic for abnormal data flows, and using robots.txt files. These recommendations are not mandatory, and data controllers must assess their necessity based on current technology and implementation costs.

Read the full blog post.

🇦🇹🤖 Austria’s DSB Publishes Information on the relationship between the GDPR and the EU AI Act for controllers in the private and in the public sectors

The Austrian Data Protection Authority (DSB) issued guidelines on the relationship between the GDPR and the new EU AI Act, formally adopted on 21 May 2024. The DSB emphasized that the GDPR remains applicable when personal data is processed by AI systems. The guidelines, one aimed at private controllers and another aimed at public controllers, stress the importance of legal bases under Articles 6(1) and 9(2) of the GDPR for processing personal data. Special attention is given to Article 22 GDPR, which governs automated decision-making. The DSB also highlights that data controllers bear the burden of proving lawful processing and that non-compliance with GDPR can lead to corrective measures, including fines.

Read the full blog post.

🇪🇺🤖 EDPS Issues Guidelines on Generative AI for EU Institutions

The European Data Protection Supervisor (EDPS) published its first orientations on generative AI and data protection. The guidelines provide EU institutions with advice on processing personal data using generative AI systems to ensure compliance with Regulation (EU) 2018/1725. Emphasizing data protection principles, the orientations aim to cover various scenarios without prescribing specific technical measures. They mark the first step towards more detailed guidance that will evolve with generative AI technologies and the EDPS’s oversight activities.

Read the full blog post.

🇩🇰🤖 Danish DPA publishes AI data protection impact assessment template

On 22 May 2024, the Danish Data Protection Agency (Datatilsynet) released two templates to assist companies and authorities in conducting impact assessments. One template addresses AI solutions, and the other is more general. These templates aim to help organizations perform adequate and timely assessments, addressing challenges identified in an October 2023 survey. The AI-specific template includes examples of risks and mitigation measures and emphasizes clear documentation, stakeholder consultation, and regular updates.

Read the full blog post.

🇪🇺👤 EDPB Issues Opinion on Facial Recognition at Airports

The European Data Protection Board (EDPB) issued an Opinion regarding the use of facial recognition technologies by airport operators and airlines to streamline passenger flow. The Opinion, prompted by a request from the French Data Protection Authority, emphasizes the need for maximum control by individuals over their biometric data due to significant privacy risks. It finds that only storage solutions where biometric data is kept by individuals or encrypted centrally with keys in individuals’ hands are compliant with GDPR principles of data protection by design and security. Less intrusive alternatives should be sought to avoid excessive data processing.

Read the full blog post.

🇺🇸📊 NIST Reports First Results From Age Estimation Software Evaluation

The National Institute of Standards and Technology (NIST) has released a report on age estimation software, evaluating six algorithms. The study found no single algorithm significantly outperformed the others. NIST plans to update results every four to six weeks, anticipating improvements due to advancements in artificial intelligence. The study highlights variations in age estimates due to factors like facial expressions and eyeglasses. The evaluation used around 11.5 million photos from various U.S. government sources, emphasizing the need for ongoing testing to keep up with technological advancements.

Read the full blog post.

🇪🇺✍️ Advocate General Opinion on GDPR and Company Registers (Case C‑200/23)

Advocate General Medina addressed the interplay between EU data protection regulations and company law concerning the public disclosure of personal data in company registers. The case involves the refusal by Bulgaria’s Registration Agency to erase personal data from a company’s constitutive instrument, published in the commercial register. The AG emphasized that the agency must balance data protection rights with legal transparency obligations. The opinion underscored the need for procedural safeguards to protect personal data while ensuring necessary public access to company information.

Read the full blog post.

🇨🇦📘 Quebec CAI Releases User-Friendly PIA Companion Guide

The Quebec Commission on Access to Information (CAI) has introduced a new, user-friendly version of its Privacy Impact Assessment (PIA) Companion Guide on May 14, 2024. This guide, updated from its September 2023 edition, enhances accessibility for those overseeing personal information protection. It outlines when a PIA is necessary, steps for conducting a PIA, and preparing PIA reports. Additionally, a non-mandatory PIA reporting template is provided to assist public bodies and businesses, promoting thorough and compliant privacy practices.

Read the full blog post.

🇱🇻📋 Latvian DVI Outlines Actions Post-DPO Appointment

The Latvian Data State Inspectorate (DVI) issued guidelines for organizations after appointing a Data Protection Officer (DPO). The guidelines emphasize informing the DVI of the DPO’s contact details, notifying citizens, updating changes, and reporting terminations. The DPO can be either DVI-certified or a knowledgeable professional, appointed via employment or outsourcing. Ensuring DPO availability during absences is crucial for continuous data protection compliance.

Read the full blog post.

🇪🇺📊 EDPB Statement on Financial Data Access and Payments Package

The European Data Protection Board (EDPB) adopted Statement 2/2024, addressing the European Commission’s proposals for Financial Data Access (FIDA), Payment Service Regulation (PSR), and Payment Service Directive (PSD3). The EDPB highlights the need for clear rules on recording and disclosing personal data, defines obligations for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), and emphasizes data protection, transparency, and minimization. Key recommendations include robust safeguards in transaction monitoring, defining ‘permission’ distinct from GDPR consent, and enhancing cooperation among supervisory authorities.

Read the full blog post.

🇮🇪 Irish DPC Publishes 2023 Annual Report

The Data Protection Commission (DPC) published its 2023 Annual Report, detailing significant actions and statistics. The DPC issued 19 decisions, resulting in €1.55 billion in fines, including €1.2 billion against Meta for data transfers to the US and €345 million against TikTok for child data processing violations. The report highlighted a 20% increase in new cases, totaling 11,200, and the DPC’s input on over 37 legislative proposals.

Read the full blog post.

🇨🇦✂️ Quebec Implements Personal Information Anonymization Regulations

The Quebec government’s Personal Information Anonymization Regulation came into force on 30 May 2024. This regulation sets criteria and procedures for anonymizing personal data, requiring public bodies and private businesses to destroy or anonymize data once its intended use is fulfilled. Organizations must follow best practices and regularly reassess anonymized data to ensure continued anonymity. Article 9, detailing record-keeping requirements, will take effect on 1 January 2025.

Read the full blog post.

🇪🇪🤖 Estonian Information System Authority Publishes Report on Risks and Controls for AI and Machine Learning Systems

On 27 May 2024, Estonia’s Information Systems Authority released a report titled “Risks and Controls for Artificial Intelligence and Machine Learning Systems”. The report covers the history and applications of AI, providing practical controls to mitigate risks. Key topics include use cases, explainability, regulatory trends such as the EU AI Act, legal roles of stakeholders under GDPR, deployment models, and risk assessment. Section 8 offers a practical quick reference guide for organizations, detailing steps for identifying threats, applicable laws, and selecting controls.

Read the full blog post.

👇 That’s it for this edition. Thanks for reading, and subscribe to get the full text in a single email in your inbox! 👇