The Privacy Explorer | Week 23 & 24

Welcome to The Privacy Explorer recap of privacy news for weeks 23 and 24 of 2024 (3-16 June)! 

📉 Addressing AI Risks in the Workplace: Workers and Algorithms

The European Parliamentary Research Service issued a briefing on the impact of algorithms and AI in the workplace. The briefing highlights the tension between strict regulation and minimal oversight, exploring how AI improves productivity but poses risks like job loss and worker surveillance. It also discusses the EU’s legislative approach and the role of collective bargaining in managing these technologies. Despite some regulatory efforts, significant questions about AI’s workplace impact remain.

📝 Hamburg Commissioner Issues Guidance on Applicant Data Protection and Recruiting

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has emphasized the importance of protecting personal data in the application process, especially with the rise of artificial intelligence. The position paper discusses the legal status and rights of applicants, highlights the need for clear definitions in recruiting, proper data storage in talent pools, and cautions against the use of AI for emotion analysis while outlining conditions for CV parsers.

🔐 New Security-Focused Software Testing Measure Added to Danish DPA's Catalogue

The European Data Protection Supervisor (EDPS) published its first orientations on generative AI and data protection. The guidelines provide EU institutions with advice on processing personal data using generative AI systems to ensure compliance with Regulation (EU) 2018/1725. Emphasizing data protection principles, the orientations aim to cover various scenarios without prescribing specific technical measures. They mark the first step towards more detailed guidance that will evolve with generative AI technologies and the EDPS’s oversight activities.

🗂️ FRA publishes GDPR in practice – Experiences of data protection authorities

The European Union Agency for Fundamental Rights (FRA) report analyzes the challenges faced by data protection authorities (DPAs) in the implementation of the General Data Protection Regulation (GDPR). Key findings include inadequate resources threatening DPAs’ mandates, high volumes of complaints, public misunderstanding of data protection laws, and challenges posed by new technologies. The report emphasizes the need for additional tools and stronger cooperation between DPAs, highlighting significant discrepancies in resources and capacities across Member States. This report complements the European Commission’s evaluation of GDPR (see below).

🇪🇺 Multistakeholder Expert Group's Report on GDPR Application

On 10 June 2024, the Multistakeholder Expert Group on GDPR published a comprehensive report evaluating GDPR application. The report highlights increased data protection awareness and compliance among stakeholders. However, it also identifies ongoing issues such as legal fragmentation, difficulties in applying specific provisions, and challenges for SMEs. Concerns include transparency obligations, the interplay with other regulations like AML and PSD2, and complexities in data transfers. The report calls for enhanced guidance and consistency in GDPR application across EU member states.

👥 Bavarian Data Protection Authority Issues Joint Controllership Guidance

The Bavarian Data Protection Authority released new guidance on joint controllership under GDPR Article 26. This document clarifies the roles and responsibilities when two or more entities jointly determine the purposes and means of processing personal data. It aims to alleviate concerns and provide practical recommendations, emphasizing the legal necessity of a transparent agreement delineating each party’s obligations. This guidance helps entities navigate the complexities of shared data responsibilities, enhancing accountability and transparency in data processing activities.

⚖️ AG Opinion on the exemption from the obligation to provide information under Art. 14(5)(c) GDPR

Advocate General Medina issued an opinion on interpreting GDPR Article 14(5)(c), addressing whether data controllers must inform data subjects about data generated by the controllers themselves. Medina clarified that Article 14(5)(c) exempts controllers from this obligation if obtaining or disclosing data is required by law and the law provides appropriate protective measures. Additionally, supervisory authorities can review whether these laws offer sufficient protection.

📱 Netherlands DPA Issues Guidance on Social Media Use in Education

The Dutch Data Protection Authority (AP) has advised educational institutions to use social media only if clear agreements are made with social media companies regarding the handling of student and teacher data. The AP highlighted significant risks associated with social media, emphasizing the need for transparent data handling and consent procedures. Institutions must ensure compliance with GDPR and prioritize data protection.

🤖 CNIL Issues Recommendations on GDPR Compliance for AI Systems

On 7 June 2024 CNIL released the English translation of its recommendations for applying GDPR to AI system development (published in April), addressing the misconception that GDPR hinders AI innovation. These guidelines – “AI how-to Sheets” 1 to 7 – emphasize responsible handling of personal data, essential for model training. Key aspects include defining a clear objective for AI systems, determining responsibilities, establishing a legal basis for data processing, ensuring lawful data reuse, minimizing data usage, setting data retention periods, and conducting Data Protection Impact Assessments (DPIAs).

🔍 CNIL launches new public consultation on practical guidelines for developing AI systems

The CNIL launched a second public consultation on developing AI systems, releasing new practical guides and a questionnaire to help professionals balance innovation with privacy rights. These “AI how-to sheets”, available for consultation until 1 September 2024, cover key issues like web scraping, open-source models, and data subjects’ rights. This follows initial recommendations published in April 2024, aiming to clarify GDPR application to AI.

⚙️ Hong Kong's New AI Data Protection Framework Released

The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong published the “Model Personal Data Protection Framework” for AI on 11 June 2024. This framework provides detailed recommendations for enterprises on procuring, implementing, and managing AI systems while ensuring data privacy. It emphasizes a risk-based approach, human oversight, and compliance with the Personal Data (Privacy) Ordinance (PDPO). 

📡 Cyber Security Agency of Singapore Publishes IoT Device Security Advisory

The Cyber Security Agency of Singapore (CSA) issued an advisory on securing Internet of Things (IoT) devices. While IoT devices are revolutionizing daily life and business, they also attract cyber threats. Common vulnerabilities include weak passwords, insecure network services, and outdated software. The advisory provides measures to protect these devices, such as using strong passphrases, enabling automatic updates, buying from reputable manufacturers, and implementing physical access controls. CSA also advises on steps to take if IoT devices are compromised.

🤖 IAPP AI Governance in Practice Report 2024

The “AI Governance in Practice Report 2024” addresses the critical need for robust AI governance amidst rapid advancements in machine learning technology. These breakthroughs have significantly disrupted various sectors, emphasizing the responsibility of leaders to manage AI risks. The report outlines the essential principles, laws, policies, processes, and standards required for AI governance. It highlights transparency, bias mitigation, privacy, and security as key areas of focus. The report provides actionable insights to help organizations implement effective AI governance strategies and ensure the safe, responsible deployment of AI technologies.

📢 noyb Files Complaint Against Microsoft for Violating Children's Privacy

noyb filed a complaint with the Austrian Data Protection Authority against Microsoft on 4 June 2024, alleging that Microsoft’s 365 Education services violate children’s privacy rights. The complaint claims that Microsoft shifts GDPR responsibilities to schools, which lack control over data processing. Microsoft’s use of tracking cookies without proper consent from minors or their guardians breaches GDPR. noyb calls for an investigation and penalties, arguing that Microsoft’s practices harm children’s data protection rights.

🚨 noyb Files Complaint Against Google’s Privacy Sandbox

noyb has filed a complaint with the Austrian data protection authority against Google. The complaint argues that Google used deceptive pop-ups to mislead users into enabling an “ad privacy feature” that actually tracks them via the new Privacy Sandbox API. The API replaces third-party cookies with first-party tracking within the Chrome browser. Google used manipulative design techniques, known as dark patterns, to secure user consent, violating GDPR requirements for informed and transparent consent. The complaint demands Google’s compliance with GDPR and suggests imposing a significant fine.

⛔ Meta Halts AI Rollout in Europe Following Irish DPC Request

Meta has paused the launch of its AI tools in Europe after a request from Ireland’s Data Protection Commission (DPC). This decision comes after the digital rights group noyb filed complaints in 11 European countries, criticizing Meta’s vague AI plans and the opt-out requirement for users. Meta planned to use public posts from Facebook and Instagram to train AI models. The DPC’s decision, welcomed by other European authorities, followed intensive discussions with Meta. Meta expressed disappointment, noting it had incorporated regulatory feedback since March.

👇 That’s it for this edition. Thanks for reading, and subscribe to get the full text in a single email in your inbox! 👇
