The Privacy Explorer | Week 26

Welcome to The Privacy Explorer recap of privacy, digital and AI news for week 26 of 2024 (24-30 June)! 


💰 Avanza Bank Fined 1.34M EUR In Sweden For Misconfiguration Of Meta Pixel

The Swedish Authority for Privacy Protection (IMY) fined Avanza Bank AB 15 million SEK for violating GDPR Article 5(1)(f) and Article 32(1). Between 15 November 2019 and 2 June 2021, Avanza used Meta Pixel without implementing proper technical and organizational measures, leading to unauthorized disclosure of high-risk personal data, including personal IDs and financial information, to Meta (Facebook). The incident affected between 500,000 and 1 million individuals. IMY found that Avanza failed to follow its own procedures and to detect these unauthorized data disclosures promptly.

Read the full blog post here.

🛡️ Sweden's Post and Telecom Authority Launches E-Service for Cyber Security Act Compliance

On 24 June 2024, the Swedish Post and Telecom Authority (PTS) introduced an e-service, ‘Are we covered by the CSL?’, to help companies determine if they fall under the new Cyber Security Act, effective 1 January 2025. The Act, which implements the NIS 2 Directive, mandates companies in digital infrastructure, ICT services management, space, postal and courier services, and digital supply to register with PTS. This tool is advisory and assists in evaluating compliance, though final responsibility lies with the companies.

Read the full blog post.

📢 Arkansas AG Sues Temu for Data Theft and Privacy Violations

On June 25, 2024, Arkansas Attorney General Tim Griffin sued Chinese e-commerce company Temu for violating the Arkansas Deceptive Trade Practices Act and the Arkansas Personal Information Protection Act. Griffin described Temu as a data-theft business disguised as an online marketplace, alleging it illegally accessed users’ personal information and monetized the data without authorization. The lawsuit targets Temu’s parent companies, PDD Holdings Inc. and WhaleCo Inc., seeking to halt their deceptive practices, impose civil penalties, and provide monetary and equitable relief to affected Arkansas residents.

Read the full blog post.

🤖 OECD Explores AI, Data Governance, and Privacy Synergies

The OECD’s report “AI, Data Governance, and Privacy: Synergies and Areas of International Co-operation,” published on 25 June 2024, examines the critical intersection of AI and privacy. Emphasizing collaboration between AI and privacy policy communities, it addresses the challenges posed by generative AI. The report covers key developments in Privacy Enhancing Technologies (PETs) and explores the complexities of applying traditional legal frameworks like “legitimate interests” to AI practices. It calls for harmonizing OECD Privacy Guidelines with AI Principles to enhance regulatory compliance and foster international cooperation.

Read the full blog post.

🛡️ California AG Bonta Reminds Companies of Health Information Obligations

California Attorney General Rob Bonta has issued reminders to major pharmacy chains and health data companies about their legal obligations under the new AB 352 law, which enhances the state’s Confidentiality of Medical Information Act (CMIA). This law, effective from 1 July 2024, prevents the disclosure of reproductive health and gender-affirming care information to out-of-state entities without patient consent. The companies are required to implement robust security measures to protect sensitive health data and avoid sharing it with law enforcement without a warrant, emphasizing the state’s commitment to safeguarding patient privacy following the repeal of Roe v. Wade.

Read the full blog post.

📋 EDPB publishes Standardised Messenger Audit

The EDPB initiated the Standardised Messenger Audit project within the Support Pool of Experts program, prompted by the German Federal Data Protection Authority (DPA). Completed in November 2023 by Prof. Mathieu Cunche, the project developed a detailed test catalogue for GDPR-compliant messenger services. This catalogue, structured around GDPR requirements, assists data protection authorities and companies in evaluating and enhancing data privacy measures in messaging applications used for both personal and business communication.

Read the full blog post.

🤖 EDPB publishes Checklist for AI auditing

The EDPB, in collaboration with the Spanish data protection authority (AEPD), initiated a project to enhance the GDPR compliance of AI systems. This project includes the development and piloting of tools and a checklist to inspect and audit AI systems. Key elements involve model card requirements, system maps, bias identification and testing, adversarial audits, and the publication of audit reports. These measures aim to improve transparency and accountability in AI systems, facilitating better oversight by data protection authorities.

Read the full blog post.

EDPB publishes report on data protection risks of AI for Optical Character Recognition (OCR)

On 27 June 2024, the EDPB published the results of a project under the Support Pool of Experts program, assessing data protection risks associated with AI-powered Optical Character Recognition (OCR). Conducted by external expert Isabel Barbera and completed in September 2023, the report identifies significant privacy risks in OCR technology, such as data breaches, unlawful data storage, and the unlawful handling of sensitive information. The findings emphasize the need for robust safeguards and strict compliance with data protection regulations to mitigate these risks effectively.

Read the full blog post.

🧠 EDPS and AEPD Insights into Challenges of Neurodata Processing for Privacy and Data Protection

On 27 June 2024, the Spanish Data Protection Agency (AEPD) and the European Data Protection Supervisor (EDPS) published a joint report on neurodata processing. Neurodata, defined as information gathered from the brain and nervous system, includes brain activity, structure, and function data. The report warns of significant privacy risks, especially with the rise of neurotechnologies in marketing and entertainment. It proposes the creation of new “neurorights” and emphasizes stringent data protection principles, including proportionality and transparency, to address the invasive nature of neurodata.

Read the full blog post.

💸 FTC Bans Avast from Selling Web Data and Fines $16.5 Million

The Federal Trade Commission (FTC) has finalized an order against Avast Limited, banning the company from selling or licensing web browsing data for advertising. This decision follows allegations that Avast, through its subsidiary Jumpshot, sold consumer browsing data without proper notice or consent, despite claims of protecting privacy. Avast is required to pay $16.5 million, which will go towards consumer redress. The FTC also requires Avast to delete the collected data, notify affected consumers, and implement a comprehensive privacy program.

Read the full blog post.

🎾 Tennis Players Raise Privacy Concerns Over ATP's New Wearable Policy

The ATP Tour’s approval of in-competition wearables for performance analytics has sparked concerns among players. Novak Djokovic and Vasek Pospisil criticized the decision to collect and store data via the ATP’s Tennis IQ program, questioning the lack of autonomy for players over their data. Pospisil’s concerns highlight issues of data control, monetization, and player independence. The new policy takes effect from July 15. ATP seems unaware that GDPR applies to it, and that there is regulator guidance on collecting performance data from athletes.

Read the full blog post.

👇 That’s it for this edition. Thanks for reading, and subscribe to get the full text in a single email in your inbox! 👇

♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy, digital and AI education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.
