Latest Worldwide Developments on Personal Data
Meta plans EU targeted advertising opt-outs.
The Wall Street Journal reports Meta intends to offer EU users the option to opt out of data processing practices for targeted advertising. The change will be exclusive to EU Facebook and Instagram users as Meta works to meet a compliance order from Ireland's Data Protection Commission concerning legal bases for data processing under the EU General Data Protection Regulation. The plan allows users to submit an online opt-out form to elect targeted ads based on broad categories of data. Meta will review the opt-out request before honoring a selection. European privacy rights group NOYB, which brought the original case to the DPC, plans to legally challenge Meta's new process.
Garante blocks ChatGPT data collection; group calls to stop new releases.
Italy's data protection authority, the Garante, ordered a "temporary limitation of the processing of data of Italian users" by ChatGPT developer OpenAI and opened an investigation into the artificial intelligence vendor. The Garante cited a lack of information provided to users about data collected by OpenAI and a lack of legal basis justifying "the mass collection and storage of personal data."
The Center for Artificial Intelligence and Digital Policy asked the U.S. Federal Trade Commission to stop new artificial intelligence chatbot releases by OpenAI. The advocacy group said GPT-4 is "biased, deceptive, and a risk to privacy and public safety."
Facebook's $725M settlement in Cambridge Analytica suit receives preliminary approval.
U.S. District Court for the Northern District of California Judge Vince Chhabria granted preliminary approval to Facebook's USD725 million settlement in a class-action lawsuit related to the 2018 Cambridge Analytica claims, the plaintiff's law firm Keller Rohrback said in a statement. "To date, this is the largest privacy class action settlement in the United States," the firm said, adding it is pleased with the preliminary approval and looks "forward to completing the approval process as quickly as possible."
Norway DPA publishes guide helping businesses identify holiday cyber threats.
Norway’s data protection authority, Datatilsynet, published guidance to help businesses identify potential cyberattacks that often spike during holidays, such as Easter. During periods of closure, businesses relying on temporary or inexperienced employees could see the risk of a cyberattack increase. The document offers tips for the types of privacy assessments that should be conducted if a business suspects it may have experienced an attack.
UK releases white paper on AI regulatory framework.
The U.K. Department for Science, Innovation and Technology published a white paper with its approach to regulating artificial intelligence technologies. The regulatory framework seeks to "build public trust in cutting-edge technologies and make it easier for businesses to innovate, grow and create jobs." The approach consists of five AI principles: safety, transparency, fairness, accountability and governance, and redress. U.K. regulators will roll out guidance within the next 12 months to help organizations implement new rules.
Nunavut privacy commissioner recommends charges over medical records access.
Nunavut Information and Privacy Commissioner Graham Steele recommended charging a former Nunavut doctor for allegedly accessing a colleagues’ medical records "on numerous occasions" over an 18-month period and reprimanded the Department of Health for not implementing the privacy recommendations it committed to three years ago. Steele, who recommended the department implement software to flag suspicious access of medical records and change security protocols to protect records, mandated a progress update from the department by the end of the year.
Al chatbots ‘‘built by all of us’’
The Atlantic reports that while artificial intelligence chatbots are built using data available online, there is "an uncomfortable disparity between who does the work that enables these AI models to function and who gets to control and profit from them." Chatbots are created "by ingesting books and content that have been published on the internet by a huge number of people. So in a sense, these tools were built by all of us," the report states.
Children's online privacy anticipated to be key issue for lawmakers.
Axios reports on children's privacy measures anticipated to come before U.S. Congress, as states take separate action. Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., are expected to reintroduce the Kids Online Safety Act in April, while Utah passed two bills limiting online activity of those under age 18 and other states are considering similar proposals. "With inaction by Congress, we have states with different laws, and time is of the essence," said Rep. Kathy Castor, D-Fla., who plans to reintroduce the Kids PRIVCY Act.
Data breach affects 780K Dutch railway passengers.
The Dutch national railway, NS, has revealed a data breach may have affected more than 780,000 passengers, NL Times reports. NS partners with market research firm Blauw, which recently discovered an "external party" gained access to its data through a third-party software provider. NS riders who participated in a satisfaction survey may have had personally identifiable information compromised, and the matter has been referred to the Netherlands’ data protection authority, the Autoriteit Persoonsgegevens.
France DPA, fines rental scooter company over geolocation data collection.
France's data protection authority, the Commission nationale de l'informatique et des libertés (“CNIL”), fined rental scooter company Cityscoot 125,000 euros for collecting and maintaining a record of vehicles' geolocation data. The CNIL said Cityscoot failed to comply with data minimization and contractual framework obligations under the EU General Data Protection Regulation, and also violated the French Data Protection Act by failing to inform users and obtain consent to access the data.