Latest Worldwide Developments on Personal Data


Spain's data protection authority, the Agencia Española de Protección de Datos, issued guidelines to aid public administrations' data protection impact assessments on proposed legislation. The AEPD stated DPIAs in the public sector need to occur "from the design of the standards," while outlining the criteria for execution of assessments and analysis of results.




Ireland's Data Protection Commission published four guides for parents on children's data protection rights under the EU General Data Protection Regulation. The guides outline the basics of children's data protection rights, when parental consent may be needed for processing children's data, advice on how parents can protect their children's data, and limits to exercising children's data protection rights. The DPC said the guides are meant to help parents understand their children's rights "and to answer questions that can arise in typical situations where those rights apply."




Italy's data protection authority, the Garante, fined a digital marketing services company 300,000 euros for allegedly illegally processing users' personal data for marketing purposes. The Garante said the company's online portals used dark patterns to entice users "to pay consent to the processing of data for marketing purposes and to the communication of data to third parties always for the same purpose." The company was also unable to demonstrate obtained consent for sending promotional messages, the Garante said.




Vietnam's government published a Decree on Protection of Personal Data, effective 1 July. The decree implements principles around data collection, processing and storage. Under the decree, organizations are required to notify the Ministry of Public Security within 72 hours of detecting a violation.




Ireland Data Protection Commissioner Helen Dixon expects her office to render the final decision in Meta's EU-U.S. data transfers case by 12 May, The Irish Times reports. Dixon divulged the DPC's intentions while noting the regulator's enforcement actions in general "do take time to do properly." The DPC can offer its decision after the European Data Protection Board announced the finalization of its binding Article 65 decision on the matter.



New York Attorney General Letitia James published a guide with recommendations to help businesses prevent data breaches and protect consumers' personal information. Tips include maintaining secure authentication controls, encrypting sensitive customer information, ensuring third-party vendors are using appropriate security measures, guarding against attacks, and putting quick and accurate data breach notification measures in place. "When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches," James said.




MIT Technology Review reports OpenAI faces challenges in complying with EU data protection laws due to its use of data to train its ChatGPT models. OpenAI would have to prove consent or "legitimate interest" as a legal basis for collecting data to train its algorithms to comply with the EU General Data Protection Regulation. If it can't, Alexis Leautier, an artificial intelligence expert at France's data protection authority, the Commission nationale de l'informatique et des libertés, said OpenAI could face fines and requirements to delete models and the data used to train them.



The U.K. Information Commissioner's Office reprimanded Surrey and Sussex police for using an app that recorded and automatically saved more than 200,000 phone calls without individuals' knowledge. The ICO said the app was downloaded onto the work phones of 1,015 staff members and it was "highly likely" it captured "a large variety of personal data," the processing of which the ICO determined was "unfair and unlawful." The ICO issued the reprimand instead of a 1 million GBP fine per department.




The European Data Protection Board published a report from its taskforce of European Economic Area data protection authorities on 101 complaints filed by NOYB regarding legal data transfers following the Court of Justice of the European Union's "Schrems II" judgment. The report shows a common position among DPAs on EU-U.S. transfers using Google Analytics and Facebook Business Tools and their compliance with requirements under Chapter V of the EU General Data Protection Regulation. Positions taken within the report reflect those of DPAs, not the EDPB.




The U.K. National Cyber Security Centre created guidance for implementing data-driven cybersecurity. The cyber resiliency approach relies on "the use of data and scientific methods to make more evidence-based decisions" in terms of security. To utilize DDC, an organization must have "high availability, quality and timeliness of data" while employing skilled workers who "engineer, govern and analyse the data," develop its infrastructure and can report findings with the goal of creating "actionable insights from data."

