Latest Worldwide Developments on Personal Data
EDPB updates guidelines on personal data breach notification.
The European Data Protection Board published updated guidelines on personal data breach notification under the EU General Data Protection Regulation. The guidelines, adopted 28 March following public consultation, clarify notification requirements for personal data breaches at non-EU establishments. The guidelines state each supervisory authority for member states where affected data subjects reside need to be notified of a breach.
Judge orders Google to pay $79K in privacy case.
U.S. District Court of the Northern District of California Judge Susan Van Keulen ordered Google to pay a USD79,000 fine for failing to comply with a privacy class-action ruling, Reuters reports. Van Keulen's decision follows a class-action lawsuit claiming the company illegally tracked users through Chrome's "incognito" mode. Google has said users consented to data collection, with a spokesperson saying the company "provided and disclosed countless documents and discovery."
Media organizations oppose Australia privacy law reform.
Australia's Right to Know coalition — made up of leading media outlets and organizations — opposes privacy law reform, saying it would have a "devastating impact on press freedom and journalism," the Guardian reports. The proposed reform includes a right to sue for serious privacy invasions and would require media companies to comply with requirements around securing and destroying private information. The group said the proposal would be "contrary to public interest and result in a significant curtailing of press freedom in Australia."
ICO fines TikTok 12.7M GBP over alleged misuse of children's data.
The U.K. Information Commissioner's Office fined TikTok 12.7 million GBP for breaches of the U.K. General Data Protection Regulation. While TikTok's terms of service states children under age 13 are not allowed to create an account, the ICO estimated more than 1 million U.K. children under 13 were on the platform in 2020. The ICO also said TikTok used personal data of children under 13 without parental consent and did not take sufficient measures to remove underage children from the platform. "TikTok should have known better. TikTok should have done better," Information Commissioner John Edwards said.
BEUC calls for investigation into generative AI technology.
The European Consumer Organisation called on EU and national authorities to investigate ChatGPT and similar generative artificial intelligence chatbots, raising concerns the unregulated technology puts unprepared consumers at risk. While work is underway on the EU's AI Act, the BEUC said "there are serious concerns growing" now. "For all the benefits AI can bring to our society, we are currently not protected enough from the harm it can cause people," Deputy Director General Ursula Pachl said.
Tesla to warn of security camera risks in Germany.
Following a lawsuit filed by the Federation of German Consumer Organisations, Tesla will warn of the data privacy risks posed by its vehicle security cameras in Germany, Reuters reports. The lawsuit alleged Tesla misled consumers by not notifying them that the "sentry mode," which records a car's surroundings, could violate data protection regulations if it films individuals in public spaces without their knowledge.
FTC anticipated to bring children's privacy suit against Amazon.
Politico reports the U.S. Federal Trade Commission is anticipated to pursue a children's privacy lawsuit against Amazon over use of data by its Alexa voice assistant. While details of the case are unknown, sources said the FTC is expected to refer a complaint to the Department of Justice's Consumer Protection Branch, which will then have 45 days to bring a case forward. The FTC can proceed separately if the DOJ declines.
ICO guidance: Data protection obligations key in generative AI use, development.
The U.K. Information Commissioner's Office Executive Director, Regulatory Risk, Stephen Almond published guidance for organizations developing or using generative artificial intelligence. Almond, who outlined eight areas the ICO will focus on, said data protection obligations should be considered "from the outset, taking a data protection by design and by default approach." Almond said, "There really can be no excuse for getting the privacy implications of generative AI wrong. We'll be working hard to make sure that organisations get it right."
EU, Japan conclude first review of mutual adequacy agreement.
European Commissioner for Justice Didier Reynders and Personal Information Protection Commission of Japan Chairperson Mieko Tanno announced the first review of the EU-Japan mutual adequacy agreement has successfully concluded. A joint press release said the review demonstrates increased convergence between the EU and Japan's data protection frameworks and that the agreement is working well. Reynders said, "Japan and the EU reaffirm that, in the digital era, maintaining high data protection standards and facilitating international trade should and can go hand in hand."
Customer data exposed during Service NSW website update.
The Service NSW government department said thousands of customers' personal data may have been exposed for 90 minutes during a website update, The Australian reports. In an email to 3,700 affected customers, CEO Greg Wells said, "the update resulted in some customers’ information being visible to other customers who were logged in to the website." Compromised data could include driver’s license and vehicle registration information or mobile phone numbers. The agency notified the Information and Privacy Commission.