IAPP Europe Data Protection Digest https://iapp.org/news/europe-data-protection-digest/ Europe Data Protection Digest - Your source for the most important privacy and data protection news from the European Union. UK Parliament committee to review EU-UK adequacy agreement https://iapp.org/news/a/uk-parliament-to-review-eu-uk-adequacy-agreement-ahead-of-looming-renewal-decision https://iapp.org/news/a/uk-parliament-to-review-eu-uk-adequacy-agreement-ahead-of-looming-renewal-decision The U.K. House of Lords European Affairs Committee launched a formal inquiry to review the data privacy adequacy agreement between the EU and the U.K. ahead of a renewal decision. The inquiry includes reviewing the adequacy decision, examining potential challenges to the existing regime and understanding the implications if the adequacy agreement was dissolved or disrupted.
Full story

]]>
2024-03-18 11:45:44
UK DPDI Bill advances to House of Lords committee stage https://iapp.org/news/a/uk-dpdi-bill-advances-to-house-of-lords-committee-stage https://iapp.org/news/a/uk-dpdi-bill-advances-to-house-of-lords-committee-stage Members of the U.K. House of Lords will begin their review of the proposed Data Protection and Digital Information Bill. The House of Lords set committee hearings on the legislation 20, 25 and 27 March, during which several new amendments will be discussed, which include ensuring children's data is part of the definition of sensitive data. U.K. Information Commissioner John Edwards issued his updated opinions on the DPDI Bill. Additionally, the ICO released new guidance on issuing fines for violations of data protection laws.
Full story

]]>
2024-03-18 11:45:34
The key elements for understanding marketing privacy https://iapp.org/news/a/the-key-elements-for-understanding-marketing-privacy https://iapp.org/news/a/the-key-elements-for-understanding-marketing-privacy As data protection laws increase in complexity, "marketers must navigate this changing terrain with agility," Lime Legal founder Lisette Meij, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP, and Uplevel founder and Principal Raashee Gupta Erry, CIPP/US, CIPM, write. They said overlooked compliance areas include website modifications and legally integrating new clients and vendors. They also recommended privacy professionals better collaborate with marketing teams by looking at "legal requirements with a creative eye."
Full story

]]>
2024-03-18 11:44:49
EDPB begins work on age verification definitions https://iapp.org/news/a/aepd-edpb-approves-work-on-age-verification-definitions https://iapp.org/news/a/aepd-edpb-approves-work-on-age-verification-definitions According to Spain's data protection authority, the Agencia Española de Protección de Datos, the European Data Protection Board has taken up a mandate to craft online age verification guidelines. Spain's Council of Ministers recently formed a working group to study how such a system would work while protecting users' data and privacy.
Full story

]]>
2024-03-18 11:43:22
Garante announces accreditation of telemarketing monitoring body https://iapp.org/news/a/italys-dpa-announces-accreditation-of-telemarketing-monitoring-body https://iapp.org/news/a/italys-dpa-announces-accreditation-of-telemarketing-monitoring-body Italy's data protection authority, the Garante, announced the telemarketing monitoring body has been accredited and is set to enforce the previously adopted code of conduct. The body will ensure  telemarketers adopt the code, including "specific measures to guarantee the correctness and legitimacy of the data processing carried out along the entire telemarketing 'chain.'"
Full story

]]>
2024-03-18 11:42:37
Iceland DPA issues children's data protection advisory https://iapp.org/news/a/icelands-ppa-offers-advice-for-putting-childrens-images-online https://iapp.org/news/a/icelands-ppa-offers-advice-for-putting-childrens-images-online Iceland's data protection authority, the Personuvernd, offered advice on how to process children's data and post minors' images online prior to the authority's EU General Data Protection Regulation compliance checks. The agency suggested considering a child's view on whether they want to be posted and to follow the "special protection" measures under the GDPR.
Full story

]]>
2024-03-18 11:42:28
European Commission requests information from multiple VLOPs, VLOSEs under DSA https://iapp.org/news/a/european-commission-issues-rfis-to-multiple-vlops-vloses-under-dsa https://iapp.org/news/a/european-commission-issues-rfis-to-multiple-vlops-vloses-under-dsa The European Commission issued requests for information on risks posed by generative artificial intelligence use by six very large online platforms and two very large search engines under the Digital Services Act. These inquires were issued to Facebook, Instagram, Snapchat, TikTok, YouTube and X, formerly Twitter, as well as Bing and Google. Meanwhile, the Commission also issued a request for information to Linkedin on its alleged use of targeted advertising and a formal inquiry against AliExpress for alleged DSA violations.
Full story

]]>
2024-03-15 11:41:48
Provisional agreement reached on European Health Data Space https://iapp.org/news/a/council-of-european-european-parliament-reach-provisional-agreement-on-ehds https://iapp.org/news/a/council-of-european-european-parliament-reach-provisional-agreement-on-ehds The Council of the European Union and European Parliament struck a provisional agreement on the establishment of the European Health Data Space. The law attempts to give EU citizens greater access to and control of their electronic health data, while also enabling certain data to be reused for public health improvements and scientific research.
Full story

]]>
2024-03-15 11:40:48
IAB releases State of Data 2024 report https://iapp.org/news/a/iab-releases-its-state-of-data-2024-report https://iapp.org/news/a/iab-releases-its-state-of-data-2024-report IAB released its State of Data 2024 report to assess "privacy compliance and sustainable, consumer-friendly strategies." The report claimed the digital advertising industry is not prepared for data privacy changes after 82% of surveyed advertisers said the structure of their organizations have been impacted by legislation and user-tracking signal loss.
Full story

]]>
2024-03-15 11:40:03
Council of Europe finalizes AI framework https://iapp.org/news/a/coe-finalizes-ai-framework https://iapp.org/news/a/coe-finalizes-ai-framework The Council of Europe Committee on Artificial Intelligence completed the Artificial Intelligence, Human Rights, Democracy and the Rule of Law Framework Convention. "While this treaty has been elaborated by the Council of Europe with like-minded international partners, it will be a global instrument, open to the world," Council Secretary General Marija Pejčinović Burić said. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard.
Full story

]]>
2024-03-15 11:39:21
Understanding EU governments' mechanisms for access to private data https://iapp.org/news/a/understanding-eu-governments-mechanisms-for-obtaining-access-to-private-data https://iapp.org/news/a/understanding-eu-governments-mechanisms-for-obtaining-access-to-private-data The IAPP Research and Insights Team created an infographic featuring a nonexhaustive list of key instruments EU law enforcement agencies and governments employ for obtaining access to private data. In recent years, strict requirements on allowing government access to data have emerged that companies are left to navigate when approached by a government entity seeking to review various tranches of data.
Full story

]]>
2024-03-15 11:12:11
A view from Brussels: EU AI Act adoption is 'not the arrival point for AI legislation' https://iapp.org/news/a/a-view-from-brussels-eu-ai-act-adoption-is-not-the-arrival-point-for-ai-legislation https://iapp.org/news/a/a-view-from-brussels-eu-ai-act-adoption-is-not-the-arrival-point-for-ai-legislation Unless you have been living in a cave with no internet connection this week, you will have seen ample reporting — including from the IAPP — on the European Parliament's adoption of the EU AI Act.

AI Act co-rapporteurs Dragoş Tudorache and Brando Benifei celebrated Wednesday's vote as a major achievement for the EU, marking the end of a long parliamentary journey that even predates the European Commission's original proposal. While now is the time for implementation, they also conveyed the EU's ambition moving forward: to support implementation of the regulation and promote its safe and human-centric approach globally.

This week's vote is not the arrival point for AI legislation. In the short term, Parliament officials have already stated a corrigendum to the AI Act will be published in April and both texts will then be approved by the Council of member states before being published in the Official Journal of the European Union.

In the medium term, the next European Commission will have more to do on AI. It will have to tackle AI in the workplace and work on attracting investment in Europe. It will also pick up negotiations on the AI liability proposal and will likely look at AI and intellectual property, not to mention keep an eye on the implementation of the AI Act and that of the updated Product Liability Directive which is about to enter into force.

"It's complicated" doesn’t even begin to describe the state of affairs. The IAPP is launching a suite of resources to help privacy pros navigate what this means and how to get started, including LinkedIn Lives, 101 infographics and, of course, ongoing reporting as the clock starts to tick soon on the implementation period for many organizations.

Incidentally, on the same day Parliament adopted the AI Act, France's President Emmanuel Macron received a report from the country's AI Commission. Set up last September, the commission was tasked with making suggestions to strengthen France's position on AI, and the 25 recommendations in its report focus on six areas:

  • A nationwide training and awareness plan for all sectors.
  • AI innovation financing with the creation of a 10 billion euro short-term fund.
  • Super-computing power.
  • Data access, including facilitating access to personal and public sector data, deleting certain authorization requirements for health data, reducing the CNIL's response time to requests, creating sectoral databases, and clarifying data sharing rules — all of which are already addressed at the EU level.
  • Public research and collaboration with the private sector.
  • Global governance, creating a global AI organization and setting up an international fund to support ethical AI development.

Elsewhere:

  • Also this week, the European Parliament formally adopted the revised Product Liability Directive. The directive governs compensation for damage suffered due to a product defect, establishing a regime of strict liability and updating 40-year-old rules. The directive expands the scope of products to cover digital products like software and AI, expands the concept of damage to include loss or corruption of data, changes the burden of proof in cases where proving the defectiveness or a causal link is difficult due to technical or scientific complexity, changes liability for damage regarding the identification of a liable party and includes cases where a product has been significantly modified and reintroduced into the market, and extends the liability period in exceptional cases. Once it enters into force, this updated law will impact many manufacturers, importers and distributors in the EU.
  • The European Parliament also adopted the Cyber Resilience Act this week with 517 votes in favor, 12 against and 78 abstentions. The Council is next to formally approve before the legislation is published to the OJEU for entry into force. The European Commission originally proposed this regulation for "products with digital elements" with two main objectives: to encourage a life-cycle approach to cybersecurity of connected devices and to ensure they are placed on the market with fewer vulnerabilities; and to allow users to take cybersecurity into account when selecting and using connected devices. The CRA defines the chain of responsibility in the cybersecurity ecosystem and introduces, among other new obligations, a cybersecurity risk assessment in the technical documentation of a new connected device and requirements to report incidents impacting security of connected devices as well as actively exploited vulnerabilities — both within a window of 24 hours of becoming aware the incident.
  • The European Union Agency for Cybersecurity presented an overview of its Cybersecurity Certification framework. This work stems from the Cybersecurity Act, adopted in 2019, which created an EU-level framework for EU-wide rules for the cybersecurity certification of products, processes and services. The framework has been the basis for drafting common criteria certification, 5G, and more significantly perhaps, trusted cloud services. This last bit has been the source of intense political and technical discussions going right at the heart of sovereignty debates, as France has been promoting the inclusion of sovereignty requirements in EU-level schemes. The debate is not yet resolved, explaining the delays in finalizing trusted cloud schemes. This work could also be relevant for AI as ENISA is assessing whether and how this cybersecurity certification workstream could apply to the technology, as well as how schemes under elaboration could be re-used. An amendment to the certification framework piece of the CSA was proposed in April 2023 to extend its application to "managed security services."
]]>
2024-03-14 13:48:57
Guernsey ODPA releases data sharing guidance https://iapp.org/news/a/guernsey-promotes-data-sharing-guidance https://iapp.org/news/a/guernsey-promotes-data-sharing-guidance The Guernsey Office of the Data Protection Authority released a guide on data sharing to help people understand how to protect children while keeping their information safe.
Full story

]]>
2024-03-14 13:10:48
Norway's DPA to unveil PrevBOT to monitor for child abuse on social media https://iapp.org/news/a/norways-dpa-webinar-will-unveil-prevbot-to-monitor-social-media-for-child-abuse https://iapp.org/news/a/norways-dpa-webinar-will-unveil-prevbot-to-monitor-social-media-for-child-abuse Norway's data protection authority, Datatilsynet, will host a webinar 21 March to showcase a research collaboration between the Norwegian Police Academy and the University of Agder. The partnership created the PrevBOT, which is designed to patrol open social media to prevent the sexual abuse of children by using artificial intelligence to identify possible behaviors that could indicate a risk of abuse.
Full story

]]>
2024-03-14 13:10:44
Denmark's DPA rules against unlawful cookie wall practice https://iapp.org/news/a/denmarks-dpa-decides-cookie-walls-that-block-content-violates-user-consent https://iapp.org/news/a/denmarks-dpa-decides-cookie-walls-that-block-content-violates-user-consent Denmark's data protection authority, Datatilsynet, ordered newspaper Berlingske's to bring its cookie walls use into EU General Data Protection Regulation compliance. An investigation found the company blocked content if a user did not allow data collection. Datatilsynet said the practice does not meet valid consent requirements under the GDPR.
Full story

]]>
2024-03-14 13:10:11
CNIL announces plan to protect voter privacy  https://iapp.org/news/a/cnil-announces-plan-to-protect-voter-privacy https://iapp.org/news/a/cnil-announces-plan-to-protect-voter-privacy France's data protection authority, the Commission nationale de l'informatique et des libertés, announced its plan to protect voter privacy by "reactivating its election observatory." The CNIL said it plans to prioritize voters' data collected by candidates' canvassing efforts and try to eliminate targeted political advertising. 
Full story

]]>
2024-03-14 13:10:10
CNIL, public relations groups create GDPR guide https://iapp.org/news/a/cnil-public-relations-groups-create-gdpr-guide https://iapp.org/news/a/cnil-public-relations-groups-create-gdpr-guide France's data protection authority, the Commission nationale de l'informatique et des libertés, teamed with several public relations associations to create an EU General Data Protection Regulation compliance guide for public affairs work. The groups must follow the rules of the GDPR when collecting information on people they represent or cover.
Full story

]]>
2024-03-14 13:10:06
Rounding up initial EU AI Act reactions https://iapp.org/news/a/companies-civil-societies-react-to-the-passing-of-the-ai-act https://iapp.org/news/a/companies-civil-societies-react-to-the-passing-of-the-ai-act Following the passage of the EU Artificial Intelligence Act by European Parliament 13 March, organizations will now be tasked with preparing for various compliance deadlines as regulators roll out the pending regulation's phased implementation. IAPP Staff Writer Lexie White reports on some of the first reactions from a range of stakeholders that will be affected by the incoming rules.
Full story

]]>
2024-03-14 11:42:47
Large language models present privacy risks https://iapp.org/news/a/large-language-models-present https://iapp.org/news/a/large-language-models-present The use of large language models is creating data privacy issues because they tend to disclose personal information they scrape from the internet without the consent of the data subject, Axios reports. Artificial intelligence data leaks come in many forms, such as an accidental disclosure or through malicious actions like building a model that circumvents privacy controls. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard. 
Full story

]]>
2024-03-14 11:42:41
European Parliament passes Cyber Resilience Act https://iapp.org/news/a/european-parliament-passes-cyber-resilience-act https://iapp.org/news/a/european-parliament-passes-cyber-resilience-act Members of European Parliament adopted the Cyber Resilience Act 12 March. The act covers products like password managers, smart home assistants and other Internet-of-Things devices, which will be split into tiers based on information security risks. The act still needs to be adopted by the Council of the European Union to take effect.
Full story

]]>
2024-03-14 11:41:33