We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• The CNIL evaluated its cookie action plan from 2020 to 2022, aiming to promote compliance and improve user understanding of cookies. The plan had a significant impact, with increased awareness and rejection of cookies. The evaluation suggests a potential reduction in advertising tracking on French websites. Read here → (In French)
• The Cypriot Data Commissioner has completed 30 audits concerning the use of cookies in relation to news and other public information websites. The main issues found to date include:
  • lack of information about the purposes of using cookies;
  • the express consent to the use of cookies, or the method of obtaining such consent, is not tantamount to valid consent; and
  • cookies used to measure website traffic were erroneously categorized as absolutely necessary cookies. Access here → (In Greek)
• The Transparency and Consent Framework Version 2.2 was released by IAB Europe. Removing the legitimate interest legal basis for advertising and content personalization whilst giving end users better information were among the main policy amendments. More information on it and the transition period can be found here →
• The 2022 activity report of the Berlin data protection authority has been published, highlighting notable consultation procedures, imposed fines, and reflecting on key areas of focus. The report outlines key areas of focus, including:
  • the provision of advice related to data protection-compliant digitization of public administrations;
  • the supervision of the operationalization of the data management systems within the healthcare sector;
  • workplace data protection promotion, including employee monitoring; and
  • following upon the development of a transparency law

2) Notable Case Law

• Meta faces a significant ruling from the Irish Data Protection Commission (DPC). The decision entails a hefty fine of €1.2 billion and the suspension of European personal data transfers to the United States. Meta plans to appeal the decision, while also hoping for a new EU-US data transfer deal. Get the full story here →
• The Canadian Privacy Commissioner is appealing the Federal Court of Canada‘s rejection of the OPC’s 2019 investigation against Meta’s Facebook. This filing aims to protect the privacy rights of Canadians and their trust in the digital society, while raising significant questions about the interpretation and application of privacy law by the Federal Court. The Authority’s announcement here →
• Further to alleged misleading location tracking practices in violation of Washington State’s Consumer Protection Act, Google LLC has agreed to pay a $39,900,000 settlement as imposed by the Attorney General. It was noted that Google made use of unfair and deceptive practices in an effort “to obtain consent for tracking users”. Announcement here →

3) New and Upcoming Legislation

• An implementation notice addressed to government institutions “using de-identification as a data protection technique” was published by the Treasury Board of Canada Secretariat. In addition, the government has also published a Digital Privacy Playbook which aims to assist organizations that are implementing a privacy program.
• According to the Australian Financial Review, Meta has expressed strong opposition to Privacy Act reforms in Australia, citing potential limitations on direct marketing, targeted advertising, and the provision for an unconditional ‘opt-out’ choice for personalized advertisements. Reported here →
• US Law updates
  • Federal: At Federal level, Senate Bill 1671 was introduced which seeks to establish the Digital Platform Commission Act which will create a new Federal body to provide reasonable oversight and regulation of digital platforms. The Bill has so far been read twice and referred to the Committee on Commerce, Science, and Transportation.
  • Louisiana: Senate Bill 162 creating the Secure Online Child Interaction and Age Limitation Act was introduced and then immediately passed by Senate.
  • Iowa: House Bill 712 which introduces an Act relating to social media collection of children’s (defined as under 18 years of age) data referred to Ways and Means Committee of the Iowa House of Representatives.
  • Maine: Senate Bill 1973 for an Act to Enact the Maine Consumer Privacy Act was introduced to the Maine Senate and House Bill 1977 for the Data Privacy and Protection Act was introduced to the House of Representatives.
  • California: Senate Bill 721 relating to the California Interagency AI Working Group has passed the second reading. The Bill seeks to establish the California Interagency AI Working Group for a period until 1 January 2030. The Group is tasked with the deliverance of a report to the legislature regarding artificial intelligence.

4) Strong Impact Tech

• The EDPB is currently investigating TikTok’s alleged mishandling of children’s data further to the Irish Data Protection Commission’s initiation of a dispute resolution mechanism when it “failed to resolve objections raised by other European data protection authorities” while investigating TikTok. Read here →
• The Governor of Montana has official signed the TikTok Ban into legislation, and TikTok has responded by filing a first amendment lawsuit against Montana for banning the app. TikTok has claimed that Montana’s underlying claims for introducing the law are “unfounded” since TikTok denies any involvement with the Chinese Government. More on our blog →
• The Italian Competition Authority (AGCM) has launched an investigation into Apple for alleged abuse of its dominant position in the app market. AGCM claims that Apple imposed a stricter privacy policy on third-party app developers, placing them at a disadvantage in terms of data quality. Read more →

Other key information from the past weeks

• The European Parliament has adopted a resolution opposing the granting of an adequacy decision to the United States.
• The Ibero-American Data Protection Network (RIPD) has initiated a collective action against ChatGPT due to concerns over potential risks to user rights and freedoms regarding personal data processing.
• Members of the European Parliament (MEPs) from the Internal Market Committee and the Civil Liberties Committee have adopted a draft negotiating mandate for the first-ever rules governing Artificial Intelligence (AI).