We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

• Further to the compliance order issued by the Irish Data Protection Commission, Meta now intends to exclusively offer Facebook and Instagram EU users “the option to opt out of data processing practices for targeted advertising”, as of April 5, 2023. Moreover, Meta aims to “review the opt-out request before honoring a selection.” Read here →
• ChatGPT’s processing of Italian users’ data has been halted by the Italian Garante and an inquiry has commenced in relation to the unlawful collection of personal data and the lack of an age verification system in particular where children are concerned. ChatGPT now has a 20-day window within which it is to implement the measures ordered by the Garante, failing which a “fine of up to EUR 20 million or 4% of the total worldwide annual turnover may be imposed.” Report here on iubenda →
• The German Data Protection Conference (DSK) has published its evaluation of subscription models on websites. The evaluation considered that tracking of users’ behavior can be based on consent if a tracking-free model, which may also be subject to a pecuniary charge, is offered as an alternative. Both subscription models, whether offered against consent or payment, must be an equivalent alternative to the other and in line with the requirements of the GDPR. Access here → (In German)

2) Notable Case Law

• French data protection authority, CNIL, has imposed a fine of €125,000 on CITYSCOOT for breaching the privacy of its customers by frequently tracking their location every 30 seconds. The company was found to have violated GDPR as it failed to comply with the data minimization principle and obtain the consent of the users. Read about the decision here →
• The Czech Republic’s data protection authority, Úřad pro ochranu osobních údajů, imposed a fine of 13.7 million euros on Avast, a cybersecurity software company, for allegedly processing consumers’ data illegally. Avast has been accused of collecting and selling private browsing data without users’ consent or knowledge, potentially exposing their identities. Reported here → (In Spanish)

3) New and Upcoming Legislation

• France has ratified the modification to the Council of Europe Convention 108+ which concerns the protection of the automatic processing of individuals’ personal data. The CNIL held that “This is an important step in the process of bringing this new version of the only binding international treaty on the protection of personal data into force.” Read here →
• UK Law Updates
  • Following the introduction of the revised Data Protection and Digital Information Bill, the U.K. Regulatory Policy Committee, has now published its “fit for purpose” opinion which analyses among others the “latest draft of the bill, including its amendments for the scientific research exemption, legitimate interest-based processing and use of existing data transfer mechanisms.” Access here →
  • The UK Government has launched an AI white paper “to guide the use of artificial intelligence in the UK, to drive responsible innovation and maintain public trust in this revolutionary technology.” The white paper draws upon 5 principles being: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress. Reported on our blog →
• US Law Updates
  • California: The Office of Administrative Law has approved the revised CCPA Regulations, which will enter into effect immediately. “The revised CCPA Regulations update the existing CCPA Regulations to harmonize them with amendments adopted pursuant to the California Privacy Rights Act of 2020 (‘CPRA’) including operationalizing new rights and concepts introduced by the CPRA, as well as reorganizing and consolidating requirements set forth to make the CCPA Regulations easier to follow and understand.” Press release →
  • Iowa: Senate Bill 262 for consumer data protection was signed by the Governor and has become law.
  • Pennsylvania: House Bill 708 on consumer data protection introduced to House of Representatives.
  • Rhode Island: Senate Bill 754 on transparency and data protection for the personal identifiable information of Rhode Islanders introduced to Senate.
  • Arkansas: Senate Bill 66 on protection of minors personal data sent to Governor for signature.
  • Connecticut: Senate Bill 3 on online privacy, data and safety protections was introduced to Senate and Senate Bill 1103 relating to AI, automated decision-making, and personal data privacy was introduced to Senate and referred to Committee.

4) Strong Impact Tech

• The non-profit, charitable organization Center for AI and Digital Policy has filed a Federal Trade Commission (FTC) complaint wherein it stated that the FTC “should order OpenAI to halt the release of GPT models until necessary safeguards are established. These safeguards should be based on the guidance for AI products the FTC has previously established and the emerging norms for the governance of AI.” Read here →
• ABC News has reported that the state of Arkansas has filed lawsuits against social media companies TikTok and Meta, citing alleged violations of the Deceptive Trade Practices Act. It is further alleged that both companies, (including also TikTok’s parent company ByteDance, against which two lawsuits were brought) “deceived consumers about children’s safety on their platforms.” Reported here →
• Further to the Cambridge Analytica scandal, the Californian District Court’s preliminary approval of a $725 million settlement in In re: Facebook, Inc. Consumer Privacy User Profile Litig., was historically granted. Whilst the approval process is still pending, this remains the largest US privacy class action settlement contemplated to date. Reported here →

Other key information from the past weeks

• A ChatGPT bug leaked user’s conversation history, as well as “visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window.”
• New Hampshire’s Attorney General announced that he has joined a group of 5 other attorney generals in reaching a $9 million multistate settlement with Google.
• The Finnish Sanctions Board of the Ombudsman has imposed corrective measures on Forenom Oy after an investigation prompted by data subjects’ complaints