Date: 2023-04-26

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates

On 13 April 2023, the EU Data Protection Board announced it had adopted a binding dispute resolution decision on the basis of Article 65 of GDPR concerning a draft decision by the Irish Data Protection Commission on the legality of data transfers to the US by Meta. You can read the announcement here.

Legislation

The International Civil Liberties Center announced, on 6 April 2023, that it had welcomed the acknowledgment by the Government's Teachta Dalas that the use of facial recognition technology by the police poses a serious risk to people's fundamental rights and calls for proper scrutiny of the Government proposals. The ICCL expressed opposition to plans to introduce facial recognition technology into the criminal justice system, as FRT enables mass surveillance and discriminatory targeted surveillance. You can read the press release here.

On 11 April 2023, the ICO announced that it had published its response to the Government's artificial intelligence ('AI') white paper. In particular, the ICO emphasized the importance of reducing additional complexity for businesses, therefore welcoming close collaboration with the Government to ensure that the white paper principles for regulation of AI are interpreted in line with data protection principles. You can read the white paper here and the response here.

On 13 April 2023, the Italian Data Protection Authority ('Garante') announced that OpenAI, LLC (which manages ChatGPT) will have until 30 April 2023 to comply with Garante's requirements and obtain a lifting of the temporary ban on OpenAI processing the data of Italian data subjects. If this happens, ChatGPT will once again be available in Italy. You can read the press release here.

On 13 April 2023, the European Parliament announced that Members of the European Parliament had opposed the adoption of the draft adequacy decision by the European Commission on the EU-US Data Privacy Framework. In particular, the Parliament noted that the resolution explains that the EU-US Data Privacy Framework, while an improvement on the previous framework, does not provide for sufficient safeguards, highlighting that it still allows for bulk collection of personal data in certain cases, does not make collection subject to independent authorization, and does not provide clear rules on retention. You can read the press release here.

Guidance & Draft Guidance

The National Cyber Security Centre issued, on 14 March 2023, a press release exploring cybersecurity issues attached to ChatGPT and large language models. In particular, they noted that competitors had developed and deployed their own AI chatbots, raising questions about security due to them being emerging technologies. You can read the press release here.

On 12 April 2023, in Germany, the Federal Office for Information Security announced the publication of a study on hardware attacks against microcontrollers. You can read the announcement, only available in German, here, and the study here.

On 23 March 2023, the German Federal Office for Information Security ('BSI') announced the publication of new technical guidelines for the secure operation of a public key infrastructure for technical security devices. The BSI explained that business transactions are increasingly being recorded electronically and that electronic recording systems must be protected with a certified technical security device. You can read the guideline here.

On 13 April 2023, the European Data Protection Board published a guide for exercising data subjects' rights under the Schengen Information System ('SIS'). In particular, the guide described how to exercise the rights of access, rectification, and erasure under GDPR. You can read the guide here.

On 13 April 2023, the National Cyber Security Centre announced the publication of a joint guide, issued in cooperation with agencies from the US, Australia, Canada, Germany, the Netherlands and New Zealand, calling on manufacturers to ensure technology products are made Secure by Design and by Default. The guide hopes to ensure that security of customers is a core business goal, and that products require no configuration changes and security features with significant cost. You can read the announcement here, and the guide here.

Data Protection Authority Updates and Privacy News

The Spanish data protection authority ('AEPD') announced on 4 April 2023 its decision in Proceedings No. PS/00678/2022, in which it fined Banco Bilbao Vizcaya €140,000 for violations of Articles 6(1) and 15 of the GDPR following a complaint submitted by an individual. You can read the announcement here, only available in Spanish.

On 6 April 2023, the Office of the Data Protection Authority released its breach statistics for the period between January and March 2023. They noted 38 personal data breaches had been reported. You can read the press release here.

On 11 April 2023, the EU Data Protection Board published the agenda for its April plenary meeting. This agenda outlines that the EDPB will discuss the consistency mechanism, namely the binding decision on the dispute that arose on the draft decision of the Irish Data Protection Commission on transfers of personal data carried out by Meta Platforms Ireland Limited in the context of their Facebook service. You can access the agenda here.

On 4 April 2023, the ICO published its exit report following its work with Good With, a start-up aiming to give young adults fairer access to financial products and services which was accepted. You can read the press release here and the report here.

On 5 April 2023, the Spanish data protection authority ('AEPD') published a blog entitled AI: Systems v Processing, Means vs Purposes. The blog highlights that AI systems may be selected by controllers to implement personal data operations on processing activities. The blog provides that controllers must be the ones to determine whether the results of AI systems would imply an automatic decision or whether to include human supervision to make the final decision. You can read the blog here.

On 11 April 2023, the National Supervisory Authority for Personal Data Processing announced the publication of its draft decision on the approval of accreditation requirements of code of conduct monitoring bodies pursuant to Article 41 of GDPR. In particular, they noted that proposals, suggestions and opinions of interested stakeholders can be submitted via email within ten calendar days. You can read the press release here and the draft decision here, both available in Romanian.

On 13 April 2023, the Spanish AEPD announced it had initiated investigative proceedings into OpenAI, which manages ChatGPT, for a possible breach of data protection regulations. The AEPD has requested the European Data Protection Board to include ChatGPT as a subject of discussion in its plenary meeting, considering the significant impact on the rights of people that requires harmonized and coordinated actions at a European level, owing to the application of GDPR. You can read the announcement here, available in Spanish.

