Skip links

November Recap | Monthly Privacy Newsletter

Here's our monthly newsletter for all your privacy, data protection, and AI news.
Make sure to subscribe at the bottom of this article if you want this recap to be delivered directly to your inbox.

sam altman meme

Privacy News

  • Meta launched ‘Pay for Data’ in Europe – After trying to rely on several legal bases for their targeted ads practices, such as the performance of a contract and legitimate interest, Meta is now launching paid subscriptions to use Facebook and Instagram in Europe. Users can choose between paying €10 or consenting to behavioural advertising with Meta’s “pay or data” approach. While many mistake this approach for “pay for privacy”, Meta will still process and sell personal data to third parties, even if users pay the monthly fee, as it would only set you free from getting targeted ads served.
    • The EDPB’s urgent binding decision noted that ‘The Irish DPC is currently evaluating this together with the Concerned Supervisory Authorities (CSAs).’
    • Norway’s DPA has already stated it has strong doubt about this proposed solution.
  • EU lawmakers to discuss AI rulebook’s revised governance structureThe AI Act is a landmark law that regulates artificial intelligence based on its capacity to cause risk. The European Commission drafted a compromise text, including a new proposal on regulating general-purpose AI models. 

    • The AI Office is to monitor and enforce the General Purpose AI (GPAI) models, requesting information, conducting ex-post evaluations, and appointing independent experts. It can also request GPAI model providers to take measures and impose sanctions, and provide coordination support for joint investigations.

    • The European Artificial Intelligence Board – The compromise bill creates an AI Board with one representative per EU country, renewable once. It is tasked with ensuring consistent application of the AI rulebook across the bloc and advising on secondary legislation, codes of conduct, and technical standards.

    • Scientific PanelThe panel advises the AI Office on General Purpose AI models, including advising on classifying models with systemic risks. The panel also suggests relevant benchmarks for GPAI models.

  • The EDPB provides Guidelines on the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions, such as URL and pixel tracking, local processing, tracking based on IP only, intermittent and mediated IoT reporting, and unique Identifier. Article 5(3) of the ePrivacy Directive is most commonly known for establishing the cookie notice and cookie consent requirements in the EU. However, Article 5(3) of the ePrivacy Directive covers more than just cookies. 
      • The EDPB stated that “information includes both non-personal and personal data, regardless of the method of storing and accessing these data.” According to this, Article 5(3) applies regardless of whether cookies or similar technologies are used to store or access information on someone’s terminal equipment.
      • It is argued by the EDPB that the ePrivacy Directive may apply to devices used by multiple users, and that terminal equipment can be made up of a number of individual pieces of hardware that together form a terminal. Smartphones, laptops, connected cars, connected TVs, and smart glasses are examples of this.
      • In addition, the EDPB clarifies that Article 5(3) does not only apply to cookies, but also to tracking pixels, tracking links, other device fingerprinting techniques, certain types of local processing that transfer information outside of the user’s device, IoT reporting, and certain instances of IP tracking.
privacy laws

Regulatory Landscape

  • The US Senate introduces a bill on artificial intelligence research, innovation, and accountability – The bill defines artificial intelligence systems as engineered systems that generate outputs, such as content, prediction, recommendations, or decisions for a given set of objectives using machine and human-based inputs.

    • The bill requires the Undersecretary of Commerce for Standards and Technology to carry out research on authenticating content generated by human authors and artificial intelligence.

    • Secure and binding methods are needed to append a statement of provenance to content, to ensure authenticity, to display clear and conspicuous statements of content provenance to the end user, and to ensure attribution for content creators.

    • The bill requires that individuals operating covered internet platforms that use generative AI systems provide notice to each user that the platform uses generative AI to generate content the user sees.

    • High-impact AI systems are subject to transparency restrictions, and must submit a report annually. The bill also notes the required content of each transparency report.

More AI News - It’s All About AI These Days…

  • Global guidelines for AI security (November 27)- The UK, US and 15 other countries announced that they’ve agrees on global guidelines for AI security. The guidelines are recommended to any systems that use AI, whether they have been created from scratch or built on top of tools and services provided by others”. This also means tools built with ChatGPT’s API or HuggingFace open-source models.
    According to the guidelines, there are 4 key areas in the developments in AI systems life cycle:
      • Secure design– This section contains guidelines that apply to the design stage of the AI system development life cycle. This includes understanding risks and threat modelling, staff awareness of threats and risks, map threats to the systems, design for security alongside performance, consider security benefits and tradeoffs when selecting an AI model
      • Secure development – This section contains guidelines that apply to the development stage of the AI system development life cycle. This includes securing the supply chain, identifying, tracking and protecting assets, documenting data, models and prompts, and managing the technical debts. 
      • Secure deployment – This section contains guidelines that apply to the deployment stage of the AI system development life cycle. This includes securing the infrastructure, ongoing protection of the model, developing an IRP,  and releasing and managing AI responsibly. 
  • The UK House of Lords has introduced draft AI legislation. Some key items from the Artificial Intelligence (Regulation) Bill are:
    • An AI Authority should be established to ensure alignment with other “relevant” regulators, monitor AI regulatory frameworks, etc;
    • The AI Authority shall takes into account the need for businesses developing, deploying or using AI to be transparent; to test AI thoroughly and transparently; and to comply with applicable laws, including those relating to data protection, privacy, and intellectual property;
    • The bill promotes inclusivity by design and avoid discrimination;
    • Businesses should be mandated (through SoS regulations) to appoint AI Officers to supervise safe, ethical, unbiased, and nondiscriminatory AI use;
    • Require that those who train AI provide all third-party data and IP used in training to the AI Authority to ensure that it is only used with informed consent (including “opt-out).
  • The California Bar adopts a first-of-its-kind AI guidance for attorneys. Among the guidance notes are: Lawyers must not charge hourly fees for the time they save by using generative AI, they must understand how the technology works, they must engage in continuous learning about artificial intelligence biases, they must ensure competent use of the technology, they must apply diligence and prudence to facts and laws, and they must ensure accuracy of all generative AI outputs.
  • The French Data Protection Authority, CNIL, has published guidelines on the use of AI, along with an action plan for data controllers and processors who process personal data using AI. CNIL offers resources to help data controllers and processors use AI to process personal data without violating the GDPR. 

Where’s the fun without some Fines & Enforcement?

Take a Note

cookies cnil
By subscribing below, you can receive this newsletter monthly to your inbox.
Noa Kahalon

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.

Samuel Solberg
Samuel Solberg
CEO at hoggo | + posts

Samuel is an experienced privacy consultant who holds CIPM, CIPP/E, and FIP certifications from the IAPP, as well as an L.L.M. He is the co-founder and CEO of hoggo, a privacy tech startup that aims to eliminate privacy concerns for businesses.