Here’s our monthly newsletter for all your privacy, data protection, and AI news.
This time we thought we’d do a special annual version where we recap the top 10 privacy (and AI) news of 2023! Make sure to subscribe at the bottom of this newsletter if you enjoyed this recap and our monthly newsletters to be delivered directly to your inbox.
Happy reading and Happy New Year!
Top-10 Privacy (and AI) News of 2023
1. US and EU Finalize New Data Privacy Framework
On July 10th, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The adequacy decision concludes that the United States ensures an adequate level of protection – compared to that of the EU – for personal data transferred from the EU to U.S. companies participating in the EU-U.S. Data Privacy Framework. The DPF takes effect immediately.
On July 17, 2023, the U.S. Department of Commerce launched a new website where companies can join the DPF.
It is important to understand that the framework does not apply automatically to every US company; certain conditions must be met. The new framework requires companies to obtain a certification similar to the one needed under the Privacy Shield framework.
If your company was certified for Privacy Shield (which was invalidated), you can become certified for the new framework as well. You have until October 11th to decide whether to renew your certification (unless your renewal date is sooner).
The Beginner Guide To EU-US Data Privacy Framework (DPF)
2. Data Privacy Framework Challenges
In September, French lawmaker Philippe Latombe announced that he would challenge the Data Privacy Framework before the European Union's General Court.
He argued that the framework fails to meet GDPR standards, citing the absence of effective remedies, of access to an impartial tribunal, and of assurances regarding the security of processed data. In October, the General Court refused the interim measures he had requested to pause the implementation of the framework. However, between Mr. Latombe's challenge and separate challenges from other groups, such as the well-known privacy rights advocates NOYB, whose challenges led to the cancellation of the two previous frameworks (Safe Harbor and Privacy Shield), we are most likely looking at years of legal battles.
3. UK-US Data Bridge Extension
By extending the EU-US Data Privacy Framework, the UK’s Secretary of State established a data bridge with the United States. This extension is called the UK-US Data Bridge and came into force on October 12, 2023. This means that by following the certification process included in the Data Privacy Framework, UK companies now have an additional and simpler transfer mechanism available when transferring personal data to the United States.
The Data Bridge allows certified entities to transfer personal data from the UK to the US with little additional effort.
The UK-US Data Bridge – Meaning and Implications
4. EDPB Adopts Finalized Guidelines On The Calculation Of Fines Under GDPR
Guidelines on the Calculation of Administrative Fines under the General Data Protection Regulation (GDPR) were adopted by the European Data Protection Board (EDPB) on June 7, 2023. These guidelines are intended to establish a standardized approach for data protection authorities (DPAs) when determining fines, incorporating consistent starting points. According to the EDPB, three key factors are considered: (i) the nature of the violations, (ii) the severity of the breach, and (iii) revenue generated by the business.
5. The Highest GDPR Fine Yet Was Imposed in May 2023
With the fine of more than €1.2 billion imposed on Meta in 2023, the total amount of GDPR fines during the regulation's 5 years of existence is now almost €4 billion.
This is another demonstration of the importance of being compliant and committed to data protection regulations. Although many of the fines issued so far have been aimed at big tech and larger corporations, plenty of smaller companies have also been fined, and the continued drive to improve enforcement mechanisms and processes shows that fines will only rise.
6. The EU AI Act
After much drama and heated debate, on December 8, 2023, the European Parliament and Council reached political agreement on the European Union's Artificial Intelligence Act ("EU AI Act"). The Act, the first regulation in the world focusing on AI, is the legal framework that will govern the sale and use of artificial intelligence throughout the European Union. Its purpose is to set uniform standards for AI systems across every member state.
Upon completion of EU procedures (the trilogue), the AI Act will likely be fully adopted in early 2024, before the European Parliament elections in June 2024, followed by a transition period of at least 18 months until it comes into full force.
The AI Act will be based on risk categorization, in which AI systems are regulated according to the level of risk they pose to the health, safety and fundamental rights of individuals. There are four levels of risk: unacceptable, high, limited, and minimal.
AI systems with unacceptable risk are banned. Based on the consensus among the three proposals, these include systems that manipulate people through subconscious messaging and stimuli, or that exploit vulnerabilities such as socioeconomic status, disability, or age. The use of artificial intelligence for social scoring, i.e. the evaluation and treatment of individuals based on their social behavior, is also prohibited.
7. EDPB provides clarity on tracking techniques covered by the ePrivacy Directive
The EDPB has issued guidelines regarding Article 5(3) of the ePrivacy Directive. These guidelines clarify how the directive applies to various technical operations, especially new and emerging tracking techniques. Article 5(3) of the ePrivacy Directive is best known for establishing the cookie notice and cookie consent requirements in the EU. However, according to the guidelines, Article 5(3) covers far more than just cookies.
8. California’s Delete Act enhances personal data privacy
The Delete Act (SB 362), signed by California Governor Gavin Newsom, allows residents to request deletion of their personal data from all data brokers in the state through a single request, streamlining a process that previously required a separate request to each broker.
Data brokers must register with the California Privacy Protection Agency and provide an easy, free method for data deletion. Non-compliant brokers face fines. The law takes effect by 2026 with some exemptions for certain companies.
9. CJEU landmark rulings on “credit ranking”
SCHUFA is a German credit scoring agency that collects vast amounts of personal data to determine a person's creditworthiness. Banks and companies use this score to decide whether someone is "trustworthy" enough for certain services, such as being granted a loan or a mobile phone contract. SCHUFA was making these determinations by processing personal data with automated decision-making systems.
The Court of Justice of the EU has ruled that this practice falls under Article 22 of the General Data Protection Regulation (GDPR) and is prohibited where it has a significant impact on individuals' lives. Given that SCHUFA scores are used to make decisions with exactly such an impact, especially when banks rely on them to approve loans, the court declared the practice illegal.
10. Meta moved to a ‘pay or consent’ approach in the EU
Meta has proposed a “Pay for your Rights” model, suggesting that EU users pay $14 monthly, totaling $168 (€160) annually to opt out of personalised advertising.
Many mistake this for "pay for privacy", assuming that if they pay, their privacy will be protected. However, even if a user pays this fee, Meta will still continue certain tracking and other privacy-violating practices. It has also been argued that the "consent" option in the free version is misleading: users who opt out are still tracked and profiled for purposes other than targeted advertising, even though they believe they are opting out of all data collection.
Meta's decision to change its privacy approach did not come voluntarily. It follows another successful lawsuit filed by NOYB. Meta's bypassing of user consent had previously been declared illegal by the European Data Protection Board (EDPB), and according to the Court of Justice of the European Union (CJEU), Meta's data usage practices from 2018 to 2023 were illegal in the EU.
2023 has been a pretty intense year and not just in the world of privacy and AI.
These were the events from the world of privacy and AI we thought were worth another mention as most of them will continue to follow us throughout 2024 and beyond.
One of the things that makes the privacy sector so interesting is the same thing that makes it challenging: it is constantly changing and developing. This is what makes staying up to date so important.
But no worries, we've got you covered. We'll be sending monthly newsletters throughout 2024 to keep you informed about everything that's going on, including updates on legislation, court rulings, and industry practices.
If you haven’t yet, make sure you subscribe today!
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background spans marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.
Samuel Solberg
Samuel is an experienced privacy consultant who holds CIPM, CIPP/E, and FIP certifications from the IAPP, as well as an L.L.M. He is the co-founder and CEO of hoggo, a privacy tech startup that aims to eliminate privacy concerns for businesses.