Data Protection News Update 17 April

United States

Vimeo agrees to pay 2.25 million USD in AI-related biometric privacy lawsuit

  • In a privacy lawsuit against Vimeo and its AI-based video creation and editing platform (Magisto), it was claimed that the platform collected and stored the user’s biometric data and that this was done without the user’s consent.
  • Vimeo denies any wrongdoing but agreed to pay a 2.25 million USD nonetheless.

Tesla faces class action lawsuit over alleged privacy issues

  • The lawsuit was brought forward in the US District Court for the Northern District of California.
  • It is alleged that Tesla employees could access video footages and images of customer’s vehicle cameras and shared them for their amusement in their internal messaging system.


Spain’s Data Protection Authority urges EDPB probe into ChatGPT

  • Reuters reports that the AEPD officially urges the EDPB to review ChatGPT’s compliance with the GDPR.
  • It is also said that the AEPD envisions a ‘coordinated decision at European level’ towards ChatGPT and that ‘harmonised actions can be implemented within the framework of the application of the General Data Protection Regulation’

EDPB makes binding dispute resolution decision concerning Meta data transfers

  • The case was brought forward by Ireland’s Data Protection Commission (DPC).
  • In its binding decision, the EDPB settles whether an administrative fine and/or an additional order to bring processing into compliance must be included in the DPA’s final decision.
  • The decision has not yet been made public.
  • The DPC has now one month to implement the decision.

EDPB creates task force on ChatGPT

  • In the plenary meeting of the 13th of April 2023, the EDPB discussed the enforcement action by the Italian data protection authority against OpenAI and ChatGPT and decided to launch a dedicated task force to ‘foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities’.

France’s data protection authority receives first two complaints concerning ChatGPT

  • The two complaints received by CNIL concern the personal data use by ChatGPT.
  • One complaint from a lawyer brings forth that when they created an account to use ChatGPT, there was no ‘general conditions of use’ to accept and no privacy policy to peruse. An attempt was made with the company to exercise the right of access but it remained unsuccessful.
  • Furthermore, French digital minister, Jean-Noël Barrot declared that ChatGPR is in violation of the GDPR but argues that it still should not be banned.


Liberal party of Canada fights privacy rules for parties as government mulls legislation

  • In Canada, federal political parties are exempt from federal privacy rules. This means that they can collect and process personal data from Canadian voters with no oversight. Safeguards that are imposed on private companies and most public institutions do not apply to them.
  • The liberal government intends to change that and suggests the implementation of a ‘uniform federal approach’ to the data processing of all political parties.

South Korea’s Supreme Court decides against Google

  • South Korea’s Supreme Court decided that Google must provide information if it shared the personal data of South Korean citizen with third parties.
  • The original complaint alleges that personal data was shared with the US National Security Agency’s PRISM surveillance program.
  • ‘The Supreme Court’s decisions […] are in line with South Korea’s recent tendency to take a tough stance on regulatory matters concerning foreign technology giants’

United Kingdom

ICO comments on UK government’s AI white paper

  • The ICO welcomes the ambitious approach by the government to AI regulation which is described as ‘pro-innovation’.
  • The ICO notes that the white paper should clarify on the respective roles of the government and the regulators in issuing of guidance and advice as a result of the proposals in the AI White Paper.
  • The ICO gives guidance on the five principles introduced in the AI White Paper which have been discussed in a previous Monday news update. It says that the principles should be interpreted in a way that is compatible with the data protection principles in the UK GDPR, so that additional burden or complexities for businesses can be avoided.

Campaigners call for stricter oversight of workplace AI

  • Concerns were raised about surveillance and the use of ‘management by algorithm’.
  • They also voice worries that the UK government is about to weaken the protection that was provided by the GDPR, since the GDPR was used in a number of cases where employees fought for their rights in the workplace, using the GDPR to bridge ‘the gaps in employment law’.
  • The government’s AI white paper was dismissed by campaigners as ‘basically just a bunch of intentions with no firepower behind it’.


More Posts

Send Us A Message