Data Protection News Update 24 March

United Kingdom

European Commission proposes UK adequacy deadline extension

  • The European Commission has proposed an extension of its two UK adequacy determinations from 2021. The deadline for UK adequacy is currently set for 27th June, but the proposed six-month extension would move the deadline to 27th December.
  • The proposal comes as the UK Parliament moves to pass the Data (Use and Access) Bill. The extension would take some pressure off the adequacy procedure as the UK finalises the DUA legislation.
  • With a potential extension, it is not expected that the UK bill would be delayed. The only possibility for delay is if there is something in the bill that the European Commission wants to be removed (or something which they consider should be added) for adequacy to be conferred.
  • According to Bates Wells Partner and Head of Data and Privacy Eleonor Duhs, this would be unlikely as the relevant amendments would have been made before this late stage. The Commission’s proposal should give reassurance to organisations in both the UK and the EU that both sides want UK data adequacy to continue.

New ICO regulatory commitments aim to support economic progress

  • On 17th March, the ICO unveiled new commitments under the UK government’s growth agenda that aim to leverage the existing data protection regulatory regime to support economic growth.
  • The planned initiatives include piloting a new data protection sandbox regime, improved support for small and medium-sized businesses, updated guides for AI and international data transfers, and more.
  • As global economies like the EU and the US are exploring their own versions of deregulation to foster technological innovation, the ICO’s approach signals the UK will attempt to find a middle ground between impactful regulation and unfettered technology use and development. Replacing enforcement with more oversight is a clear goal within the measures.
  • For example, the proposed sandbox update is designed to “enable businesses to trial innovative data-driven solutions within a controlled regulatory environment”, with participating projects expected to spur future guidance on various data protection matters. Additionally, the SME Data Essentials training program launching in 2025 will educate businesses on compliance to avoid potential malpractice.

United States

Judge stops Musk’s team from ‘unbridled access’ to Social Security private data

  • Following a wave of lawsuits against Elon Musk’s “Department of Government Efficiency” (DOGE), another judge has ordered a temporary stop to data sharing with the tech billionaire’s aides.
  • The most recent decision refers to the Social Security Administration providing DOGE “unbridled access” to systems containing information of every person who has applied for or been given a social security number in the US.
  • Information in the SSA’s records includes social security numbers, personal medical and mental health records, driving licence information, bank account data, tax information, earnings history, birth and marriage records, and employment and employer records.
  • Musk justifies access as necessary to investigate alleged fraudulent practices by the public to claim social security payments using the identities of deceased people. However, former SSA officials claim that the names of millions of deceased people are inside the main database because it contains records dating back to the agency’s founding in the 1930s, not because they receive payments.
  • In response to the decision, Leland Dudek, the acting head of the SSA, has threatened to shut down the entire system rather than comply with the order, to “let the courts figure out how they want to run a federal agency”. The SSA did not immediately respond to a request for comment about Dudek’s remarks.

Europe

Meta AI is finally coming to the EU, but with limitations

  • On 20th March, Meta announced it will launch its AI-powered virtual assistant in the EU, despite an ongoing regulatory battle with European privacy authorities.
  • Meta AI has been available in the US since September 2023, serving as an AI assistant capable of not just chatting and answering questions, but generating images and creating stylistic selfies. However, at this time, the European launch will only feature the chat-based features.
  • The launch had been postponed in 2024 after the Irish Data Protection Commission questioned the company’s plans to use data of adult users of Facebook and Instagram to train large language models (LLMs) without a valid legal basis under the GDPR. At the time, Meta had implemented an onerous opt-out process based on the company’s legitimate interests, rather than a simple opt-in model focused on consent.
  • Meta has confirmed that the version of the AI assistant currently being launched in the EU has not been trained on local users’ data, which is why it won’t be notifying EU users or otherwise seeking their consent.

Amazon considers appeal after court sides with regulator on record privacy fine

  • A Luxembourg national court upheld a record privacy fine of €746 million imposed on Amazon. The fine was issued by the Luxembourg Data Protection Authority (CNPD) in 2021 for failing to ask for users’ consent to process personal data for marketing purposes, and Amazon appealed against it.
  • The Administrative Court of Luxembourg rejected Amazon’s appeal and confirmed the CNPD’s initial decision. Amazon now has 40 days to submit a new appeal to further challenge the decision.
  • Amazon confirmed it is considering an appeal, as the CNPD’s decision allegedly “imposed an unprecedented fine based on subjective interpretations of the law about which they had not previously published any interpretive guidance.”
  • The effects of the CNPD’s decision will remain suspended during the appeal period and, where applicable, during any appeal proceedings before the Administrative Court.

International

Norwegian files complaint after ChatGPT falsely said he had murdered his children

  • Arve Hjalmar Holmen, a self-described “regular person” with no public profile in Norway, asked ChatGPT for information about himself and received a reply stating that he murdered his two young sons and received a 21-year prison sentence for the crimes.
  • Holmen filed a complaint with the Norwegian Data Protection Authority, claiming that although the story is false, it still contained elements similar to his life, such as his hometown, the number of children he has and the age gap between his sons. The complaint argues that these outputs could have a harmful effect on his private life and reiterates that he has never been accused or convicted of any crime.
  • The complaint alleges that ChatGPT’s “defamatory” response violated accuracy provisions within the GDPR and asks the Norwegian authority to order OpenAI to adjust its model and to impose a fine on the company.
  • In response, an OpenAI spokesperson said the company is committed to “reduce hallucinations”, and that the complaint refers to a version of ChatGPT that has since been enhanced with online search capabilities to improve the AI model’s accuracy.
