Data Protection Updates

18 Nov

  1. UK-US CHILDREN SAFETY GROUP
    The UK and the US have established a joint children’s online safety working group to enhance cross-border collaboration, focusing on understanding and mitigating the risks that the digital world, such as generative AI, poses to young people. The group aims to focus on promoting transparency from digital platforms.
  2. UPDATED EDPB GUIDELINES ON ARTICLE 5 OF EPRIVACY DIRECTIVE
    The new Guidelines aim to clarify the application of Article 5(3) of the ePrivacy Directive to various emerging tracking tools (e.g. pixel tracking). The European Data Protection Board (EDPB) identified three key criteria for a technology to fall within Article 5(3): (A) the operations carried out relate to ‘information’ (not personal data); (B) the operations carried out involve a ‘terminal equipment’ of a user/subscriber; and (C) the operations carried out constitute ‘storage’ or a ‘gaining of access’.
  3. EDPB ON RELIANCE ON PROCESSORS
    The EDPB issued an opinion on controller duties when relying on processors. It confirmed that controllers should have information on the identity of all processors and sub-processors readily available at all times, and should verify that the (sub-)processors provide sufficient guarantees regardless of the level of risk.
    The EDPB also specified that a controller is ultimately responsible for all sub-processors, and should decide (based on risk) whether to verify the data protection terms signed by these sub-processors.
  4. PUBLIC DATA & ADVERTISING
    In Maximilian Schrems v Meta Platforms Ireland Ltd (Case C-446/21), the ECJ ruled that a public statement about one’s sexual orientation does not permit an online social network to process the data for personalised advertising. The principle of data minimisation under the GDPR restricts the aggregation and analysis of such data without clear consent.
    In this case, Max Schrems had discussed his sexual orientation in a public panel discussion. This information was then used by Meta to provide Schrems with advertising related to his sexual orientation.
  5. SOCIAL MEDIA & THE DSA
    The European Commission requested information from YouTube, Snapchat and TikTok under the Digital Services Act (DSA) about their algorithms to recommend content to users, focusing on risks to mental health and the spread of harmful content, and the measures put in place to mitigate these risks.
    Under the DSA, platforms must evaluate and adequately mitigate risks from their recommender systems, particularly those relying on engagement-driven design.
    The platforms must respond by 15 November 2024, and face potential fines and/or proceedings for non-compliance.
  6. ICO COMPLIANCE TOOLKIT
    The ICO launched a new audit framework with nine toolkits to help organisations self-assess and improve their data protection compliance, covering key areas likely to be reviewed during an ICO audit.