2024-W14: Meta's appeal denied, New guidelines by UK ICO, Chief AI Officers for US Federal Agencies, Amazon loses battle and more
Eli Atanasov, CIPP/E, PhD
I help businesses put their privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators,
Here is the latest from the Privacy Navigator - your one-stop destination for everything privacy. Another week full of news and resources passed by. Here are the highlights:
Meta's Appeal Denied: FTC Greenlit to Continue Facebook Privacy Probe
Meta Platforms' attempt to delay the Federal Trade Commission's (FTC) renewed scrutiny into its privacy practices was rejected by the U.S. Court of Appeals for the D.C. Circuit.
In a decision issued on the 29th of March, the court determined that Meta did not meet the stringent requirements for an injunction pending appeal on any of its five constitutional challenges, stating that none of them demonstrated a likelihood of success.
This ruling represents another defeat for Meta this month in a series of decisions concerning the FTC's ability to reopen a 2020 privacy settlement. This settlement had previously addressed allegations that the company violated terms after being fined $5 billion in 2023.
At the core of the FTC's proposed changes to the settlement with Meta is a focus on banning the exploitation of minors' data and expanding the limitations on the use of facial recognition technology. Furthermore, Meta faces accusations of employing deceptive practices by providing misleading assurances to parents about the safeguards in place for children's protection. Meta disputes these allegations, arguing that the FTC's dual role as investigator and adjudicator breaches constitutional rights, including the right to a trial by jury.
U.S. District Judge Randolph Moss emphasized that if the FTC's claims that Meta is endangering consumer privacy are accurate, it would be in the public interest for the investigation to proceed.
Besides privacy issues, the FTC has charged Meta with leveraging its dominance in the social media landscape to either suppress or acquire competing entities. Meta has refuted these allegations, which, if validated, might compel the tech giant to divest its ownership of the Instagram photo-sharing service and the WhatsApp messaging app.
This week's edition is sponsored by Conformally.
If you are a privacy professional and want to do your job even better and faster, check out Conformally. Manage and collaborate on everything - DPIAs, Vendors, DSARs, Policies, and more. Try free for 7 days.
New Data Protection Fine Guidelines Issued by the UK ICO
On March 18, 2024, the Information Commissioner's Office (ICO) released its Data Protection Fining Guidance, updating the protocol for imposing fines under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This new guidance supersedes the penalty notice sections of the ICO's 2018 Regulatory Action Policy, providing a modern framework for assessing data protection fines.
First, the updated guidance details the criteria for issuing fines, including the significance of the term 'undertaking', which determines the financial basis for penalties. An undertaking, whose turnover serves as the basis for determining fine amounts, is defined broadly. It encompasses any entity engaged in economic activity and can extend to entire corporate groups for the purpose of calculating fines. This includes assessing the autonomy of the entity in question and the degree of control exercised by parent companies.
Based on the specific provisions violated, the ICO has the discretion to enforce two distinct maximum penalty levels. For the first level, known as the 'standard maximum amount,' penalties can reach up to £8.7 million or 2% of the undertaking's annual global turnover, whichever is greater. In cases of more serious breaches, the 'higher maximum amount' comes into play, imposing fines of up to £17.5 million or 4% of the annual worldwide turnover, whichever is higher.
As the UK contemplates changes to its data protection legislation through the Data Protection and Digital Information Bill, it remains to be seen how these new guidelines will be applied and whether future legal amendments will necessitate further updates to the ICO's approach to fines.
Mandatory Chief AI Officers for US Federal Agencies
The Office of Management and Budget (OMB) has mandated that every US federal agency appoint a Chief AI Officer to oversee the deployment and management of artificial intelligence (AI) technologies.
This move aims to guarantee the safe application of AI within public services. Announced by Vice President Kamala Harris, this directive is part of broader efforts to establish robust AI governance across federal agencies, requiring the creation of AI governance boards by the summer and the submission of annual AI system inventories. These inventories will detail the AI technologies used, associated risks, and strategies for risk mitigation.
Agencies are tasked with ensuring their AI systems adhere to safety and anti-discrimination safeguards and must provide transparency regarding their use of AI. Non-compliance with these safeguards requires the discontinuation of the AI system, unless an exception is justified by agency leadership. Additionally, the government plans to open up its AI models, code, and data to the public, barring any security risks to government operations.
This policy builds upon the Biden administration's AI executive order, emphasizing safety standards and the recruitment of AI talent into government roles. The initiative reflects an ongoing effort to integrate AI responsibly into government operations, even as the US lacks comprehensive AI regulation laws.
Amazon Loses Battle Against Advertising Transparency Requirement
On March 27, Brussels reported that Amazon faced a setback in its attempt to pause a mandate related to its online advertising practices under the EU's Digital Services Act (DSA), as Europe's highest court sided with EU regulators. The court ruled that the interests of the EU take precedence over the concerns of the U.S. online retail giant. As a reminder, the DSA, effective from last year, categorizes Amazon as a major online platform, imposing stringent regulations to combat illegal and detrimental content.
Amazon contested a specific DSA directive demanding the disclosure of comprehensive information about its online advertising in a public repository and sought a temporary suspension while awaiting the court's final decision. Although a lower court initially granted Amazon's request for temporary relief, the European Commission appealed to the Court of Justice of the European Union (CJEU), which overturned the suspension and denied Amazon's plea for interim measures.
The court acknowledged Amazon's concerns regarding potential violations of its rights to privacy and free business conduct as not without merit. It also recognized that not suspending the requirement could lead to significant, irreversible damage to Amazon pending the final court decision. Nevertheless, the court emphasized that halting the enforcement of the DSA might severely hinder the act's objectives, potentially allowing the proliferation of an online environment that could threaten fundamental rights for years.
Amazon expressed its disappointment, insisting that it does not meet the DSA's criteria for being classified as a 'Very Large Online Platform' (VLOP) and should not be subject to such designation.
California's GenAI Guidelines and Risk Assessments Unveiled
On March 22, California state agencies released extensive guidelines aimed at facilitating the procurement process for generative artificial intelligence (GenAI) technologies. These regulations, crafted in collaboration with various state entities including the Government Operations Agency (GovOps) and the Department of General Services (DGS), offer updated definitions and mandates surrounding both incidental and intentional GenAI procurements.
They delineate specific responsibilities for agencies engaging in both incidental and intentional GenAI purchases.
First, for incidental purchases, agencies are required to appoint executive-level team members for continuous monitoring, provide mandatory training for procurement teams, and conduct annual reviews of policy and training effectiveness.
On the other hand, intentional procurements necessitate a more comprehensive approach, including the identification of business needs, risk assessment, and the establishment of communication channels between state staff and end-users. Additionally, state entities must undergo a Generative Artificial Intelligence Risk Assessment to evaluate potential risks associated with GenAI deployment.
Furthermore, vendors participating in state procurement processes are mandated to identify and disclose any GenAI technologies involved in their offerings. Starting from April 30, 2024, all solicitations, regardless of acquisition type, must include GenAI disclosure language, as stipulated by the guidelines.
To ensure comprehensive understanding and compliance with these guidelines, training initiatives are divided into three phases, catering to different levels of staff involvement. Access to training resources related to identifying AI purchases is available to purchasing officials from March 29.
Privacy Navigator
We have added new resources to the Privacy Navigator. You can enjoy:
That's all for now, see you next week!
Eli
European Jurist, Empirical Researcher & Certified DPO, ECPC-B| L.L.M. in Law and Technology| J.D in European Law | B.A (Honors) in Social Sciences with a minor in Political Science | @yourpocketDPO
7 months ago: Thank you Eli Atanasov, CIPP/E, PhD for the newsletter.