?? 2024-W16: The end of "Pay or Okay"?, Meta released "open source" Llama 3 model, first international AI Convention and more

Hi privacy navigators,

Here is the latest from the ???Privacy Navigator?- your one-stop destination for everything privacy. Another week full of news and resources passed by. Here are the highlights:

The End of “Pay or Okay”? EDPB Sets New Standards for User Consent

On April 17, 2024, the European Data Protection Board (EDPB) released an Opinion 08/2024 critiquing the 'consent or pay' models used by major online platforms. Following complaints by ?European Center for Digital Rights (NOYB) and requested by the Dutch, Norwegian, and Hamburg Data Protection Authorities, the opinion evaluates the legitimacy of consent in exchange for behavior-based advertising, highlighting the inadequacy of presenting users with only two options: consent to data processing or pay a fee. ?

The EDPB stated that these models often do not meet the GDPR’s requirements for valid consent. It recommended that platforms should avoid making paid alternatives the default for ad-related data processing services. Instead, they should provide an "equivalent alternative" that doesn't involve fees and uses minimal or no personal data for advertising. Should platforms opt to charge for any alternative service, they must also offer a completely free option that eschews behavioral advertising, thus ensuring the consent obtained is genuinely valid.

The board also emphasized the need for consent to be free of any detrimental conditions, the importance of balancing power between users and platforms, and the necessity for consent to be informed, specific, and unambiguous. Platforms should consider whether denying consent could unfairly exclude users from services or lead to other negative consequences.

Moreover, the EDPB reminded controllers that obtaining consent does not absolve them from complying with all other GDPR principles, such as purpose limitation and data minimization. Data processing activities must be shown to be necessary and proportionate.

In conclusion, this Opinion from the EPDB might influence how Meta and other large companies manage consent for processing personal data, suggesting a need for lawful consent mechanisms. ?However, the court will have the final say in determining whether these practices will need to be adjusted in accordance with the EDPB's stance.

See the full text of the EPDB opinion here.

Source

This week's edition is sponsored by?Conformally.

If you are a privacy professional and want to do your job even better and faster check out Conformally. Manage and collaborate on everything - DPIAs, Vendors, DSARs, Policies, and more. Try free for 7 days.?

Try it free for 7 days

META released the largest "open source" Llama 3 model

Meta has launched Llama 3, an advanced open-source large language model available across major platforms including AWS and Google Cloud. Llama 3 introduces enhanced capabilities like improved reasoning and coding, supported by new safety tools such as Llama Guard 2 and Code Shield. This model boasts advanced reasoning and instruction-following capabilities with significant enhancements over its predecessors through its 8B and 70B parameter models.

However, the claim of Llama 3 being "open source" has sparked debates. According to the Open Source Initiative's definition, open source software should allow free use, modification, and redistribution, but Llama 3’s licensing restrictions seem to contradict these principles by limiting these freedoms.

The associated Acceptable Use Policy (AUP), which is still aligned with Llama 2's guidelines, sets forth stringent conditions to ensure the technology's safe and responsible utilization. This includes prohibitions on illegal activities, infringement of third-party rights, or mishandling sensitive information, highlighting a rigorous compliance requirement across different legal jurisdictions.

The licensing agreement grants users a non-exclusive, worldwide, non-transferable, royalty-free license to use and modify Llama materials, albeit under strict conditions that maintain Meta’s ownership of the underlying technology and limit the commercial use of any developments derived from Llama 3.

One significant stipulation is that if a user initiates litigation against Meta—or any related party—claiming IP infringement by Llama 3 or its outputs, the granted licenses may be terminated. Additionally, users must indemnify Meta against any third-party claims related to their use of Llama.

These licensing terms and the AUP reflect a cautious approach by Meta to retain control over the technology while placing substantial legal and operational responsibilities on the end-users. The limitations of liability and disclaimers of warranty within the license expose users to significant risks associated with deploying Llama 3, necessitating careful consideration of the terms provided.

Source

First International AI Convention endorsed by PACE

The Parliamentary Assembly of the Council of Europe (PACE) has endorsed the final draft of the Framework Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law, but expressed disappointment that it does not comprehensively apply to both public and private sector actors. This draft, which is the first international treaty on AI aimed at guiding national laws globally, now awaits approval from the Council of Europe’s Committee of Ministers.

PACE unanimously supported the convention, noting its potential to regulate AI systems, many of which are developed by private companies. They criticized the draft for creating a loophole by not uniformly applying to private entities and urged that all member states, upon ratification, commit to fully implementing the treaty’s guidelines across all sectors.

Further, PACE recommended amendments to ensure that any AI activities reserved for national security must comply with international human rights law, and advocated for restrictions or bans on AI uses that could threaten human rights. They also proposed adding provisions specifically addressing health and environmental concerns.

The convention, which involved negotiators from EU member states, the EU itself, and non-European nations including the US, Japan, and Australia, is expected to be adopted soon by the Committee of Ministers and subsequently opened for signature and ratification.

Source

Dutch Government May Disconnect Facebook Pages Over Privacy Issues

The Dutch government is considering discontinuing the use of Facebook Pages due to concerns over data privacy, with a potential exit planned before the upcoming summer recess. This decision is influenced by the advice of the Netherlands' data protection authority, which has raised significant questions about the transparency and insightfulness of data processing on the platform.

Alexandra van Huffelen, Dutch state secretary for digital affairs, has been actively engaging with Meta, the parent company of Facebook, to overhaul the way Facebook Pages operate. She stressed the urgency of receiving a satisfactory response from Meta on how it will address these privacy concerns, failing which the government will abandon its use of Facebook Pages.

The concerns originated from an assessment by the data protection authority two years ago, which identified major data protection risks associated with the government's use of the service. Despite ongoing negotiations and Meta's efforts to contest these findings, claiming that the privacy assessment was factually incorrect and misunderstood the functionality of their products, the Dutch government has reiterated its stance.

Meta spokesperson Matthew Pollard responded, asserting that all Meta products undergo reviews to ensure compliance with local laws, and expressed Meta's intent to continue discussions to enable the government's effective use of social media for public communication. However, the Dutch officials are seeking more transparency and better data handling practices from Meta before making a final decision.

Source

Generative AI third call for evidence by UK ICO

The Information Commissioner's Office (ICO) is conducting its third call for evidence as part of a broader consultation series focused on generative AI. This consultation aims to gather insights on how various decisions throughout the generative AI lifecycle can influence the accuracy of the outputs. The feedback obtained will play a crucial role in refining the ICO's regulatory approach to generative AI, slated to inform an upcoming revision of its AI guidelines.

This consultation is open until 5 pm on May 10, 2024, and encompasses a survey structured into three main sections: an overview of the ICO's proposed regulatory approach, details about the respondents and their organizations, and an opportunity for final comments. All collected responses, which will be kept confidential and securely stored on UK servers, may be published without revealing any personal contact details.

The ICO is particularly committed to ensuring that AI technologies operate within frameworks that not only foster innovation but also protect public interests and comply with data protection laws.

To participate in the survey and contribute to shaping the future of AI regulation, please visit this link.

Source

?? Privacy Navigator

We have added new resources to the Privacy Navigator. You can enjoy:

• Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms by EDPB
• Perspectives on Issues in AI Governance by Google
• Deploying AI Systems Securely by NSA

That's all for now, see you next week!

Eli

email:?[email protected]

Schedule a call with me