2024-W21: First international AI treaty adopted, Colorado's AI Act, Spanish DPA with new fine and more

Hi privacy navigators,

Here is the latest from the Privacy Navigator, your one-stop destination for everything privacy. Another week full of news and resources has passed. Here are the highlights:

Historic AI Treaty Adopted to Safeguard Human Rights and Democracy

On May 17, 2024, the Council of Europe adopted the first-ever international treaty focused on regulating artificial intelligence (AI), marking a significant milestone in the global governance of AI technologies. This treaty, known as the "Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law," aims to establish a comprehensive legal framework to ensure AI systems uphold fundamental human rights and democratic values.

Key provisions:

  • Global Reach: The treaty, adopted in Strasbourg, is open to the 46 Council of Europe member states and 11 non-member states including the US, Japan, and Canada.
  • Risk-Based Approach: It requires a careful evaluation of the negative consequences of AI systems throughout their design, development, usage, and decommissioning.
  • Sector Coverage: Applicable to both public and private sectors, the treaty mandates transparency, accountability, and human rights safeguards.
  • Regulatory Flexibility: Countries can either directly adhere to the treaty's provisions or implement alternative measures that align with their legal systems.
  • Protecting Democracy: Measures must be taken to prevent AI from undermining democratic institutions and processes.
  • Human Rights Focus: Ensures equality, prohibits discrimination, and provides legal remedies for human rights violations involving AI.
  • Oversight Mechanisms: Each party must establish independent oversight to ensure compliance, raise awareness, and foster public debate on AI use.

The treaty will be open for signature on September 5, 2024, in Vilnius, Lithuania, during a conference of Ministers of Justice, signaling the beginning of a new era in AI governance.

Source

See the full text of the Convention here.


This week's edition is sponsored by Conformally.

Are you a privacy professional looking to elevate your efficiency and productivity?

Discover Conformally – the ultimate tool for effortless privacy management. Put DSARs, DPIAs, ROPAs and much more on autopilot.

Let Conformally take the hassle out of your workflow, so you can focus on what truly matters.

LEARN MORE HERE



Colorado First to Regulate AI Across Critical Sectors

On May 17, 2024, Colorado Governor Jared Polis signed SB24-205, the Colorado AI Act, into law. This groundbreaking legislation makes Colorado the first state in the U.S. to adopt comprehensive regulations for artificial intelligence (AI) across critical sectors. While other states, like Utah, have enacted AI-specific laws, Colorado's AI Act sets a new benchmark with detailed requirements for developers and deployers of high-risk AI systems.

The Colorado AI Act targets "high-risk artificial intelligence systems" that significantly influence decisions in employment, education, financial services, government services, healthcare, housing, insurance, and legal services. These systems are deemed high-risk if they can lead to differential treatment based on protected classifications like age, race, and sex.

Key Obligations:

For Developers:

  • Disclosures and Documentation: Provide information on harmful uses, system limitations, and training data to deployers. Publish public statements on AI systems and risk mitigation strategies.
  • Risk Disclosures: Inform the Attorney General (AG) and deployers of new algorithmic discrimination risks within 90 days of discovery.

For Deployers:

  • Risk Management: Implement comprehensive risk management policies, conduct regular impact assessments, and notify consumers when AI systems influence decisions.
  • Consumer Rights: Offer consumers the right to opt-out of profiling and provide explanations and data corrections for adverse decisions.

The Colorado AI Act will take effect on February 1, 2026, giving businesses time to adapt. The Colorado AG will enforce the law and develop further regulations to ensure rigorous oversight.

Source

See the text of the Colorado AI Act here.



Minnesota Enacts Comprehensive Consumer Data Privacy Law

On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782), making Minnesota a pioneer in AI and data privacy regulation. Sponsored by Representative Steve Elkins, the bill now awaits Governor Tim Walz's signature.

Among the Act's key features, it grants consumers rights that go beyond most state laws, such as the ability to question profiling decisions and to access a list of the third parties that received their data. Controllers are required to maintain data inventories and document their compliance policies. The legislation applies to businesses that process the data of more than 100,000 consumers or derive 25% of their revenue from data sales, excluding small businesses as defined by the SBA.

Consumers can utilize universal opt-out mechanisms, and controllers are prohibited from providing sensitive data upon access requests. Additionally, it mandates clear opt-out methods, comprehensive online privacy notices, and thorough documentation of privacy practices.

Enforcement of the bill will be handled by the Attorney General, with no private right of action and a thirty-day right to cure violations until January 31, 2026. The effective date for most provisions of the bill is July 31, 2025, with specific exemptions for postsecondary institutions until July 31, 2029.

Source



Spanish DPA Fines 4Finance €600,000 for Security Failures

The Spanish Data Protection Authority (AEPD) has fined 4Finance Spain Financial Services, S.A.U. (the controller) €600,000 for failing to implement adequate security measures, including the lack of two-factor authentication when approving loans. The controller acknowledged its fault and paid a reduced fine of €360,000.

The background story:

On August 10, 2022, a data subject alerted 4Finance of an unsolicited loan in their bank account. By September 1, the company had received 10 similar complaints. Despite conducting internal risk assessments, the controller decided not to notify the AEPD or affected parties, deeming the breach low-risk.

Between February 3 and 23, 2023, the AEPD received various complaints about unsolicited loans. On February 14, 4Finance became aware of a data breach affecting 9,636 data subjects, involving sensitive information such as names, birth dates, national identification numbers, and payment data. The breach resulted from a brute force attack that exploited weak security measures. Attackers took out loans in victims' names and contacted them via WhatsApp, requesting refunds to attacker-controlled accounts. In total, 139 individuals fell victim to this fraud.

The company notified the AEPD of the breach but did not consider it high-risk. The AEPD initiated an investigation on April 11, ordering the controller to inform affected data subjects, which it did the same day.

In response, 4Finance registered the incident, filed a police report, updated clients, reset user passwords, and implemented two-factor authentication. The AEPD found violations of Articles 5(1)(f) and 32 GDPR due to the sensitive nature of the data and inadequate security measures. The lack of two-factor authentication was deemed a serious oversight.
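The AEPD decision turns on a pattern that a login service can see in its own authentication logs before any loan is issued: repeated failed logins from one source, many accounts tried from one source, and a success that follows a burst of failures. The following detector is an added example written for this newsletter; it is not code from 4Finance, the AEPD or the original post. The log line format, the thresholds, the five-minute window and the sample log entries are all constructed assumptions chosen for illustration.

```python
"""Brute-force login detection over authentication log lines.

Added example; not from the newsletter, 4Finance or the AEPD.
The log format, thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line layout: ISO timestamp, account, source IP, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=5)   # sliding window length (assumed value)
IP_FAIL_THRESHOLD = 10          # failures from one source IP within WINDOW
USER_FAIL_THRESHOLD = 5         # failures against one account within WINDOW
SPRAY_DISTINCT_USERS = 8        # distinct accounts tried from one IP within WINDOW


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "OK",
    }


def detect_bruteforce(lines):
    """Return alerts as (kind, key, iso_timestamp), at most one per kind and key.

    Kinds: ip_bruteforce (many failures from one IP), account_bruteforce (many
    failures against one account), password_spray (one IP cycling through many
    accounts) and success_after_failures (a login that succeeds right after a
    burst of failures against that account, the pattern behind a takeover).
    """
    ip_fails = defaultdict(deque)    # src  -> deque of (timestamp, None)
    user_fails = defaultdict(deque)  # user -> deque of (timestamp, None)
    ip_users = defaultdict(deque)    # src  -> deque of (timestamp, user)
    seen = set()
    alerts = []

    def add_alert(kind, key, ts):
        if (kind, key) not in seen:
            seen.add((kind, key))
            alerts.append((kind, key, ts.isoformat()))

    def trim(dq, now):
        # Drop entries older than WINDOW; entries are (timestamp, payload).
        while dq and now - dq[0][0] > WINDOW:
            dq.popleft()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        now, user, src = ev["ts"], ev["user"], ev["src"]
        for dq in (ip_fails[src], user_fails[user], ip_users[src]):
            trim(dq, now)

        # Every attempt, failed or not, counts toward the spray check.
        ip_users[src].append((now, user))
        if len({u for _, u in ip_users[src]}) >= SPRAY_DISTINCT_USERS:
            add_alert("password_spray", src, now)

        if ev["ok"]:
            if len(user_fails[user]) >= USER_FAIL_THRESHOLD:
                add_alert("success_after_failures", user, now)
            continue

        ip_fails[src].append((now, None))
        user_fails[user].append((now, None))
        if len(ip_fails[src]) >= IP_FAIL_THRESHOLD:
            add_alert("ip_bruteforce", src, now)
        if len(user_fails[user]) >= USER_FAIL_THRESHOLD:
            add_alert("account_bruteforce", user, now)
    return alerts


# Constructed sample log: one normal login, a burst against "bob" that ends in a
# success, a second IP cycling through ten accounts, and one isolated failure.
SAMPLE_LOG = (
    ["2023-02-14T10:00:00Z login user=alice src=198.51.100.7 result=OK"]
    + [f"2023-02-14T10:01:{i:02d}Z login user=bob src=203.0.113.5 result=FAIL" for i in range(6)]
    + ["2023-02-14T10:01:30Z login user=bob src=203.0.113.5 result=OK"]
    + [f"2023-02-14T10:02:{i:02d}Z login user=user{i} src=203.0.113.9 result=FAIL" for i in range(10)]
    + ["2023-02-14T10:30:00Z login user=carol src=198.51.100.8 result=FAIL"]
)

if __name__ == "__main__":
    for kind, key, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts} {kind} {key}")
```

The `success_after_failures` alert is the one worth routing to a human: a lockout or rate limit stops the noisy part of the attack, but a success that follows a burst of failures is exactly the moment at which a second factor would have blocked the login, and it is the event that should trigger a password reset and a check of any transaction the session went on to make.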

Source


Privacy Navigator

We have added new resources to the Privacy Navigator. You can enjoy:

That's all for now, see you next week!

Eli

email: [email protected]

Schedule a call with me

Stacy Petrova

I'll help your business get and stay privacy compliant.

9 months

This week's newsletter is packed with essential updates! The historic AI treaty is a game-changer for safeguarding human rights. Great work, Eli Atanasov, CIPP/E, PhD
