?? 2024-W41: Five New CJEU Rulings, California with 17 New Laws for GenAI, Ryanair Under EU Investigation and more

Hi privacy navigators,

Here is the latest from the ???Privacy Navigator ?- your one-stop destination for everything privacy. Another week full of news and resources passed by.

In today’s edition:

• Five New CJEU Rulings: A Turning Point for GDPR Compliance
• California with 17 New Laws to Govern the Future of GenAI
• Ryanair Under EU Investigation for Facial Recognition Use in Bookings
• Meta Glasses Privacy Breach: AI-Powered Facial Recognition Reveals Personal Data

Five New CJEU Rulings: A Turning Point for GDPR Compliance

What happened

The ?Court of Justice of the European Union (CJEU) has issued five significant new rulings on 4 October 2024, shaping the interpretation of GDPR across various areas. Here’s a brief overview:

• C-21/23, Lindenapotheke: The court ruled that GDPR violations can be treated as unfair commercial practices, enabling legal action under national unfair competition laws.
• C-621/22, KNLT: The CJEU confirmed that commercial purposes can qualify as a legitimate interest under GDPR, but data processing must be strictly necessary and balanced with individual rights.
• C-446/21, Schrems vs Facebook: Meta and other companies must minimise personal data usage for advertising, limiting how long and how much data they can store and use.
• C-200/23: The court determined that a handwritten signature qualifies as personal data, and non-material damages don’t require tangible harm to claim compensation.
• C-507/23: The ruling established that an apology can count as compensation for non-material damages, with no regard for the controller’s intent or attitude.

Look out for the next edition of Privacy Navigator Resources, where we’ll dive deeper into each case and its implications for privacy professionals.

Read more here .

NAVIGATE PRIVACY RESOURCES

Did you know that Privacy Navigator gives you much more than news in your inbox?

Research any topic using the Privacy Navigator in three easy steps:

1. Start an advanced search

Click the advanced search button below the search bar. If you want to make your search quicker you can start typing directly in the search bar.

2. Narrow down your search

For this example, let’s research data protection impact assessments [1]. After briefly browsing the resources, you can narrow them down by keyword [2], or resource type [3]. You can always reset the filters [4].

In this case, let’s show only guidelines.

3. ?Check the latest DPA decisions

To complete your research, you can find DPA decisions across the EU and the UK by using our Fine Tracker . Simply Select the country [1], sector [2], or the type of violation [3]. If you want a broader search, you can skip some of the filters.

The last step is to open the file by clicking “see more” [4].

TRY IT FOR FREE

All the above research tools are completely free. No subscription, no registration.

California with 17 New Laws to Govern the Future of GenAI

What happened

California has taken a bold step in regulating Generative AI (GenAI) with the signing of 17 new bills over the past 30 days, making it the most comprehensive legislative effort in the country.?

Governor Gavin Newsom announced a series of initiatives aimed at advancing safe and responsible GenAI technology while protecting Californians from potential risks.?

The new laws address several key areas, such as:

• combatting AI-generated misinformation,
• protecting children and workers,
• requiring AI watermarking to prevent deepfakes.
• use of GenAI in healthcare and elections, requiring transparency and disclosures when AI is used in sensitive decisions or communications.
• assessments of potential threats GenAI poses to critical infrastructure, such as power and water systems, with new measures codified in SB 896.
• creation and distribution of AI-generated sexually explicit content without consent will qualify as a crime.

Education is another key focus, with new legislation requiring schools to include AI literacy in their curricula, preparing students to navigate and understand this rapidly evolving technology.

Read more here .

Ryanair Under EU Investigation for Facial Recognition Use in Bookings

What happened

On 4 October 2024, Ireland’s Data Protection Commissioner (DPC) launched an EU-wide investigation into Ryanair’s use of facial recognition technology for verifying the identity of customers booking through third-party websites.

The inquiry was triggered by multiple complaints from customers across the EUwho were asked to provide additional verification when booking tickets through online travel agents (OTAs) not directly affiliated with Ryanair.

Ryanair, Europe’s largest airline by passenger numbers, defended the practice, stating that the additional verification process is necessary to protect customers from unauthorized OTAs that may provide incorrect contact or payment information.

The company offers an alternative to facial recognition, allowing passengers to submit a form with a photo of their passport or ID card in advance, although this process can take up to seven days. This additional verification is not required for bookings made directly through Ryanair’s website, mobile app, or OTAs with a commercial agreement with the airline.

Why it matters

This investigation raises critical questions about the use of biometric data for identity verification in the travel industry and whether Ryanair’s process aligns with GDPR regulations, potentially impacting customer trust and the use of facial recognition in future travel bookings across Europe.

Read more here .

Meta Glasses Privacy Breach: AI-Powered Facial Recognition Reveals Personal Data

What happened

Harvard student, AnhPhu Nguyen, has turned $379 Meta Ray-Ban 2 smart glassesinto a real-time privacy nightmare.?

Using the glasses' livestreaming feature, Nguyen connects them to a computer running AI-powered facial recognition software that identifies people on the street in an instant.?

Within seconds, his system scours the internet, pulling up personal details like names, addresses, phone numbers, and even social security numbers from public databases and online sources. The results are sent directly to his phone, creating a real-life version of Cyberpunk 2077 where anyone can become a walking dossier.

Nguyen insists he's doing this to raise awareness about the dangers of unchecked AI and facial recognition technology.

He’s even shared tips on how to remove your personal data from some of the databases he uses. But the ease with which he can extract and compile sensitive information, using nothing more than off-the-shelf tech and publicly available software, paints a disturbing picture of what could lie ahead.

Read more here .

That's all for now, see you next week!

Eli

email:?[email protected]

Schedule a call with me