Latest data protection rulings April 2023
Martin Chamko
"A vital ingredient of success is not knowing what you're attempting can't be done."
Italy Embraces AI: ChatGPT Ban Lifted
The Italian data protection authority (IDPA) took action by imposing a temporary ban on ChatGPT, an AI chatbot developed by OpenAI. IDPA insisted that OpenAI prioritize transparency in informing users about how their data is handled. Furthermore, it stressed the significance of obtaining user consent for using their data in the platform's future development. Additionally, measures to protect minors' data were required. OpenAI expressed its eagerness to collaborate in order to make ChatGPT available to its users in Italy once again.
After the introduction of the changes, the ban on ChatGPT was lifted by the end of April 2023, and the chatbot is now accessible to users in Italy. OpenAI has made significant updates to its chatbot, mainly:
(a) an information notice describing which personal data are processed for training algorithms, and recalling that everyone has the right to opt-out from such processing;
(b) granting users and non-users in Europe the right to opt-out from processing of their data for training of algorithms also by way of an online, easily accessible ad-hoc form; and
(c) including a request to specify one's birthdate in the service sign-up page to block access by users aged below 13 and to request confirmation of the consent given by parents or guardians for users aged between 13 and 18.
Underage TikTok users unprotected
The UK data protection authority (UKDPA) recently conducted a thorough investigation into TikTok's practices regarding the use of their platform by users who are clearly under the age of 13. In the UK, it is required by law to obtain consent from parents or carers when collecting personal data from children under 13 who are using information society services. Unfortunately, TikTok fell short in fulfilling this obligation, even though they should have been aware that underage users were accessing their platform. Moreover, TikTok failed to implement adequate measures to identify and remove these underage users from their platform, despite concerns being raised by some of the company's senior employees. This situation has serious implications, as these young users' personal data may have been used to track and target them with potentially harmful or inappropriate content.
Additionally, UKDPA found that TikTok did not provide clear and easily understandable information to its users regarding the collection, use, and sharing of their data. TikTok failed to ensure that the personal data belonging to its users was processed lawfully, fairly and in a transparent manner.
As a result of TikTok's failure to verify the ages of its users and take appropriate actions to address the issue, UKDPA has imposed a penalty of £12.7 million.
Uber's App ban of drivers backfires
An Amsterdam court ruled in a case brought by drivers against Uber, in which the drivers' accounts were disabled and they were prevented from using the Uber app to provide services to their clients.
Uber uses an automated decision-making system that warns drivers if they inappropriately manipulate the Uber app. If they do not heed this warning, their account is temporarily blocked. As a last resort, it is permanently deactivated.
Uber's software identifies activities such as duplicate accounts, incomplete trips, false fees, manipulation of the Uber app, and trip details based on multiple factors and patterns. After these activities were detected and the accounts irreversibly deactivated, the drivers asked Uber to provide the personal data it had processed and other information that could help them understand the logic behind the decisions.
The automatically generated messages sent by Uber are formulated in a general manner, without mentioning any concrete conduct that forms the basis for decisions. Consequently, the drivers were not heard, and no one approached them to discuss the issue. Uber explained that an internal Risk team oversees the software detecting and issuing warnings but could not demonstrate that each case receives appropriate attention.
The court assessed whether individuals were sufficiently informed of this process and the circumstances surrounding the lawful nature of automated decision-making and profiling, which have legal effects on individuals. Such systems, in general, must not interfere with the legitimate interests of individuals and must involve human intervention that can challenge the final outcome of the decision-making process.
Uber failed to meet the requirement of providing useful information about how their decisions are made, including the reasons behind them and their impact on individuals. They were obligated to disclose general information about the factors considered and their importance in the decision-making process. The provided information should be comprehensive enough to understand the decision without needing complex details about the algorithms involved.
Furthermore, Uber did not adequately substantiate that there was actual human intervention. There was only automated decision-making.
Controversy in antivirus industry
The Czech data protection authority (CZDPA) recently turned its attention to a well-known Czech antivirus company, Avast, due to its subsidiary, Jumpshot, and its questionable practices regarding user data. Avast had assured its users in its privacy policy that their data would either not be transferred or, if it were, it would be anonymized or obtained with their consent. However, this turned out to be far from the truth.
At the time, Avast boasted an impressive 435 million active users, and it intended to monetize their data by offering the information of 100 million users for sale through Jumpshot. This data included details such as visited websites, installed applications, and saved files. It was collected from various devices running Avast antivirus software on Windows, Apple Mac, and Android platforms.
Following the discovery of these practices, Avast has taken swift action since January 2020 to ensure the security and privacy of its users' data. The immediate closure of Jumpshot demonstrates the company's commitment to rectifying the situation. Avast continues to implement proactive measures to prioritize user privacy.
CZDPA imposed a substantial fine of €13.7 million on Avast, which currently stands as the highest fine ever imposed in the Czech Republic and ranks among the top twenty fines worldwide for GDPR violations. The magnitude of the fine can be attributed to two primary factors. Firstly, Avast positions itself as a company focused on data protection and privacy, leading its customers to expect their data to be treated in line with the company's promises. The second factor was the intentional nature of Avast's breach.
Legal / Compliance / Data Protection Counsel
1 year ago
Very interesting privacy briefings, thanks, Martin. Looking forward to what's next in the June edition.