Privacy and AI weekly - Issue 17

This Friday on Privacy and AI weekly

Privacy

- EU Commission opinion on legitimate interests

- DSK (Germany) issues FAQs about Facebook fan pages

- European DPAs get Facebook Data Transfer Decision by Irish DPC

- Italian Data Protection Supervisory Annual Report 2021

- UK Data Reform

- Data Protection event: Alpine Privacy Days

- Officine Dati: Il Consenso: il Labile Confine tra Legittimità nel Mondo Digitale

- Sistema de cumplimento de la normativa de privacidad (by Manuel Castilleja Toscano)

Artificial Intelligence

- The Danish supervisory authority evaluates the legal basis for an AI tool intended to be used for profiling by public bodies



PRIVACY

EU Commission opinion on legitimate interests

The EU Commission reportedly invited the Autoriteit Persoonsgegevens (Dutch DPA) to change its strict stance on legitimate interest.

Last week the Dutch newspaper NRC Handelsblad reported that the Commission sent a letter to the Dutch SA in 2020, after the SA issued guidance considering that purely commercial interests should be excluded from the scope of the GDPR’s legitimate interest basis for processing personal data.

Dutch SA position:

Interests are only legitimate if they stem from a legal provision, otherwise there is no legitimate interest that can be considered in the balancing test.

Concrete examples where LI cannot be used as legal basis (NL interpretation):

- processing personal data for purely commercial interests,

- profit maximisation,

- monitoring employee conduct without legitimate interest,

- tracking the (purchasing) behaviour of (potential) customers.

This interpretation was applied in the case VoetbalTV (EUR 575.000 fine, 2020), which was later overturned by a local judge and awaits a final decision from a Dutch administrative court.

The Commission, citing several cases where the notion of legitimate interests was interpreted by the CJEU, argued that the interpretation from the Dutch SA would hinder business and would have severe consequences in their ability to process personal data since this would require “to collect consent from the data subject in every case where an economic interest is pursued”.

The Commission invited the SA to readjust the language of the guidance note to clearly reflect that commercial interests can be regarded as ‘legitimate’ interests when (subject to a concrete balancing) they are not overridden by the fundamental rights and freedoms of the data subject.

Access the Commission letter here



DSK (Germany) issues FAQs about Facebook fan pages

Meta fan pages are sometimes used for business purposes, replacing or complementing a company website.

Problematic aspects

- FB delivers targeted ads based on user profiles and interactions

- FB and fan page creators are joint controllers (ECJ “Wirtschaftsakademie”), so they are jointly responsible for the processing of personal data

- as joint controllers, they must sign an agreement (art. 26 GDPR), and the current Addendum published by Facebook does not meet those requirements

- however, fan page creators do not know the processing operations, including transfers to non-EU countries

- fan page operators, as joint controllers, are responsible for complying with their obligations under the GDPR. However, this is not possible

- it seems that the only way to comply with GDPR is to deactivate the fan pages

Access the DSK FAQs here (automated translation)



European DPAs get Facebook Data Transfer Decision by Irish DPC

The Irish data protection authority (Data Protection Commissioner) issued a Draft Decision under Article 60 GDPR (cooperation mechanism) concerning Facebook's (Meta's) EU-US data transfers in light of FISA 702 and the Snowden disclosures.

According to Politico "The Irish Data Protection Commission on Thursday informed its counterparts in Europe that it will block Facebook-owner Meta from sending user data from Europe to the U.S. The Irish regulator’s draft decision cracks down on Meta’s last legal resort to transfer large chunks of data to the U.S., after years of fierce court battles between the U.S. tech giant and European privacy activists"

European data protection authorities now have one month to evaluate the draft decision and decide on the matter.

Source: Politico


Italian Data Protection Supervisory Annual Report 2021

The most relevant interventions

- Online protection of minors: the supervisory action on the age of registration to social networks continued in the past year. The Authority imposed measures on TikTok to keep very young users off the platform, by removing hundreds of thousands of accounts of subscribers under the age of thirteen.

- Biometric data and facial recognition: the Authority fined Clearview, a company specializing in facial recognition that acquires data on the web, € 20 million and banned the use of biometric data and the monitoring of Italians. Regarding the use of facial recognition systems for public security purposes, the Authority opposed the use of the Sari Real Time system because it lacks the necessary safeguards to protect the freedom of individuals and does not comply with data protection legislation. It authorized the use of body cams by the Police, but without the use of biometric data.

- Cyberattacks: the Authority drew the attention of public administrations and companies to the need to invest in security and provided indications, in particular, on how to defend themselves against ransomware, software that takes an electronic device "hostage" and then "frees" it against the payment of sums of money.

- Data breaches: the data breaches notified to the Authority in 2021 by public and private entities are significant: 2071 (an increase of about 50% compared to 2020), many of which related to the dissemination of health data, which also led to sanctions. The Authority's interventions in this area also concerned large social platforms such as Facebook and LinkedIn.

The most frequently encountered phenomena are: the spread of ransomware-type malware, which has compromised the availability of data within the server systems, workstations and databases of numerous public and private organizations and which, in some cases, has also impacted the confidentiality of the information processed; unauthorized or illegal access to personal data processed within complex information systems; and the accidental disclosure of personal data due to incorrect configurations of e-mail management software.

- New Technologies: the work carried out to ensure the protection of online data continued, in particular with regard to the possible risks associated with the use of digital assistants, installed on smartphones or present in our homes, with the smart glasses launched by Facebook, and with the use of drones for private or public safety purposes. Investigations have been opened on the new forms of data collection for reputational rating purposes. With regard to online profiling, the Authority approved, after a public consultation, new guidelines on information and consent for the use of cookies.

Breakdown of the corrective measures

Source here



UK Data Reform

The UK Government published its response on Brexit reforms to UK Data Protection law in June 2022.

This is an excellent summary of the UK Gov's response to the Brexit reform consultation and how it impacts organisations' governance of UK GDPR, DPA and PECR.

Link to the video by Robert Baugh



Data Protection event: Alpine Privacy Days

MLL Legal, Signatu and BULL are co-organising a privacy conference out of the ordinary: Alpine Privacy Days, 14 – 17 September 2022 in Zuoz, Switzerland.


Highly professional, practical, intimate discussions and unique networking in a fun and interactive format. All sessions are led by leading lecturers and practitioners.

The following speakers are already confirmed:

Bruno Gencarelli from the European Commission,

Dr. Anna Zeiter, LL.M. from eBay,

Lukas Bühlmann from MLL Legal,

Jutta O. from Google,

David Sturzenegger from Decentriq,

Axel Anderl from DORDA Rechtsanwälte GmbH,

Georg Philip Krog from Signatu,

Rob van Eijk from Future of Privacy Forum,

Lee Andrew Bygrave from University of Oslo (UiO),

Carmen De la Cruz from Swiss Digital Law Community,

Federico Marengo from White Label Consultancy,

Kristian Foss from BULL,

Andreea Lisievici from Boeing.

More information and registration: https://lnkd.in/eTKq-ATX


Officine Dati: Il Consenso: il Labile Confine tra Legittimità nel Mondo Digitale

Only a few days left until the next #OfficineDati event, which will be held on Tuesday 12 July at 17:30 at the #Greenhouse of Deloitte in Milan, Via Tortona n°25.

- Riccardo Acciai | Head of the Telematic Networks and Marketing Department and of the Freedom of Expression and Cyberbullying Department at the Autorità Garante per la protezione dei dati personali

- Tommaso Stranieri | Partner at Deloitte Risk Advisory

- Giovanni Guerra | Lawyer specialising in data protection law, DPO - Cerved Group S.p.A.

- Giovanni Ziccardi | Lawyer, Professor of Legal Informatics - Università degli Studi di Milano

Moderators:

- Rosario Imperiali | President of Officine Dati

- Anna Cataleta | Vice President of Officine Dati

To attend in person at the #Greenhouse of #Deloitte, you need to send an email to [email protected] and wait for confirmation. (Only a few places left)

The event will also be streamed live on the Zoom platform at this link: https://lnkd.in/eba8HZTT

(No registration is required; simply connect at the time of the event using the link above)

More information is available on the #OfficineDati website by clicking here: https://lnkd.in/eDmSfe8A



Sistema de cumplimento de la normativa de privacidad (by Manuel Castilleja Toscano)

A few days ago Manuel Castilleja Toscano (head of Privacy Driver) sent me a book he recently published.

First of all, I would like to renew my congratulations on the initiative and on having finished the book. Finding time to write a book nowadays is in itself something to be celebrated, and it deserves my applause.

The second congratulation is due to the content of the book. The book not only includes the basic European-level concepts that every privacy professional must know; for professional work it is also vital to know the specific regulations of the jurisdiction in which one practises and, above all, certain practical aspects that one only discovers after exasperating hours behind the keyboard. This book combines those three aspects in an exemplary and concise way.

I hope to finish reading it this weekend, but the first impression is very encouraging.

Once again, many thanks, Manuel, for the gesture, and congratulations on the initiative!



ARTIFICIAL INTELLIGENCE

The Danish supervisory authority evaluates the legal basis for an AI tool intended to be used for profiling by public bodies

On 4 May 2022, the Danish Agency for Labor Market and Recruitment (STAR) requested the Danish Data Protection Agency to assess the question of the municipalities' authority to use the AI profiling tool Asta.

The Asta tool carries out a statistical analysis of the citizen in order to estimate the duration of the unemployment benefits claims.

In general, the following information is available:

  • Information from the citizen's CV plays a significant role. The highest level of education, language skills, but also the connections between education, experiences and job goals ("I am looking for a job as").
  • The citizen's previous job also plays an important role, as the tool looks, e.g., at how many geographical regions the citizen has applied for a job in, as well as how often an application has led to a job interview.
  • Finally, information about the citizen's possible previous contact processes also plays a role.
  • Personal data about the citizen, e.g. age, gender and need for interpreters are also included.

On the legal basis:

Legitimate interests do not apply to processing carried out by public authorities in the performance of their tasks.

Consent cannot constitute the legal basis. The Danish Data Protection Agency considers that the citizen's consent cannot form the basis for processing in accordance with the Data Protection Regulation (GDPR), since the citizen's consent in the context in question cannot be considered voluntary.

Provision on the exercise of authority. The Danish Data Protection Agency, on the other hand, considers that the municipalities' authority to process personal data - when they use the Asta tool - is the Data Protection Ordinance's provision on the exercise of authority, which presupposes implementation in national legislation if the tool is to be used. If special categories of personal data are processed, the prohibition on the processing of such data will only apply in cases where there are significant societal interests, which also presupposes that the processing is authorized by national law.

Source here (Danish)



ABOUT ME

I'm a data protection consultant currently working for White Label Consultancy. I previously worked for TNP Consultants and Data Business Services. I have an LL.M. (University of Manchester), and I'm a PhD candidate (Bocconi University, Milano). As a PhD researcher, my research deals with the potential and challenges of the General Data Protection Regulation to protect data subjects against the adverse effects of Artificial Intelligence. I also serve as a teaching assistant in two courses at Bocconi University.

I'm the author of “Data Protection Law in Charts. A Visual Guide to the General Data Protection Regulation”, an e-book released in 2021. You can find the book here.

Excellent weekly update.

Georg Philip Krog

Pioneering AI-Driven Data Privacy, Security & Compliance | Creator of Data Privacy and Security Standard Vocabularies and Ontologies | Founder of Signatu | Transforming Legal Tech into Business Advantage

2 years ago

Great as always, Federico!

Robert Baugh

Keepabl's SaaS is Privacy-in-a-box for busy professionals operationalising governance at their organisation, see how at keepabl.com

2 years ago

Another excellent newsletter Federico Marengo thank you for all you do in our space. And thank you for referring to our Privacy Kitchen video on the Brexit reforms! Link in Federico's (highly recommended) newsletter.
