Privacy Transformation - Issue 194

Curated privacy news, insights & resources, with a focus on Irish and EU developments.


PRIVACY

EU vows to get tougher on Big Tech privacy violations

The European Commission will now require that EU nations share overviews of "large-scale" GDPR investigations every two months. This includes "key procedural steps" and actions taken — national regulators will have to show they're moving forward.

🔗 RELATED:

EDPS: Privacy and data protection too often suspended at EU borders

Privacy and data protection are part of the human rights too often suspended at the borders of the European Union – as long as we continue treating migration as a ‘problem’, fundamental rights will remain compromised, Wojciech Wiewiórowski writes.

Council hashes out secondary use of data in EU health data space

The EU Council has found common ground on the secondary use of data, one of the most crucial aspects for gaining citizens’ trust in the European Health Data Space (EHDS).

Global Privacy State of Play: What to Pay Attention to in 2023

Dr. Gabriela Zanfir-Fortuna analyses what global privacy developments to pay attention to in 2023, including:

  • Enforcement, enforcement, enforcement.
  • The race to AI Regulation, and the AI awakening of DPAs.
  • Seeing the results of ever-more-intertwining Competition and Data Protection Law.
  • Big Intergovernmental Push for Cross-border Data Flows: G7 and G20.

📣 Opinion: One-stop shop places an unmanageable load on one small member state’s underfunded data regulator

Is the General Data Protection Regulation (GDPR) one-stop shop mechanism for dealing with complaints fit for purpose? Ireland has unfortunately provided most of the evidence in the “no” corner.

Coming Soon: GDPR-like Privacy Regulation In Ukraine

Taking the GDPR as a reference for privacy reform is seen as a sensible move. The GDPR is a regulation that most companies operating in Ukraine aim to comply with, and therefore setting mirrored requirements is business-friendly. In addition, the GDPR outperforms current Ukrainian legislation in terms of data subject protection.


SECURITY & TECH

Meta's EU data transfer case faces Article 65 dispute resolution mechanism

The fate of Meta's data transfers to the U.S. could hinge on an Article 65 dispute resolution mechanism in the EU, after Ireland's Data Protection Commission was unable to resolve objections from other EU data protection authorities to its draft enforcement decision.

'We hacked the hackers': Gardaí assist in operation to bring down ransomware gang

The Garda National Cyber Crime Bureau has been part of an internationally supported operation targeting the Hive Ransomware Group. Operation Downbreaker has shut down the servers and technical infrastructure utilised by the group.

🔗 RELATED: Hive ransomware disrupted after FBI hacks gang's systems

🔍 Insights: Tackling the AI regulatory challenge

Eduardo Ustaran analyses the AI regulatory challenge.

The CNIL creates an Artificial Intelligence Department and begins to work on learning databases

The CNIL is creating an Artificial Intelligence Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI.

📣 Opinion: EU’s proposed CE mark for software could have dire impact on open source

The EU’s proposed Cyber Resilience Act (CRA), which aims to “bolster cybersecurity rules to ensure more secure hardware and software products,” could have severe unintended consequences for open source software, according to leaders in the open source community.

Reality Check: How is the EU ensuring data protection in XR Technologies?

Data processing in XR environments implicates the fundamental rights to respect for private life and personal data protection under the EU Charter of Fundamental Rights (Charter) and triggers the application of the General Data Protection Regulation (GDPR), as well as other new and pending EU laws governing data and the digital environment.

Twitter research group stall complicates compliance with new EU law

The stalling of a Twitter program that was critical for outside researchers studying disinformation campaigns throws into question the company's strategy to comply with upcoming regulation in Europe, former employees and experts told Reuters.

French privacy chief warns against using facial recognition for 2024 Olympics

The French data protection authority's president Marie-Laure Denis warned Tuesday against using facial recognition as part of the 2024 Paris Summer Olympics security toolkit.

UK NCSC: Weekly Threat Report

The NCSC's threat report is drawn from recent open source reporting.


ENFORCEMENT

Significant GDPR rulings from the Finnish DPA and the ECJ

  • Case 1 (Finland): First decision from the Finnish DPA regarding the use of Google Analytics.
  • Case 2 (Finland): The Finnish DPA fines debt collector agency; biggest administrative fines imposed in Finland since the entry into force of the GDPR.
  • Case 3 (Finland): ECJ ruling on the right of data subject to know to whom his/her data has been disclosed (Case C-154/21).

ICO: Former RAC employee fined for stealing data of victims of road traffic incidents

A former employee of breakdown services company RAC has pleaded guilty and been fined for stealing the data of victims of road traffic accidents.


GUIDANCE & OPINIONS

EDPS: Opinion on the Proposal for a Council Regulation on jurisdiction, applicable law, recognition of decisions and acceptance of authentic instruments in matters of parenthood and on the creation of a European Certificate of Parenthood


RESOURCES

🎙 Podcast: DPC: Data Protection Day 2023 - FAQ Podcast

This Data Protection Day, Deputy Commissioner Graham Doyle is joined by Deputy Commissioner Ian Chambers (Head of Regulatory Activity in the DPC), to take a look at some of the more frequently asked questions relating to data protection.

US NIST publishes AI Risk Management Framework 1.0

The U.S. took a big step in the development of a national artificial intelligence strategy with the release of the U.S. Department of Commerce National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework 1.0, Jan. 26.

Access Artificial Intelligence Risk Management Framework 1.0

ENISA Report: Engineering Personal Data Sharing

This report attempts to look closer at specific use cases relating to personal data sharing, primarily in the health sector, and discusses how specific technologies and considerations of implementation can support the meeting of specific data protection.


CONTRIBUTE

Have an interesting article, book, video, podcast or other resource that you would like to share with your fellow privacy practitioners? Please do drop me a note!