Per art. 1 the draft reg covers:
- placing on the market
- putting into service
- use of AI systems in the Union
Does this leave out training of AI? Possibly. But when they're trained w personal data, no worries. The GDPR applies.
Other rules in scope of the regulation:
- prohibitions of certain AI systems (!)
- requirements for high-risk AI systems
- transparency rules for AI intended to interact w people
- rules on market monitoring and surveillance. 3/
Time to pay close attention to #China & #India's comprehensive #DataProtection bills. Why? Because they are coming probably by the end of 2021, they are giving 'data subject' rights to app 2.7 billion people & they legislate DP where the US is absent: 1/ linkedin.com/posts/iapp---i…
In this panel that opened the #GPS2021 online sessions for @PrivacyPros, I explore with Barbara Li and Malavika Raghavan @teninthemorning some of the context & background leading to these two legislative developments in China and India, as well as the burning topics of ... 2/
...data localization, international data transfers, private rights of action and enforcement. There was so much more to talk about - we promise to be back with a follow-up and a deeper dive into individual data subject rights and other practical topics. Why the time pressure? 3/
A couple of things I would keep in mind on this saga: 1) The 1st Constitutional Courts which declared unconstitutional the data retention laws transposing the defunct directive, did so in 2009, 2010 & 2011: 1st, the Romanian Const Court ❤️, then the German and Czech Const Courts.
2) Before them, the Bulgarian Supreme Administrative Court annulled a provision of the data retention national law in 2008.
What do these countries have in common? A history of suffering under surveillance states & no rule of law. Maybe they know this leads to bad stuff?
3) The ECJ tried to avoid the problem in a couple of cases, looking at formal issues & competence of the EU to act, when 1st looking at the 2006 Directive.
It couldn’t avoid it any longer when 2 other Constitutional-level tribunals sent it Qs : Austria & Ireland.
I see a bit more interesting interaction between data protection rules and the #DigitalMarketsAct. Two points: (1) the obligation for gatekeepers to refrain from combining personal data from any other services offered by the gatekeeper or w PD from 3rd-party services, unless 1/
"unless the end user has been presented with the specific choice and provided consent in the sense of the GDPR" (Art. 5(a) of the proposal). And 2) the obligation for gatekeepers to submit to COM an annual independent audit w a description of the user profiling techniques 2/ #DMA
There are also data sharing obligations with third parties, including personal data, which are quite interesting. In fact, one of them speaks of "continuous and real time access" offered to business users (Art. 6(1)(i)) #DSA 3/
which technically means that it applies on top of them and in case of conflict, the provisions in the #GDPR and the ePrivacy Directive prevail. There are 2 areas of interaction that immediately pop-up. First, the rules on recommender systems and online advertising 2/n #DSA
Both of these certainly rely on processing of personal data. But it seems there is broad convergence between the existing #EUDataP regime and the proposed #DSA, especially in relation to transparency and rights to explanation 3/n #DSA
Momentous development in EU law for the digital market: the EU Commission is expected to publish today the #DataGovernanceAct proposal for a Regulation. From a new European Board, to fiduciary duties, to data intermediaries, data cooperatives (!) and data altruism… 1/
There are plenty of things to look out for! Here is my top list of hot topics, based on the leaked version that circulated among Brussels tech media a couple of weeks back. First: lots of “data sovereignty” undertones to key rules, sometimes sliding into data localization … 2/n
Exhibit A: The title regulating the re-use of data held by public sector bodies allows such re-use by different actors “within the Union”, with an additional specification that “the processing of such data shall be limited to the European Union” 3/
... within the federalized legal system, where consumer protection agencies, big and small, have a strong tradition of enforcing consumer rights, where Prosecutors from the Public Ministry - federal and regional, have the power to bring #LGPD breaches to Court ... 2/n
... where there is a long tradition of class actions, with actually very few barriers to proceed in Court from an admissibility and costs perspective, where the Supreme Constitutional Court recognized this year an autonomous fundamental right to data protection... 3/n
The CJEU clearly upheld its string of serious data protection cases against gov access to personal data, starting with Digital Rights Ireland, then Schrems I, then Tele2Sverige, EU-Canada PNR Opinion. If you knew those decisions, the outcome of the PS assessment is no surprise.
The surprise was that the Court decided to go full strength on in this particular case, after the AG has given it a way out to postpone the assessment of the PS and focus on SCCs. Clearly, the Court saw an inextricable link between the two. The other option would have been...
to show the weaknesses of the Privacy Shield and give the Commission and the US government time to act/react, while sharpening Commission's attention to the rest of the world too, with Chinese-based apps taking more and more of the European market very recently.
A couple of things I noted in today's GDPR review report published by the European Commission that I find interesting: 1) The One Stop Shop mechanism came out of it stronger than I would have expected; technically, ~it needs more time to become effective~ ec.europa.eu/info/sites/inf…
2) There are two potential legislative updates mentioned on the long run, both of them very narrow: harmonizing the age of consent for children for online services and record keeping by SMEs. COM is giving the GDPR more time to settle in before considering any serious reviews.
3) There seems to be a preoccupation for clarifying rules related to processing of personal data for research and for the public good, particularly in relation to health - this being mentioned a couple of times in the report. #healthdata
Worrying news from Brazil 🇧🇷 The Fake News bill being discussed by Congress imposes mandatory social media account ID registration (!) and seems to be aiming to strict data localization and data retention obligations. 1/5 #LGPD#GDPR#privacy
If you thought mandatory SIM card registration is bad, this is worse. All social media users would have to provide valid Brazilian ID or passports if they’re foreigners & a Brazilian phone number to be able to open a user account. 2/5
It also aims to impose data retention obligations for internet connection logs (!) for 1 year by ISPs and 6 months by online applications. Plans for EU Adequacy post-LGPD may be … problematic. See CJEU in Digital Rights Ireland curia.europa.eu/juris/document… 3/5 #dataretention#GDPR
Andrea Jelinek, Chair of @EU_EDPB, said there are currently 70 cross-border cases w final decisions, proving that OSS works; ‘these are not spectacular cases in terms of fines’ though #CPDP2020#OneStopShop#GDPR
Most of these +70 cases are related to the rights of the data subject (erasure & access), followwd by cases related to data breach notifications.
One of the main challenges for smooth functioning of OSS are differences in national peocedural laws. ‘Resolution of cross border cases is time & resource consuming & intensive’ #CPDP2020
I still can't stop being amazed by the 1973 HEW Report, which recommended a US Federal Code for Fair Information Practice. Check this out - it recommended all those goodies that are currently a GDPR trademark, starting with having some sort of DPO in place 1/ :
Have data security measures in place and only share personal data with third parties after ensuring the third party has appropriate safeguards in place 2/
And it even recognized some sort of portability rights. Yes, #portability! 3/
Setting the scene: this is not a data protection or #privacy case. This is a case concerning deletion of information, but grounded on defamation. It is irrelevant for the case at hand that those comments contained personal data, even if they did. 2/
Fun fact: the #GDPR specifically excludes from its scope of application those situations which also fall under the scope of liability rules for intermediary service providers, Art 12 to 15 from eCommerce Directive, precisely what the CJEU was asked to interpret. 3/
@winfriedveil@PrivacyMatters@WieseSvanberg@hartzog It is not me or you who ultimately say #EUDataP is about control or not. We are not talking about an intellectual construct here, but about a fundamental right distinct than privacy, protected at constitutional level in the European Union. A constitutional order which 1/14
@winfriedveil@PrivacyMatters@WieseSvanberg@hartzog is guaranteed by the Court of Justice of the EU, which beautifully laid out in several of its cases what this right is and is not. Look for example at para 48 in Nowak, where the Court explains that data protection principles are “reflected” 2/14
@winfriedveil@PrivacyMatters@WieseSvanberg@hartzog in accountability obligations of the controller & in the rights that are conferred to the person to know about the processing, see the data, to request correction and even to object. Speaking of the right to object, it’s one of clearest manifestations of control in #EUDataP 3/14
An “establishment” of a non-EU entity in the EU doesn't require a registered branch/subsidiary. Any stable arrangements will be taken into account 4 data protection law purposes.But merely the fact that the company’s website is accessible from the EU is not an "establishment"2/14
A processor in the EU is not deemed to be an “establishment” of the non-EU controller in the EU. The existence of the controller-processor relationship does not trigger the application of the #GDPR to the non-EU controller 3/14