While EU officials & MEPs have spent the last 20 hours continuously negotiating prohibitions under the AI Act, lo & behold the Court of Justice of the EU deciding that there is already a prohibition on individual automated decision-making based on personal data in the #GDPR 🤭1/

https://twitter.com/eucourtpress/status/1732684725582533046

Per the Court: “Scoring’ is a mathematical statistical method used to predict the probability of future behaviour, such as the
repayment of a loan” 🫢 & such scoring amounts to #ADM as regulated under Article 22 #GDPR, which the Court clarifies contains a PROHIBITION 2/

⚡️Breaking news from the EU & #GDPR land: the Italian Data Protection Authority #GarantePrivacy issued an order today against OpenAI, effectively blocking #ChatGPT in Italy (ordering it not to use personal data of Italians). Here is a deep dive into the short order - 1/ What did the Italian DPA #GarantePrivacy found problematic with ChatGPT4?
- Lack of transparency
- Absence of a lawful ground for processing
- Not respecting accuracy
- Lack of age verification
- Overall breach of Data Protection by Design
Why for each? A short explainer:
2/

Almost 5 years after the GDPR came into force, this is probably the most significant enforcement decision to date - following complaints made on May 25, 2018 (!), the day the GDPR came into force. The Irish DPC fined Meta 390 million euros, but this is not about the fine. 1/

https://twitter.com/DPCIreland/status/1610652507038154754

I'm reading now through the detailed press release - have not found yet the text of the decision published. Let's go:
The fine is split - 210 million euro for breaches related to Facebook, and 180 million euro for breaches related to Instagram. 2/

At long last, the European Commission published today the draft Adequacy Decision for the Transatlantic Data Privacy Framework of the U.S., including the new EO and DOJ Regulations & the Privacy Shield Principles. Final Decision expected in 5-6 months 1/ commission.europa.eu/document/e5a39… My first meta-comment: it looks like the "data privacy" denomination finally entered official terrain in the EU-US data protection world. The framework for which adequacy is granted is officially called the "EU-US Data Privacy Framework" or the "DPF" 2/

Is data localization coming to the EU? Maybe. The EDPB & EDPS in their latest joint Opinion - on the EU Health Data Space Proposal, make the argument that they can't fully exercise their powers if personal data is not localized in the EU 1/x
edps.europa.eu/system/files/2… They say that the “control of compliance with the requirements of protection and security by an independent supervisory authority *cannot be fully ensured in the absence of a requirement to retain the data in question within the EU*” (para 102 of the Opinion). 2/

Now that we have the text of the #DMA published, let me point out a couple of outstanding provisions that have data protection implications & that show why this Regulation concerns all businesses & platform users, not only gatekeepers. Let's go 🧵 1/?
consilium.europa.eu/media/56086/st… First of all, check out the list of Core Platform Services that may pull a business into the gatekeeper class (Art 2). Notably including web browsers, virtual assistants, & *online advertising services*, e.g. Exchanges, as long as they are provided by a business offering a CPS 2/

And it dropped! Here it is, the official proposal of the @EU_Commission for an AI Regulation:
#AIRegulation
#EUAIReg
1/
digital-strategy.ec.europa.eu/en/library/pro… Per art. 1 the draft reg covers:
- placing on the market
- putting into service
- use of AI systems in the Union
Does this leave out training of AI? Possibly. But when they're trained w personal data, no worries. The GDPR applies.
2/

Time to pay close attention to #China & #India's comprehensive #DataProtection bills. Why? Because they are coming probably by the end of 2021, they are giving 'data subject' rights to app 2.7 billion people & they legislate DP where the US is absent: 1/ linkedin.com/posts/iapp---i… In this panel that opened the #GPS2021 online sessions for @PrivacyPros, I explore with Barbara Li and Malavika Raghavan @teninthemorning some of the context & background leading to these two legislative developments in China and India, as well as the burning topics of ... 2/

A couple of things I would keep in mind on this saga:
1) The 1st Constitutional Courts which declared unconstitutional the data retention laws transposing the defunct directive, did so in 2009, 2010 & 2011: 1st, the Romanian Const Court ❤️, then the German and Czech Const Courts.

https://twitter.com/LauKaya/status/1383096780213092352

2) Before them, the Bulgarian Supreme Administrative Court annulled a provision of the data retention national law in 2008.
What do these countries have in common? A history of suffering under surveillance states & no rule of law. Maybe they know this leads to bad stuff?

I see a bit more interesting interaction between data protection rules and the #DigitalMarketsAct. Two points: (1) the obligation for gatekeepers to refrain from combining personal data from any other services offered by the gatekeeper or w PD from 3rd-party services, unless 1/ "unless the end user has been presented with the specific choice and provided consent in the sense of the GDPR" (Art. 5(a) of the proposal). And 2) the obligation for gatekeepers to submit to COM an annual independent audit w a description of the user profiling techniques 2/ #DMA

And the text fo the long awaited #DigitalServicesAct Proposal is here! One day early, thanks to @SamuelStolton and his sources. One key thing to note is that the DSA is clearly without prejudice to both the GDPR and the ePrivacy Directive... euractiv.com/wp-content/upl… 1/n #DSA which technically means that it applies on top of them and in case of conflict, the provisions in the #GDPR and the ePrivacy Directive prevail. There are 2 areas of interaction that immediately pop-up. First, the rules on recommender systems and online advertising 2/n #DSA

Momentous development in EU law for the digital market: the EU Commission is expected to publish today the #DataGovernanceAct proposal for a Regulation. From a new European Board, to fiduciary duties, to data intermediaries, data cooperatives (!) and data altruism… 1/ There are plenty of things to look out for! Here is my top list of hot topics, based on the leaked version that circulated among Brussels tech media a couple of weeks back. First: lots of “data sovereignty” undertones to key rules, sometimes sliding into data localization … 2/n

Big thanks to @ddoneda @rafa_zanatta @brunobioni @RenatoLeiteM and Laura Schertel Mendes for enlightening us at @futureofprivacy about the complexity of the Brazilian jurisdictional system and the wondrous ways in which the #LGPD takes a life of its own ... 1/n ... within the federalized legal system, where consumer protection agencies, big and small, have a strong tradition of enforcing consumer rights, where Prosecutors from the Public Ministry - federal and regional, have the power to bring #LGPD breaches to Court ... 2/n

The CJEU clearly upheld its string of serious data protection cases against gov access to personal data, starting with Digital Rights Ireland, then Schrems I, then Tele2Sverige, EU-Canada PNR Opinion. If you knew those decisions, the outcome of the PS assessment is no surprise. The surprise was that the Court decided to go full strength on in this particular case, after the AG has given it a way out to postpone the assessment of the PS and focus on SCCs. Clearly, the Court saw an inextricable link between the two. The other option would have been...

A couple of things I noted in today's GDPR review report published by the European Commission that I find interesting:
1) The One Stop Shop mechanism came out of it stronger than I would have expected; technically, ~it needs more time to become effective~
ec.europa.eu/info/sites/inf… 2) There are two potential legislative updates mentioned on the long run, both of them very narrow: harmonizing the age of consent for children for online services and record keeping by SMEs. COM is giving the GDPR more time to settle in before considering any serious reviews.

Worrying news from Brazil 🇧🇷 The Fake News bill being discussed by Congress imposes mandatory social media account ID registration (!) and seems to be aiming to strict data localization and data retention obligations. 1/5
#LGPD #GDPR #privacy If you thought mandatory SIM card registration is bad, this is worse. All social media users would have to provide valid Brazilian ID or passports if they’re foreigners & a Brazilian phone number to be able to open a user account. 2/5

Andrea Jelinek, Chair of @EU_EDPB, said there are currently 70 cross-border cases w final decisions, proving that OSS works; ‘these are not spectacular cases in terms of fines’ though #CPDP2020 #OneStopShop #GDPR Most of these +70 cases are related to the rights of the data subject (erasure & access), followwd by cases related to data breach notifications.

I still can't stop being amazed by the 1973 HEW Report, which recommended a US Federal Code for Fair Information Practice. Check this out - it recommended all those goodies that are currently a GDPR trademark, starting with having some sort of DPO in place 1/ : Have data security measures in place and only share personal data with third parties after ensuring the third party has appropriate safeguards in place 2/

With my last drop of CJEU judgments brainpower for the week, here are some key points from the global takedown of #Facebook defamatory comments case published yesterday #Glawischnig Long thread alert! 1/x curia.europa.eu/juris/document… Setting the scene: this is not a data protection or #privacy case. This is a case concerning deletion of information, but grounded on defamation. It is irrelevant for the case at hand that those comments contained personal data, even if they did. 2/

@winfriedveil @PrivacyMatters @WieseSvanberg @hartzog It is not me or you who ultimately say #EUDataP is about control or not. We are not talking about an intellectual construct here, but about a fundamental right distinct than privacy, protected at constitutional level in the European Union. A constitutional order which 1/14 @winfriedveil @PrivacyMatters @WieseSvanberg @hartzog is guaranteed by the Court of Justice of the EU, which beautifully laid out in several of its cases what this right is and is not. Look for example at para 48 in Nowak, where the Court explains that data protection principles are “reflected” 2/14

The #EDPB published the *long awaited* draft #GDPR Territorial Scope #Guidelines today, which also have a section dedicated to the “legal representative” issue. Some takeaways below ⬇️ Thread time 1/14 edpb.europa.eu/sites/edpb/fil… An “establishment” of a non-EU entity in the EU doesn't require a registered branch/subsidiary. Any stable arrangements will be taken into account 4 data protection law purposes.But merely the fact that the company’s website is accessible from the EU is not an "establishment"2/14