Berry Picks in IT Law this week sees artificial intelligence in the spotlight, for a lot of professions as well as lawyers. So much so, it’s been allocated a featured story spot. Also, we now apparently provide songs for the background. Sensory delight.
🪩 Featured Story
“Breaking news: the Italian Data Protection Authority has banned ChatGPT” – it was quite literally, the biggest piece of news across circles that had anything even remotely to do with AI. Though it’s not the first instance the Italian Authority banned an AI-powered application in 2023. The Italian Data Protection Authority (“GPDP”) had ordered Replika, an AI-powered chatbot app, to bring processing of data in accordance with the GDPR, earlier this year.
This time, the GPDP imposed an immediate temporary limitation on the processing of Italian users’ data by OpenAI and is giving them 20 days to comply with the GDPR.
🔎 Bases of the GPDP’s decision:
🔑 No legal basis for the processing of personal data in order to ‘train’ the algorithms
😶🌫️ Lack of transparency: no information is provided to users and data subjects whose data are collected by Open AI.
🗑️ Lack of accuracy: the processing of personal data of the data subjects is incorrect as the information provided by ChatGPT does not always correspond to the actual data.
🧸 Lack of age verification mechanisms: although terms published by OpenAI specifically provide that services are for those over 13, there are no filters in place. And that use by those under 13 would “expose them to absolutely unsuitable answers with respect to the degree of development and self-awareness.”
Curious to see how OpenAI will handle this.
🤖 Artificial Intelligence
The UK government has announced its Artificial Intelligence Regulation White Paper. The policy objectives contain five main principles for regulators to apply using sector-specific expertise: (1) safety, security and robustness (2) transparency and explainability (3) fairness (4) accountability and governance, and (5) contestability and redress. Post-Brexit UK is again parting ways from the EU approach. Whilst the EU seeks to impose prescriptive governance obligations depending on type of artificial intelligence systems, the UK will seek to set a broad set of principles and have regulators (like the ICO, FCA, etc.) develop their own sector-specific guidelines. Now playing: Bye Bye Baby (Baby Goodbye)
🔏 Data Protection & Privacy
Meta is switching its data processing bases from contractual necessity to legitimate interest. Meaning users in the EU will now have an option to opt-out of behavioral advertising. The change follows the Irish Data Protection Commission’s findings, and the binding decision of the EDPB earlier this year that stated behavioral advertising is not required for performance of a contract. grabs popcorn
CJEU rules live streaming by videoconference of classes in state school education falls within the scope of the GDPR, and national legislation cannot constitute a “more specific rule”. The Court is of the view that the application of national provisions on processing of employees’ personal data in the employment context must be disregarded where those provisions do not comply with the conditions and limits laid down in the GDPR. Unless the provisions constitute a legal basis, obvs.
Facebook’s settlement in the Cambridge Analytica suit is granted a preliminary approval. The $725 million settlement will be the end to the high-profile class action lawsuit. The lawsuit claims Facebook illegally shared user data with the research firm Cambridge Analytica and other third parties, and mislead users about its privacy practices.
France ratified the Council of Europe Convention 108+. Convention 108+ is also known as the modernisation of Convention 108. Its main objective being to deal with challenges resulting from the use of new information and communication technologies and to strengthen the Convention’s effective implementation. Bienvenue!
🔐 Cybersecurity
The European Union Agency for Cybersecurity (“ENISA”) launched a new cybersecurity tool for SMEs to help assess their level of cybersecurity maturity. The tool includes cybersecurity evaluation and a personalised action plan to help organisations benefit from tailor made follow-up actions to increase their cybersecurity levels.
ENISA published a cybersecurity market analysis of the cloud and an updated version of the cybersecurity market analysis framework. Key findings include challenges in assessing the provision of cloud cybersecurity services, inconsistencies in perception between supply and demand, and a scarcity of skills as a significant barrier for the adoption of cloud cybersecurity. The updated version of the cybersecurity market analysis framework was simplified and further explains steps to perform cybersecurity market analyses.
📄 Recommended Readings
Here is a concise list –in no particular order– of recent publications that caught my eye this week.
Copyright Content Moderation in the EU: Conclusions and Recommendations by João Pedro Quintais, Christian Katzenbach, Sebastian Felix Schwemer, Daria Dergacheva, Thomas Riis, Péter Mezei & István Harkai
Pandemics and Platforms: Private Governance of (Dis)Information in Crisis Situations by Matthias C. Kettemann & Marie-Therese Sekwenz
I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.
Featured image generated using Midjourney.
2 thoughts to “Berry Picks in IT Law #16”