Berry Picks in IT Law #25

On the precipice of changing the newsletter heading to Berry Picks in Data Protection & Privacy, this week and most weeks 🤫

🔏 Data Protection & Privacy

The European Data Protection Supervisor published an opinion on the Product Liability Directive (“PLD”) and the AI Liability Directive (“AILD”) Proposals. The EDPS recommends equal protection for individuals harmed by AI systems, whether these AI systems are produced and/or used by EU institutions or private entities. The opinion also suggests that the procedural safeguards in the AILD Proposal apply universally to AI damages, and emphasizes the need for transparent information disclosure, upholding data protection laws, and considering measures to ease the victim’s burden of proof. The EDPS also advocates for shorter review periods in both the AILD and PLD Proposals.

The Croatian Supervisory Authority imposed an administrative fine on a debt collection agency for failure to comply with the GDPR. The debt collection agency lacked adequate technical measures in their main database to detect irregular activities, violating Article 32 of the GDPR. They improperly processed data of non-debtors and recorded health data of certain individuals, contradicting their own privacy policies and breaching several GDPR articles. Moreover, between May 2018 and January 2019, they recorded phone conversations of about 50,000 individuals without a clear legal basis, further infringing on GDPR regulations.

The CJEU dismissed the application for interim measures seeking the suspension of the EU-U.S. Data Privacy Framework adequacy decision. The decision comes after Philippe Latombe filed against the transfer agreement and subsequent adequacy decision. The court stated that Latombe failed to demonstrate the specific or collective damage caused by the agreement. The decision on the merits is to follow ⏳

The UK-US data bridge came into force (fanfare? not sure). The EU-US Data Privacy Framework is an opt-in certification scheme for US companies. This new framework replaces the previous “Privacy Shield” established in 2016. The UK established a data bridge specifically for the “UK Extension to the Data Privacy Framework”, permitting certified US companies to receive UK personal data. The US Attorney General designated the UK as a ‘qualifying state’ under a particular executive order. This permits UK individuals to access a new redress mechanism if they believe their data has been unlawfully accessed by US national security authorities. Brexit diaries do not grow old. Wish upon a shooting star?

🛒 E-Commerce & Digital Consumer

A court in Illinois ruled in favor of the Federal Trade Commission (FTC) against a telemarketing company for making illegal calls to individuals on the Do Not Call Registry. The court discovered that these companies purchased contact details, primarily from job-seeking websites, and made unsolicited marketing calls. They were also found to have assisted and facilitated other telemarketing companies by paying them to make approximately 40 million calls. The court found that the defendants knowingly violated the Telemarketing Sales Rule, and ignored repeated complaints from consumers and warnings from business partners.

The European Commission formally issued a request for information to X under the DSA due to concerns about the spread of illegal content. The DSA’s regulations for VLOPs include managing risks tied to the spread of harmful content. X is now to provide more information regarding its crisis response. The DSA requires VLOPs to implement systems and tools to address risks of certain content. It does not, however, warrant removal of content on the views of the Commission and subsequent censorship. What an interesting start to the DSA game.

📄 Recommended Readings

Here’s a couple –in no particular order– of recent publications that piqued my interest this week. Remember to grab a cuppa and settle in for some riveting reading.

Code as personal data: implications for data protection law and regulation of algorithms by Nadezhda Purtova & Ronald Leenes

Rising Above Liability: The Digital Services Act as a Blueprint for the Second Generation of Global Internet Rules by Martin Husovec

Disclaimer: I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.

If you have any thoughts or suggestions on how to make this digest more enjoyable, feel free to drop a line. Your feedback is always welcome!

Featured image generated using Midjourney.

Sena Kontoğlu Taştan

IT law enthusiast and researcher.
