#GDPR

#GDPR

This week in Other Barks & Bites: Senator Thom Tillis (R-NC) returns to lead the Senate IP Subcommittee during the 119th Congress; the Federal Circuit finds that Judge Boyle of Eastern North Carolina erred in admitting untimely expert reports and reassigns the case on remand for objectionable statements by the judge; the CJEU clarifies the rights of online marketplace operators to protect personal data under the General Data Protection Regulation;

If your partner in Munich mishandles customer data, or your reseller in Paris uses a "black box" AI tool to generate deceptive ads, it isn't just their reputation on the line. It's yours. With the EU AI Act now in full swing and GDPR entering its "mature enforcement" era, the distance between a partner's mistake and your company's $20 million fine has never been shorter.

The United Grand Lodge of England (UGLE) and other groups representing the secretive organisation in England, Wales, the Isle of Man and the Channel Islands have pushed back against plans, announced earlier this month, to make Freemasonry membership a declarable association. It will mean officers and staff are required to declare membership past or present of any organisation that is hierarchical, has confidential membership and requires members to support and protect each other.

The EU has extended its adequacy decision, allowing data sharing with and from the UK under the General Data Protection Regulation for at least six more years. This will be some relief to techies in the UK and the member state block and beyond whose work or product set depends on the frictionless movement of data between the two, especially as they can point to the 2031 expiration date as a risk managing aspect to backers and partners. But the move does have its critics.

The core of the problem lies in a direct and irreconcilable legal conflict. The US CLOUD Act of 2018 allows American authorities to compel US-based technology companies to provide requested data, regardless of where that data is stored globally. This places European organizations in a precarious position, as it directly clashes with Europe's own stringent privacy regulation, the General Data Protection Regulation (GDPR).

The groups cite a "high volume" of data errors linked to the eVisa scheme, which they say amount to both operational failures and serious data protection breaches. In one documented case referenced in the letter, the passport details, contact information, and immigration status of a Canadian citizen were wrongly disclosed to a Russian woman. Other failures have seen migrants locked out of their eVisa accounts, with no effective support from the Home Office and no clear way to escalate urgent issues.

The European Commission has been accused of a massive rollback of the EU's digital rules after announcing proposals to delay central parts of the Artificial Intelligence Act and water down its landmark data protection regulation. If agreed, the changes would make it easier for tech firms to use personal data to train AI models without asking for consent, and try to end cookie banner fatigue by reducing the number times internet users have to give their permission to being tracked on the internet.

A coalition of reporters obtained the dataset, offered as a free sample from a data broker, containing 278 million location data points from the phones of millions of people around Belgium. Much of the location data is uploaded by ordinary apps installed on a person's phones, which is sold to data brokers. Those data brokers then sell that data to governments and militaries.

We are a Berlin company with international employees working on decentral collaborative AI services in real estate. We change how people live and work, by making buildings think and act adaptive to occupant needs. It is not another App. We save highest possible energy and run AI in compliance with GDPR. We look for developers who know AI on edge as well as power of Edge&Cloud.

You can't outsource accountability, but many organizations are doing just that, often without even realizing it. This is especially the case when it comes to data. As businesses rely more heavily on third-party suppliers to store, move, and manage their data, the risk of something going wrong multiplies. Whether that's compliance, the ability to restore lost data, or susceptibility to cyber attack.

Under the GDPR, "personal data" is broadly defined and includes both directly identifiable information (e.g., names, contact details) and indirectly identifiable information (e.g., IP address, unique IDs). "Pseudonymous data" constitutes personal data if individuals can be identified using "reasonably likely" means - taking into account all objective factors such as cost, time, and available technology. By contrast, "anonymous data" is information which does not relate to an identified or identifiable individual.

On September 1, France's CNIL imposed a fine of EUR 325M on Google for displaying advertisements between Gmail users' emails without their consent and for placing cookies when creating Google accounts, without valid consent of French users. Following a complaint filed by the organization None Of Your Business on August 24, 2022, the CNIL conducted several inspections between 2022 and 2023 on Gmail messaging service and on the process of creating a Google account.

Privacy policy templates are pre-written documents that simplify the creation of legally compliant privacy policies for websites, apps, and online businesses, ensuring transparency for users.

Last year, Meta paused training its AI models on EU public content due to privacy concerns, emphasizing compliance with GDPR and user rights.