The Garantepublished its 2023 activity report focusing on digitalisation, AI, aggressive telemarketing, vulnerable subjects, and health data protection. Key actions included the initial block of ChatGPT, suspension of the Replika chatbot, and an investigation into the Sora AI model. Efforts continued on age verification on social media and developing cybersecurity guidelines with the National Cybersecurity Agency. In 2023, 2037 data breaches were reported (37% public, 63% private). The Garante imposed heavy fines for aggressive telemarketing, handled 9,281 complaints, conducted 144 inspections, and issued 394 sanctions totaling €8 million in fines. Press Release → (in Italian)
Following the EDPB’s cookie banner taskforce report, noybreleased a Consent Banner Report comparing the taskforce’s findings with positions from 15 national DPAs. The report highlights the need for clear cookie reject options, the illegality of pre-ticked boxes, and issues with nudging through different colored buttons. Learn more →
CNIL commissioned a study on alternative advertising models and the decline of third-party cookies. The study examined which models might replace third-party cookies and the associated risks. It identified seven solutions: Google’s Privacy Sandbox, substitution identifiers, contextual targeting, cohort targeting, retail media, user account-driven environments, and paywalls. Press Release →(in French)
2) Notable Case Law
The Austrian Data Protection Authority (DSB) published the Federal Administrative Court’s (BVwG) judgment in Case BVwG to No. W137 2248575-1/31E, which upheld a fine for an appellant failing to facilitate the exercise of data subject rights by using a mandatory contact form. The fine was reduced to €500,000 considering minor negligence and cooperation during the proceedings. (in German)
noyb filed a complaint against Microsoft’s Xandr with the Italian Garante for GDPR infringements, alleging violations of transparency, right of access, and holding inaccurate user information. The complaint highlights Xandr’s failure to comply with GDPR access requests. Read more →
3) New and Upcoming Legislation
Published in the Official Journal, the AI Act will come into force on August 1, 2024, however it will fully apply by August 2, 2026, with phased provisions starting from February 2025. These include bans on certain AI systems, regulations for general-purpose AI, and high-risk AI systems in various sectors. The European AI Office will oversee implementation.
4) Strong Impact Tech
The European Commission requested information from Amazon under the DSA regarding measures taken to ensure transparency of recommender systems, ad repository maintenance, and risk assessment compliance. Read more →
The European Commission has issued preliminary findings to Meta regarding its “Pay or Consent” model, stating it breaches the Digital Markets Act (DMA). The Commission found that Meta’s model forces users to consent to the combination of their personal data without offering a less personalized but equivalent alternative. Under Article 5(2) of the DMA, gatekeepers must obtain user consent for combining personal data and provide an equivalent alternative if consent is refused. Gatekeepers cannot condition service use or certain functionalities on user consent. Press Release →
Other key information from the past weeks
In a significant move to protect consumer privacy, the Federal Trade Commission (FTC) has finalized an order against Avast, a software provider, banning the company from selling or licensing web browsing data for advertising purposes.Follow this news →
The US Federal Trade Commission (FTC) has escalated a complaint against TikTok and its Chinese parent company, ByteDance, to the Department of Justice over potential breaches of children’s privacy regulations. Full details →
