Plenty of news to discuss as we approach the summer! The EU officially adopted the long awaited AI Act, worker unions challenged Amazon over workplace surveillance in 11 EU countries, and the EDPB took what looks like a somewhat strict stance on ChatGPT (and foundational models in general).
Without further ado, let's dive in!
- EU finalizes AI Act
- EDPB weighs in on ChatGPT
- Trade unions challenge Amazon workplace surveillance
- Meta collects data for AI training, faces legal challenge
- Spanish watchdog suspends Meta election tools
- CJEU upholds data retention, AG weighs in on Meta
- AWS invests billion on EU sovereign cloud
- Journalists bring surveillance case against Northern Ireland police
- US still debating Chinese data collection
- Greek authority fines ministry over data breach
- ByteDance fights TikTok divestment
the EDPB took a somewhat strict stance on ChatGPT
EU finalizes AI Act
The Council of the European Union adopted the AI Act. The long anticipated Act forbids certain AI applications and subjects “high risk” applications to certain compliance obligations, including an obligation to assess their impact on fundamental rights. Furthermore, general purpose AI (that is, the foundation models at the heart of generative AI) face specific requirements and deepfakes must be labeled as such.
The long anticipated Act is the first law of its kind and is likely to set an example for policy makers worldwide. However, some features of the Act have been criticized, including its excessive reliance on self-regulation and its broad exemptions for law enforcement.
The April Monthly incorrectly reported that the AI Act was finalized in March. I apologize for the confusion.
EDPB weighs in on ChatGPT
The European Data Protection Board published its report on the work of the ChatGPT task force. While the document addresses the ongoing investigation on ChatGPT, it deals with compliance issues common to foundational models and is quite likely to impact other companies.
The report is complex and nuanced but seems to hint at a rigorous position overall. Particularly, the Board stresses that “technical impossibility cannot be invoked to justify non-compliance” with the GDPR. In other words, privacy watchdogs probably won’t show too much leniency when it comes to hard (and possibly unsolvable) problems such as the right to erasure and the right to accuracy.
The Board started looking into ChatGPT’s compliance issues last year when the Italian privacy watchdog imposed (and later lifted) a ban. The Italian investigation is still ongoing, along with parallel investigations in other Member States.
Trade unions challenge Amazon workplace surveillance
Trade unions from 11 EU countries are challenging Amazon over workplace surveillance.
The tech giant employs notoriously invasive workplace surveillance technology. Not long ago Amazon was fined for €32M in France for severe violation of workers’ privacy. As if it wasn’t enough, the EU Parliament recently revoked badges for Amazon lobbyists after the company refused to engage in dialogue with MEPs over working conditions in Amazon facilities.
Meta collects data for AI training, faces legal challenge
Meta is developing new AI features for Facebook and Instagram and changed its privacy policy to reflect the use of personal data for training. Users of the platform have been notified about the changes and may “object” to the use of their data for training purposes.
Anecdotally, Meta seems to be accepting objections at lightning pace and regardless of their content. In practice, the system is effectively an opt-out disguised as an objection.
Privacy NGO noyb has already challenged Meta’s new privacy policy on several grounds, including the lack of opt-in consent from users.
Spanish watchdog suspends Meta election tools
In more Meta-related news, the Spanish data protection authority (AEPD) provisionally ordered Meta to suspend the deployment of two election tools (“Election Day Information” and “Voter Information Unit”) on its social platforms. The Italian regulator is also investigating the tool.
The suspension order is based on privacy concerns including excessive data collection, the sharing of data with third parties, and an overall lack of clarity.
Little is known about the tools. The company’s blog does not mention them, although it states that a “Voter Information Unit” and an “Election Day Reminder” were implemented ahead of the recent South African election.
CJEU upholds data retention, AG weighs in on Meta
The Court of Justice upheld a French data retention law in a case involving privacy NGO La Quadrature du Net. The law allows ISPs to retain IP addresses which authorities can later access in order to prosecute copyright infringements. According to the NGO, the ruling departs from the Court’s own case law on data retention and raises issues with the preservation of online anonymity.
In other CJEU-related news, Advocate General Rantos weighed in on a case on Meta’s targeted advertising. Rantos accepted some of Meta’s arguments but still concluded that sensitive data were used unlawfully by Meta. That being said, the case is still pending and the AG’s opinion is not binding on the Court of Justice.
AWS invests billion on EU sovereign cloud
AWS announced an almost €8B investment on its EU sovereign cloud. While AWS already offers a data localization option, the sovereign cloud will allow for more separation of EU data and will limit access to EU-based Amazon staff.
The compliance burdens for transferring personal data and the regulatory uncertainty surrounding US data transfers have made localization desirable for many companies. US giants including Amazon, Microsoft, Oracle, and Google are investing heavily in European infrastructure to tap into this demand
Journalists bring surveillance case against Northern Ireland police
A London court is investigating allegations that the Northern Ireland Police** covertly monitored two journalists **in an attempt to uncover their sources. According to a witness, the two are among the targets of a broader surveillance operation against journalists who carried out unwanted investigations.
US still debating Chinese data collection
Even after the TikTok ban, the debate on US-China data flows shows no signs of boiling down. The House passed a bill aiming to prevent US companies from doing business with certain Chinese biotech firms in order to prevent the sharing of American healthcare data. Meanwhile, Commerce Secretary Gina Raimondo stated that the U.S. is considering banning or imposing restrictions on Chinese connected vehicles .
Incidentally, a report by the Mozilla Foundations found that data privacy practices across the car industry are absolutely terrible, and a recent article from The Markup highlighted some of the very tangible harms of these practices. Maybe banning all vehicles from spying on their owners would be a better approach?
Greek authority fines ministry over data breach
The Greek privacy watchdog fined the interior ministry €400.000 for leaking about 20.000 email addresses of expatriate voters in 2023. The addresses were used by a Greek politician to forward emails to voters and invite them to subscribe to her newsletter.
ByteDance fights TikTok divestment
As announced and expected, Chinese giant ByteDance challenged the new US law forcing it to divest ownership in TikTok. According to Reuters, ByteDance would rather leave the US market than sell the TikTok platform if the legal challenge were to fail.