
The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry. 

The role of a DPO: Dismissal and conflicts of interests

The GDPR requires both controllers and processors to appoint a Data Protection Officer (DPO) if they meet one of three criteria set out in Article 37. The application of the criteria is fairly clear and is not often a source of confusion. However, the same cannot be said for the application of Article 38, which relates to the position of the data protection officer.

In our most recent blog we explore the recent Court of Justice of the European Union (CJEU) case relating to dismissal and conflict of interest of the DPO. Read the full blog here.

Italy bans ChatGPT 

The Italian data protection authority (DPA), Garante, has clarified its plans to investigate OpenAI after it outlawed the use of the start-up’s ChatGPT. Some of the complaints involve failing to verify the age of users, but the investigation stems from the potential illegal collection of personal data. The DPA has ordered the temporary ban on the processing of Italian users’ data until OpenAI can ensure that ChatGPT is compliant with the GDPR. Alongside the breach ChatGPT suffered, the DPA found a “serious lack of information to users whose data is collected” and that ChatGPT had “no legal basis that justified the mass collection and storage of personal data” for training purposes.

The ICO fined TikTok £12.7 million over the misuse of children's data.

The Information Commissioner’s Office (ICO) announced on April 4 that it had fined the social media companies TikTok Inc. and TikTok Information Technologies UK Ltd. for violating the UK GDPR. The ICO had intended to fine the company £27 million for failing to protect children’s data, but reduced this to £12.7 million after its investigation. The ICO confirmed that between May 2018 and July 2020, TikTok had breached the UK GDPR by failing to ensure that UK collected data was processed lawfully, fairly, and in a transparent manner; providing its services to children under 13 and processing their data without consent from parents or carers; and failing to provide proper information to individuals about how their data is collected, used, and shared in a way that is easy to understand. You can read the full story here.


ICO's response to the government's AI white paper

On the 11th of April, the ICO published its response to the government’s Artificial Intelligence white paper. In a statement, the ICO made it clear that the government should reduce additional complexities for organisations. The ICO did recommend that the government work through regulators and the Digital Regulation Cooperation Forum (DRCF) to deliver its ambitions. It should then prioritise research into the types of guidance that would be beneficial to a wide range of AI developers before proceeding with the production of the white paper’s proposed joint guidance for businesses. The ICO also welcomed the government’s proposal for the role of the regulators to deliver regulatory guidance or a joint regulatory sandbox. The ICO further added that it welcomes working with the government to ensure that the AI principles are interpreted in line with data protection principles. 

MEPs against the EU-US Data Privacy Framework

In a resolution adopted by the Civil Liberties Committee on April 13, MEPs argued that the European Commission should not grant the United States of America an adequacy decision. Although clarifying that the current agreement is an improvement over the last framework, the MEPs made it clear that it does not go far enough in providing sufficient safeguards. This is because the framework still allows for the bulk collection of personal data in certain situations and does not provide information on data retention. MEPs also note that while the framework did create a Data Protection Review Court, the decisions would be made in secret, which could violate access to and the ability to rectify data. In addition, the independence of the Court was called into question, as the President could overrule its decisions and dismiss the judges. MEPs stressed the importance of not only making this agreement future-proof but also ensuring that it can withstand any legal challenges. You can read the full statement here.

Leaked EU-US plans set to weaken encryption 

Leaked notes from a meeting between EU and US senior officials have raised concern over the plans to undermine encryption and create a de facto ‘access by design’ for law enforcement agencies. Earlier this month, nine civil society organisations wrote to the European Commission recommending a cautious approach and to resist “the clear and deliberate plans to disregard” human rights. The leaked notes reveal that authorities want to influence public opinion around law enforcement’s legitimacy to look at encrypted communication. The fears stem from Europol sharing personal data (including sensitive biometric data), which may not be lawfully collected under the GDPR.


A bill on data brokers has been introduced to the California Senate

Senate Bill 362 will amend a number of sections of the Civil Code as well as add two additional sections. The bill was introduced to the Senate earlier this month and relates to data brokers. If successful, the bill will incorporate the definitions from the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act (CPRA)) into the provisions relating to data brokers in the Civil Code. The new bill would require data brokers to register, pay a fee to, and provide information to the California Privacy Protection Agency (CPPA) instead of the Attorney General; and to compile and disclose specified information relating to requests received under the CCPA as amended. The bill also requires the CPPA to create an accessible deletion mechanism that allows customers to request that every data broker delete their personal data.

Iowa becomes sixth US state to enact comprehensive consumer privacy legislation

Iowa is no stranger to privacy legislation in the United States. The state has been considering comprehensive consumer data privacy laws since its initial attempt in 2020; however, privacy really started to take shape and become a priority in 2023. On March 29, Iowa joined Connecticut, Utah, Virginia, Colorado, and California as the sixth state to approve a comprehensive privacy bill. Organisations will have 21 months to meet the new regulations when the law takes effect on January 1, 2025. Although the new law contains many components that are recognisable from other state regulations, businesses should be aware of variations as they increase their U.S. compliance efforts.


We want you!

To support our ongoing requirement to continuously grow our remarkable and extraordinary #oneteam, we are seeking suitable candidates for the positions of:

  • Data Protection Officer (United Kingdom and Netherlands)
  • Digital Learning Developer
  • and Finance Manager to join our #oneteam 

If you are looking for a new and exciting challenge, apply today!

Keep in touch

Do you have any interesting stories? Are you looking for support with your data protection compliance? We would love to hear from you!

Please email us at news@thedpia.com.


Copyright © 2023 The DPO Centre, All rights reserved. 

You have been sent this newsletter under legitimate interest, for more information please read our Privacy Notice

The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595)
Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom

The DPO Centre, 50 Liverpool Street, London, Greater London EC2M 7PR, United Kingdom
