The DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues.
The DPIA newsletter is a round-up of the most interesting and need-to-know privacy issues from the past two weeks. A quick 3-minute read to keep you on top of the news.
Knowledge nuggets for busy privacy professionals
Lead generation and the GDPR: Are you compliant?
Targeting potential customers and generating sales is essential for the growth of any business, but there are strict rules about how this can be done in the context of data protection laws. If you are a business operating in the EU and UK markets, GDPR compliance is vital. In our latest blog, we cover the key areas you need to consider, including lawful bases, managing consent, and the additional requirements under the electronic communications legislation.
King Charles III gave his first speech as monarch at the State Opening of Parliament on 7 November 2023. Included in the speech was the Data Protection and Digital Information (No. 2) Bill, which reached the report stage in the House of Commons in the previous session. The GDPR reform aims to ‘create an innovative and flexible data protection regime.’ The speech also highlighted how businesses will be able to ‘protect personal data in more proportionate and practical ways than under the EU’s GDPR.’
Critics argue the Bill will weaken data subjects’ rights. In an open letter published in July 2023, civil rights groups and privacy specialists warned the European Commission that the DPDI Bill will turn the UK into a ‘leaky valve’ and the data protection rights of EU citizens will be undermined.
International AI safety agreement reached at Bletchley Park
On 1 November 2023, at the AI Safety Summit at Bletchley Park, Buckinghamshire, an international agreement on AI safety was confirmed between 28 jurisdictions, including the EU, the US, and China. The Bletchley Declaration is a world-first agreement that establishes a shared responsibility to understand and manage the potential risks of AI development. Bias and privacy were topics covered, with an agenda focused on building risk-based policies in the respective countries. Critics have highlighted the lack of detail and the absence of any actionable points for building an effective regulatory framework.
Tech giant Meta announced the launch of a paid, ad-free monthly subscription service for Facebook and Instagram users in the EU, EEA, and Switzerland. The new subscription option, introduced in a bid to comply with the GDPR, will be available in November. Users can still use the platforms free of charge, but the free option includes personalised ads. The Court of Justice of the European Union (CJEU) stated that users must have the option to individually decline non-essential data processing during the contract process, without having to forgo the entire service from Meta, suggesting that an alternative service, possibly for a fee, should be available without such data processing.
The European Commission has chosen Oracle Cloud Infrastructure services for EU institutions, sparking questions about consistency and security. Despite Commissioner Thierry Breton’s emphasis on digital sovereignty, the decision allows the US-based company to provide cloud services to EU institutions in a 6-year framework agreement. The Commissioner has defended his decision, citing a multi-cloud strategy that enables institutions to select providers based on their specific needs. However, non-EU cloud vendors may fall short of the highest assurance level of the European Cloud Services certification, raising concerns about the Commission’s standards versus its practices.
H&M fined by Sweden's IMY for direct marketing
On 19 October 2023, the Swedish Authority for Privacy Protection (IMY) imposed a fine of SEK 350,000 (approx €30k) on retailer Hennes & Mauritz GBC AB (H&M) for violating the General Data Protection Regulation (GDPR). Following complaints about direct marketing, the IMY found that the company had failed to provide clear and comprehensive information about the processing of personal data. This included not obtaining valid consent from individuals regarding marketing activities and not offering a straightforward opt-out. The IMY’s decision highlights the importance of transparency and respect for individual privacy rights in all aspects of data processing, including marketing processes.
Quebec Commission releases guidelines on valid consent
On 31 October 2023, the Data Protection Commission of Quebec released the final version of its guidelines on the validity of consent. Aligning with Law 25, the guidelines detail 8 key criteria that must be met when obtaining consent, including that it must be unambiguous and freely given. The guidelines also include examples and best practices to help organisations understand the requirements and how to implement them effectively. They are a significant step in Quebec’s efforts to ensure robust data protection in line with Law 25.
Following the landmark Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the White House released draft guidance for public comment on 1 November 2023. The guidance aims to ensure the responsible use of AI and mitigation of its substantial risks. It reflects the growing global concerns about the rapid acceleration of AI. The Office of Management and Budget (OMB) is accepting comments on the proposal until 5 December 2023, giving stakeholders the opportunity to contribute their insights and concerns.
To support our ongoing requirement to continuously grow our remarkable and extraordinary #ONETEAM, we are seeking candidates for the following positions:
Data Protection Officers (based in the United Kingdom or The Netherlands)
Data Subject Access Rights (DSAR) Officers
Senior Graphic Designer
Digital Marketing Specialist to join our #ONETEAM
If you are looking for a new and exciting challenge, and the opportunity to work for a Great Place to Work-Certified™ company, apply today!
The DPO Centre is a limited company registered in England and Wales (Company Number: 10874595) Registered Office: Suffolk Enterprise Centre, Felaw Street, Ipswich, IP2 8SJ, United Kingdom