UK Data Use and Access Bill Updates

The UK government is proposing the Data Use and Access Bill to modernise data protection regulations.

• The bill seeks to balance data processing benefits with user privacy and has received positive feedback from the Information Commissioner's Office (ICO).
• It impacts sectors like health and finance, promoting data sharing in research while clarifying consent procedures.
• The bill addresses the use of automated decision-making technology (ADMT) in AI, granting individuals the right to challenge decisions made by AI systems.
• The proposed reforms would restructure the ICO, granting it additional enforcement resources and responsibilities related to technology innovation and public safety.
• The ICO would gain powers to investigate data protection compliance and security incidents, potentially requiring organisations to provide technical reports.
• The bill emphasises the responsible and careful handling of personal data in the context of AI and data breaches.

Read more here

Seven consortia have been selected to establish AI Factories across Europe

Seven consortia have been selected to establish AI Factories across Europe. The tldr:

• These factories aim to boost AI innovation and will receive €1.5 billion in funding, split equally between the EU and national sources.
• They will be hosted in research hubs across Europe, including Barcelona, Bologna, Kajaani, Bissen, Linköping, Stuttgart and Athens.
• The AI factories will provide access to computing power, data, and talent necessary for AI development.
• Their focus is on developing large language models and specialised vertical AI models for various sectors.
• The next opportunity for Member States to submit proposals for new AI factories is 1 February 2025.

Read more here

Brazil is on its way to regulate AI.

Here is what you need to know:

• The Brazilian Senate will vote in two days on a bill to regulate Artificial Intelligence (AI).
• The bill defines AI systems similarly to the EU AI Act.
• It outlines rights for people affected by AI, drawing inspiration from GDPR principles.
• A risk-based approach is adopted, prohibiting certain AI systems deemed to be excessively risky.

We quite liked Luiza Jarovski’s take on this, see it here

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com

On 28 November 2024, the Court of Justice of the European Union (CJEU) delivered a significant judgment in Case C-169/23 Másdi, clarifying key GDPR transparency provisions. The case arose from a dispute in Hungary regarding the issuance of COVID-19 immunity certificates and whether authorities were required to inform individuals about the processing of their personal data.



The Court examined Article 14(5)(c), Article 32, and Article 77(1) of the GDPR. Here's what the Court ruled:

Article 14(5)(c) Exception

The Court held that the exception applies to all personal data not collected directly from the data subject, whether obtained from external sources or created by controllers during their duties. However, this exception is valid only if national or EU law specifically provides for the collection or disclosure of such data and ensures measures to protect the data subject’s rights.

Supervisory Authority’s Role (Article 77(1))
Supervisory authorities are required to verify whether national laws meet the conditions of Article 14(5)(c). This includes ensuring the law provides clear protections, such as informing individuals about how their data are processed. However, their role does not include verifying if the controller has implemented adequate technical and organizational measures under Article 32.



Transparency and Control
The Court reaffirmed the GDPR’s principle of giving data subjects sufficient transparency and control over their data to ensure the lawfulness of processing. If authorities find that the Article 14(5)(c) exception is inapplicable, controllers must comply with GDPR’s information obligations

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com

On November 18, 2024, the German Federal Court of Justice (BGH) ruled on a case related to the 2021 Facebook data scraping incident, where personal data of 533 million users was exposed. The plaintiff claimed Facebook’s weak security measures caused a loss of control over their data and sought compensation under Article 82(1) GDPR.

Initially, the Regional Court of Bonn awarded €250 in damages to the plaintiff. However, the Higher Regional Court of Cologne overturned the decision, dismissing the case due to insufficient proof of harm. Upon appeal, the BGH partially reversed the Cologne court’s decision, stating that even a temporary loss of control over personal data constitutes immaterial damage under GDPR, without requiring proof of emotional distress or misuse of the data.

The court emphasized that Facebook’s default privacy setting, which allowed profiles to be searchable by phone numbers, likely breached GDPR principles of data minimization and data protection by design and default. The BGH instructed the appellate court to reassess the case, examining whether the plaintiff had been adequately informed about the default settings and whether valid consent was given for the data processing.

The BGH also provided guidance on assessing non-material damages under GDPR, suggesting that €100 could be a reasonable amount for cases involving loss of data control without further harm. However, higher compensation could be justified if psychological or other impacts are demonstrated.

The case was sent back to the Higher Regional Court of Cologne for further proceedings in line with these findings.

See the decision in german here.

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com