Privacy Roundup: Top 10 Stories of April 2023

From ChatGPT’s ban lift to operation cookie monster, last month saw a mix of stories in the world of data privacy. Meanwhile, privacy laws and bills continue to gain momentum in the US and the EU. Don’t miss out on the top stories from April.

ChatGPT is available to users in Italy after being temporarily banned by the country’s data protection authority in March for a possible violation of the GDPR. Italy’s Garante announced the reinstatement of ChatGPT, after OpenAI, the creator of the generative AI system, made changes to meet the demands of the regulator. These changes include age verification, transparent policies, and the rights of users to opt out from the processing of their personal data. Read more 

Mozilla’s Firefox web browser has rolled out Total Cookie Protection (TCP) as the default setting for all users worldwide. This feature prevents websites from accessing cookies for cross-site tracking. So, the cookies that are deposited while you are browsing a website, can only be accessed by that website. TCP also offers additional privacy protections such as Enhanced Tracking Protection (ETP) which works by blocking trackers based on a maintained list. Read story

An international police crackdown dubbed “Operation Cookie Monster” took down Genesis Market, one the world’s largest illicit online marketplaces. The service hosted an estimated 80 million credentials and digital fingerprints stolen from more than 2 million people.  Founded in 2018, Genesis Market sold stolen data such as usernames, passwords, bank account details and device fingerprints. The operation also led to over 100 arrests worldwide and was headed by the US FBI and the Dutch National Police. Read more 

Under the Digital Services Act (DSA), the European Commission has released the first list of 17 businesses that will be considered Very Large Online Platforms (VLOPs) and 2 that will be considered Very Large Online Search Engines (VLOSEs). Services operated by Google, Meta and Microsoft are part of the list of Platforms, while Google and Bing are the designated VLOSEs. The platforms have to be compliant with the full set of DSA obligations by 25 August 2023. Find the list

Montana and Tennessee became the latest US states to pass comprehensive privacy legislation, joining California, Colorado, Virginia, Utah, Connecticut, Iowa, and Indiana). Both bills cleared their state legislatures and are awaiting signatures from the Governor’s office before becoming law. If enacted, Montana’s bill takes force on October 1st, 2024 while Tennessee’s follows on July 1st, 2025. Read more 

The UK’s Data Protection and Digital Information Bill passed its second reading in the House of Commons on 17 April 2023. After being shelved for several months, the Bill was debated in Parliament and will now move to a Parliamentary committee for more detailed scrutiny. The Bill is intended to provide a business-friendly regime, without creating regulatory roadblocks for businesses, especially for international trade with Europe. Read more

TikTok has been issued with a £12.7 million (~$15.7M) fine for illegally processing the data of 1.4 million children under 13. Britain’s privacy watchdog, the Information Commissioner’s Office (ICO), announced that it found the video-sharing platform “did not do enough” to keep a check on who was accessing their platform and failed to take sufficient action to remove the under-13s from using the app. Read story

The European Data Protection Board (EDPB) has resolved a dispute concerning the legality of data transfers to the US by Meta. The EDPB decided that Meta inappropriately relied on contract as a legal basis to process personal data for Facebook’s and Instagram’s services for the purpose of behavioural advertising. The EDPB also instructed Italian DPA to include an order for Meta to bring its processing in compliance with Art. 6(1) GDPR within three months. Read more 

WhatsApp, Signal, and other messaging service providers have written an open letter opposing about the UK’s new Online Safety Bill (OSB). The messaging platforms raised concerns that the Bill could undermine end-to-end encryption and compromise users’ privacy. The letter pointed out that the Bill opens the door to “routine, general and indiscriminate surveillance” of personal messages and risks “emboldening hostile governments who may seek to draft copycat laws.” Read story 

The European Data Protection Board (EDPB) has recently released guidelines on how data subject’s right to access has to be implemented in different situations.  The Guidelines provide clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, when requests can be denied, and more. Read more