Privacy Roundup: Top 10 Stories of March 2024

AI regulations continue to emerge globally, with Europe’s new AI Act and Utah’s new AI legislation. Meanwhile, Big Tech is already facing scrutiny for potential non-compliance with the recently passed Digital Markets Act (DMA). Here are all the top stories from March.

On March 13, 2024, EU lawmakers passed the landmark regulation on artificial intelligence (AI). After a 523-46 voting result, with 49 abstentions, the act adopts a tiered regulatory approach, assessing the level of risk associated with different applications of AI technology and establishing different deadlines for fulfilling various requirements. The EU member states are anticipated to approve the text in April, following which the law is slated for publication in the EU’s Official Journal by May or June. Read more

The European Commission announced investigations into Apple, Google, and Meta for their alleged “non-compliance” with the Digital Markets Act (DMA. This marks the first case under the DMA, that came into effect in March. The DMA aims to prevent Big Tech companies from monopolizing digital markets and requires designated “gatekeeper” companies like Apple, Google, Microsoft, TikTok, and Meta to facilitate access to their platforms and services for other businesses. Read more

Utah Governor Spencer Cox recently approved the Artificial Intelligence Policy Act (AI Policy Act). This legislation is the first comprehensive state law on artificial intelligence (AI) in the United States, setting a precedent that other states are expected to follow. The AI Policy Act introduces certain disclosure obligations for entities and professionals using AI systems, particularly targeting “regulated occupations”. Read more

The European Union has requested additional details from Meta regarding its Pay-or-Okay scheme, which requires European users to pay if they opt out of having their data utilized or sold. Meta adopted this controversial subscription model following a ruling by the European Court of Justice in July 2023, which deemed the company’s handling of user data unlawful. The European Commission said in a press release that it has sent Meta a formal request for information (RFI) under the Digital Services Act (DSA). Read more

President Joe Biden has signed an executive order, to safeguard the personal data of American citizens and sensitive government data from “countries of concern” or “covered persons”. As per the White House, the executive order addresses concerns regarding the potential exploitation of sensitive data, whether legally acquired through commercial channels or stolen by state-sponsored threat actors. Read more

The US House of Representatives has approved a bill that could result in the forced sale or complete ban of TikTok within the United States. By a big majority of 352 to 65, the US lawmakers marked their firm position against what they view as a national security risk associated with the Chinese-owned video-sharing platform. If approved by the Senate and signed into law by the president, the bill would enforce civil penalties on app stores, such as Apple and Google, for distributing or updating TikTok. Read more

The guidance emphasizes that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures” of Personal Health Information (PHI) to tracking technology vendors or any other breaches of the HIPAA. For instance, revealing PHI to tracking technology vendors for marketing purposes, without express consent from individuals, would be deemed impermissible disclosures. Read more

The UK Information Commissioner’s Office (ICO) released fresh guidance on March 18, 2024, detailing its approach to imposing penalties and assessing fines. This comprehensive guidance outlines a five-step method for calculating fine amounts and addresses various factors and considerations pertinent to the imposition of fines, as outlined in the relevant legislation (such as Article 83(2) UK GDPR) including the nature, gravity and duration of the infringements. Read more

A recent investigation by the European Data Protection Supervisor (EDPS) has found that the European Commission breached data protection rules by using Microsoft 365. According to the EDPS, the Commission failed to specify the types of personal data collected and their purposes when using the software. The EDPS issued corrective measures, requiring the Commission to address compliance issues by December 9, 2024. Read more

The  Information Commissioner’s Office (ICO) has issued an enforcement notice and warning to the Home Office for failing to adequately evaluate the privacy implications of its pilot scheme that was launched to track the GPS locations of up to 600 migrants arriving in the UK via unauthorised means. The ICO emphasized that such tracking is highly invasive and requires robust justification. Read more