The EU’s recent negotiated agreement over the A.I. Act is one of the world’s first comprehensive attempts to govern the use of AI. Enforcement won’t kick in until 2025, but IT leaders are already trying to stay ahead lest they risk falling behind.
A recent change to its EU terms of service and an email sent out to some ChatGPT users indicate that OpenAI is now formally under the watch of the Irish DPC in terms of its responsibility to EU data privacy regulations.
Fine imposed by the Norwegian data protection authority in August could be expanded to the entirety of the EU, subjecting Meta to extensive daily penalties until it makes big changes to tracking ads. Decision could potentially spark an EU ban.
Since the GDPR went into effect in 2018, Meta has done nearly everything possible to claim legitimate interest to avoid user consent for collecting personal information for targeted ads. The company appears to have finally reached the end of its rope in this area, with a recently announced changeover to a consent basis.
Meta has now lost that case in the EU's highest court, opening the door for other antitrust law investigations in the bloc to incorporate data privacy violations and frame them as part of a systemic abuse of market position.
The central objection raised is a predictable one, and one that some analysts believe will inevitably cause the EU-US data transfer proposal to fail yet another court challenge if it makes it to implementation: the lack of a federal-level data privacy law in the US.
A new paper from global law multinational DLA Piper lays out the case for a risk-based approach to GDPR international data transfers, arguing that the status quo is too onerous and that data exporters are suffering.
Losing Ireland "main establishment" status means that any national DPA in the EU could bring direct GDPR action against Twitter on behalf of its citizens without the standard collaborative process that ultimately funnels everything through the Irish DPC.
The crux of the privacy objections is that the executive order does not guarantee that indiscriminate collection will be stopped; it merely attempts to narrow the scope of intelligence activity in EU-US data transfers.
Organizations must elevate their data management and privacy regulations to adhere to governance policies, which will align with privacy laws. This will enable the proper management and storage of personal data and avoid some of the ongoing privacy issues faced today.