Our latest briefing dives into the public launch of the NIST’s long-awaited AI Risk Management Framework, the EEOC’s new plan to tackle AI-based discrimination in recruitment and hiring, and the New York Department of Financial Services’ endeavor to better understand the potential benefits and risks of AI and machine learning in the life insurance industry.
Year: 2023
Meta Fines Expose EU Regulators’ Differences and Highlight Fundamental Issues for Data Controllers
Meta Ireland (Meta) has recently been issued with two fines by the Irish Data Protection Commission (DPC) for breaches of the EU General Data Protection Regulation (GDPR) relating to advertisements run on its Facebook and Instagram services. The decisions highlight some fundamental issues for all data controllers in respect of identifying the appropriate legal basis for their data processing operations and the need to be transparent about how personal data is used. The decisions also reveal some core differences in approach between the DPC, the Irish national privacy regulator in this case, and the European Data Protection Board (EDPB). It signals the likelihood of ongoing wrangling between the various European data regulators as they seek to interpret the decisions and as they are (inevitably) challenged through the courts.
The penalty imposed against Meta Ireland
The substantial fines of €210m (approximately $223m) with respect to Facebook and €180m (approximately $191m) with respect to Instagram reflect the consolidated turnover of the Meta group and the level of fines which, in the EDPB’s view, are required to be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. Meta now has 3 months to take corrective action and amend its privacy policies (including identifying an appropriate legal basis for processing) and its operations to bring its data processing in line with the GDPR.
Keeping Pace with Today’s Challenges: FCC Proposes New Data Breach Rules for CPNI
Prompted by a rapid increase in frequency, sophistication, and scale of data leaks and data breach legislation in recent years, the Federal Communications Commission (FCC) unanimously voted to kick off a proceeding aimed at adopting new proposals to update data breach response obligations involving Customer Proprietary Network Information (CPNI). These proposals aim to ensure timely notification to affected customers, the FCC, and federal law enforcement agencies and require effective measures to mitigate and prevent harm.
CPNI is a subset of personal information with regard to telecommunications carriers’ customers and the FCC has maintained rules about safeguarding the confidentiality of CPNI data for many years. Examples of CPNI are rate plan, minutes used, type of services subscribed to, type of device, location information, call detail records, and other proprietary information about a customer’s telecommunications services accounts.
Continue reading “Keeping Pace with Today’s Challenges: FCC Proposes New Data Breach Rules for CPNI”