Shows
Privacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W22 Replica with EUR 5M Fine, Meta Wins Big, EU Commision IndecisiveGarante Slams Replika with a EUR 5M FineThe Italian Data Protection Authority (Garante) has imposed significant corrective measures, including EUR 5M fine and a potential ban on processing Italian users' data, against Luka Inc., the company behind the AI chatbot Replika.According to the decision, the Garante found multiple GDPR breaches:Lack of Legal Basis: Particularly for processing sensitive data inferred from user conversations, including emotional and health-related information (violating Articles 6 and 9).Transparency Failures: Insufficient information provided to users about how their data, especially chat content, would...2025-05-2924 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W21 nyob vs Meta, Google with 1.3 Billion Settlement and Deepfakes lawAI Training & Privacy: nyob vs MetaPrivacy advocacy group noyb (none of your business) has issued a "cease and desist" letter to Meta's Irish headquarters, threatening a class action lawsuit if the tech giant proceeds with its plan to train its AI models using EU user data without explicit opt-in consent.Meta's intention, set for May 27, 2025, is to use public data shared by adults across Facebook and Instagram for AI training, relying on an alleged "legitimate interest" under GDPR.Noyb argues that this "opt-out"...2025-05-2210 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W07 Largest GDPR Civil Damages Awarded by the Irish CourtThe Irish High Court recently awarded €7,500 in damages for a GDPR breach—reportedly the highest such court-awarded damages in Ireland (and Europe?) to date.While administrative fines from data-protection authorities often reach into the millions or even billions, this relatively modest figure highlights a key point: it represents only an individual claim. Where numerous people are similarly affected by a single breach, the potential exposure for organizations could be enormous.2025-05-2211 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W06 UK ICO’S Pay or OK Framework – A Tight Balance or A Bad CompromiseThe Consent or Pay model is now a reality in the UK, and the ICO has set out a framework for how businesses can implement it while remaining GDPR-compliant.At first glance, the approach seems balanced: users get a choice, companies get flexibility, and privacy remains protected—at least in theory.But here’s the real question: Is privacy something that can be bought and sold like any other commodity? If so, shouldn’t the market set the price? And if not, doesn’t that make the very concept of “payi...2025-05-2220 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W05 DeepSeek: A Quantum Leap in AI, A Dead End in GDPR ComplianceWhen news first broke that a small Chinese AI startup called DeepSeek managed to build a reasoning model better than OpenAI’s top-tier o1 model—and for around $6 million investment—everyone’s jaws dropped.How could such an underdog possibly outperform a tech giant that’s burned billions in research and developmentNot to mention it’s free. As you can imagine it went viral in a matter of days.But as we all know, there’s a dark side to these too-good-to-be-true stories. DeepSeek’s sud...2025-05-2210 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W04 Navigating the Pseudonymisation GuidelinesPseudonymisation is a multifunctional tool helping us comply with many GDPR provisions and principles. Pseudonymisation should always be considered in the context of ROPAs. It’s not something that is simply stated in some document. “We are protecting data by using pseudonymisation” is definetly not enough.Lastly, the framework below is the result of me summarising the examples from the Annex of the Guidelines. It’s not something I came up with on my own.Context and Purpose of ProcessingStart by understanding the purp...2025-05-2213 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W03 The Austrian DSB Slaps Down Google’s Controllership DenialThe Austrian DSB Slaps Down Google’s Controllership DenialA data subject submitted a Data Subject Access Request (DSAR) directly to Google LLC, demanding access to their personal data under GDPR.Google LLC dodged responsibility, passing the request off to Google Ireland Ltd., claiming the latter was the sole controller for EEA and Swiss operations.This triggered an investigation by the Austrian DSB, who didn’t buy Google LLC’s claim that they were just a bystander.Evidence uncovered showed Google LLC wasn’t...2025-05-2210 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2025-W02 German Court Awards €10,000 for UnlawfulGerman Court Awards €10,000 for Unlawful Disclosure of Employee’s Health DataA German court ruled that an employee was entitled to €10,000 in damages after the unauthorized sharing of their health data. The employee’s health information, shared via email, was disseminated to nearly 10,000 members of an association.The court emphasized that the sharing of sensitive health data constitutes harm in itself under GDPR, even without evidence of additional damages. This aligns with the CJEU’s stance on non-material damages.2025-05-2215 minPrivacy Navigator: Weekly Insights on Privacy, AI, and Compliance2024-W50 UK Data Use and Access Bill UpdatesUK Data Use and Access Bill UpdatesSeven consortia have been selected to establish AI Factories across Europe.Brazilian AI Act On the WayUK Data Use and Access Bill UpdatesThe UK government is proposing the Data Use and Access Bill to modernise data protection regulations.The bill seeks to balance data processing benefits with user privacy and has received positive feedback from the Information Commissioner’s Office (ICO).It impacts sectors like health and finance, promoting data sharing in research while clarifying co...2025-05-2214 min