Global Privacy Landscape Roundup - March 2023
Introduction
This monthly roundup goes through the main developments in privacy at a global level, together with recommended actions for global businesses. March 2023 brings us proposed changes to the UK, Canadian and Australian data protection regimes, updates to the US state privacy laws, and some insights into the privacy issues raised by ChatGPT.
European Economic Area
The news: The Austrian Data Protection Authority (DPA) found Facebook’s tracking pixel to be in violation of the GDPR. The DPA had already found an identical violation in the case of Google Analytics, so it simply clarified that the "Facebook Login" and "Meta Pixel" tools provided by Meta also violate the GDPR, because the personal data they send to the US lacks an appropriate data transfer mechanism.
The actions: European website operators are advised not to use any tools from Meta on their websites until the Trans-Atlantic Data Privacy Framework between the EU and the US is approved. Alternatively, they should conduct a DPIA that acts as a ‘bridge’ until the Framework is approved. Trace can support with our DPIA as a service.
The United Kingdom
The news: The UK has introduced the new Data Protection and Digital Information (No.2) Bill (the “DPDI”) to Parliament. The DPDI seeks to reform the UK’s existing data protection regime (including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003). The DPDI’s amendments seek to depart from the EU’s “one size fits all” approach towards a more flexible, business-friendly approach to data protection compliance. Core data protection principles, individual privacy rights and key controller/processor obligations will remain the same. For many large organisations which operate in the UK, across the EU and further afield, it could be mostly business as usual, with the EU GDPR remaining the benchmark. The proposed changes are:
Removing the balancing test for “recognized legitimate interests”
Loosening the rules around the processing of personal data for research purposes
A Record of Processing Activities (RoPA) is only required for activities likely to result in a high risk to the rights and freedoms of data subjects. Previously, organisations were exempted only where they employed fewer than 250 people and carried out no high-risk processing.
Removing the requirement of appointing a UK Representative.
Data Protection Officers are replaced with Senior Responsible Individuals, who are only required for public bodies or where there is high-risk processing.
The collection of statistical information no longer requires opt-in.
The actions: Businesses operating in the UK should continue to monitor these developments, as they are likely to be favourable to them.
North America
The news:
The new California Consumer Privacy Act (CCPA) regulations and the Colorado Privacy Act (CPA) regulations have been finalised. The CCPA, as amended by the CPRA, becomes enforceable on July 1, 2023. The CPA goes into effect on the same date. Companies doing business in these states should make sure they comply with both the applicable law(s) and the regulations, as a violation of a section of the regulations is treated as a violation of the law it pertains to.
Iowa has enacted a comprehensive privacy law effective on January 1, 2025. This law is similar to the one in Virginia.
18 other US states have also introduced similar privacy bills.
Canada’s Bill C-27, which would also update its privacy laws, moves to its second reading in the House of Commons. It is expected that Canada’s privacy laws will be strengthened.
The actions: Companies doing business in the state of California or Colorado should make sure their CCPA/CPRA and CPA compliance efforts are aligned with these new regulations. Trace can support with CCPA/CPRA readiness assessments.
Oceania
The news: Australia’s Privacy Act 1988 is undergoing a reform which includes enhanced data subject rights and increased accountability requirements for organisations collecting and processing Australians’ personal information, as well as the introduction of a right of direct action for individuals and a new tort of serious invasion of privacy. Per the Attorney-General’s Department Privacy Act Review Report, one of the other key intentions of the reform is to more closely align the Privacy Act with equivalent overseas laws, including the General Data Protection Regulation (GDPR) in the European Union and the United Kingdom:
Introduction of the Controller-Processor distinction into Australian Law
Removal of the Small Business Exemption (<$3m turnover)
Narrowing of the Employee Record Exemption
Increased requirements for valid consent
The actions: Companies doing business in Australia should continue to monitor these developments, especially considering that the intention is to align the Australian Privacy Act with the GDPR, thus significantly strengthening it.
ChatGPT and other Large Language Models
The news: Large Language Models (LLMs) such as ChatGPT from OpenAI have become all the rage in the past few months. While indeed fascinating, if you intend to use them in a professional or personal context you need to do so with the right safeguards and guardrails, as illustrated by recent stories:
ChatGPT invented a sexual harassment scandal and named a real law prof as the accused
Samsung meeting notes and new source code leaked after employees used ChatGPT
Unsurprisingly, the Italian DPA has temporarily blocked ChatGPT in Italy and is currently investigating OpenAI. The Office of the Privacy Commissioner of Canada has also announced its own investigation. Two reasons stand out:
There is no way to correct inaccurate data. Neither the falsely accused professor nor Samsung can take any (easy) action to remove the data ingested by ChatGPT.
The mass data scraping that OpenAI has been doing may lack a legal basis under the GDPR (and other data protection laws).
Regulatory pressure is undoubtedly ramping up and it’s likely we’ll see significant developments and findings about the privacy and business confidentiality risks that LLMs pose.
The actions: Businesses should expect at least some of their employees to try to use this technology in order to increase their productivity. Instead of trying to ban it, businesses should develop guidelines on how to use LLMs that focus on:
What information employees are allowed to provide to an LLM (e.g. no confidential information may be provided to an LLM)
How to validate the outputs of an LLM (e.g. explaining how LLMs work and why they can be ‘confidently incorrect’, thus demonstrating the need to validate all outputs)
Conclusion
Trace can help you remain up to date with the fast-paced developments in privacy through tailored audits and actionable guidance. Reach out to us for an informal discussion about your needs, book your free consultancy call now.
This article was authored by Trace privacy consultant Bogdan Barburas, CIPP/E, CIPT, CIPM, CIPP/US.