The month kicked-off with the EU Artificial Intelligence Act entering into force 1 Aug. While the act's date of application is still two years away, AI developers and deployers must keep in mind that certain rules, such as prohibitions on unacceptable risk AI, take effect much sooner.
EU and European Economic Area countries must identify national competent authorities by 2 Aug. 2025. Although most countries have not yet made their designations, certain trends are emerging.
In August, Norway's data protection authority, Datatilsynet, stated it should be designated as a supervisory authority under the EU AI Act, as it has experience and expertise investigating the impact of AI technologies on citizens' rights. This is in accordance with the European Data Protection Board's recent statement on the role of DPAs in the AI Act framework. Datatilsynet is not the first DPA expressing its interest in this role. Italy's DPA, the Garante, stated the same earlier this year.
International data flows
China and the EU launched the first discussions under the new Cross-Border Data Flow Communication Mechanism, stemming from the bilateral High-level Digital Dialogue launched in 2020. According to the European Commission, the mechanism will focus on practical solutions to address problems European companies face in China regarding cross-border flows of nonpersonal data.
"Addressing China's cross-border data transfer issues is probably one of the biggest challenges faced by privacy professionals working at multinational corporations since China adopted its Cybersecurity Law, Data Security Law and Personal Information Protection Law," Reed Smith Partner Barbara Li said in an article.
On 14 Aug., Switzerland issued an adequacy decision for the U.S., joining the EU and U.K. in allowing organizations to transfer residents' personal data to the U.S. without additional safeguards. Starting 15 Sept., U.S. companies can rely on the decision, provided they are certified under the Swiss-U.S. Data Privacy Framework. Similar to the EU-U.S. DPF adopted last July, the Swiss-U.S. agreement provides for a data subject's access to a free and independent redress mechanism and limitations on government's access to transferred data. It precludes onward transfers to third parties that are not certified under the framework.
The European Commission's first annual report on the EU-U.S. DPF's functioning is expected to come in the fall, following a bilateral review meeting in July. The Commission is seeking stakeholder feedback until 6 Sept.
August ended with a hefty EU General Data Protection Board fine. The Netherlands' DPA, Autoriteit Persoonsgegevens, imposed its largest fine yet — 290 million euros — on Uber for transferring Europeans' sensitive personal data to the U.S. without appropriate safeguards over the time frame coinciding with the gap between the EU-U.S. Privacy Shield's invalidation and the EU-U.S. DPF's adoption. Uber plans to appeal the fine.
More from European DPAs
Article 9 of the GDPR prohibits processing special categories of personal data. Derogations are only possible under certain conditions.
Denmark's DPA, Datatilsynet, recently weighed in on its interpretation in a decision concluding facial recognition systems may be used for identity verification in a gym if valid consent is obtained. Offering alternative verification methods, which occurred in the case surrounding the DPA's decision, may amount to obtaining valid consent, it said. As there were issues with the way these alternatives were communicated, the DPA highlighted that valid consent must also be informed and correctly obtained.
A recent investigation of 200 websites by Denmark's Agency for Digitalisation confirmed the importance of informed consent, this time in relation to tracking technologies. The results showed all randomly selected websites breached this requirement by either using unclassified tracking technologies, lacking information in cookie banners or missing cookie banners altogether. While most websites have since fixed their practices, those that have not may be fined for violations.
A review of 34 social media and video sharing platforms by the U.K. Information Commissioner's Office found 11 lacked in children's privacy efforts. The investigation revealed problems with targeted advertising, default privacy settings, geolocation and more. The ICO concluded enforcement actions may be taken against noncompliant platforms and announced a call for feedback from stakeholders regarding the use of children's data in recommender systems and under-13 age assurance developments.
Laura Pliauskaite is European operations coordinator for the IAPP.