EU-UK Data Privacy Round Up

November was a busy month for data privacy. See below for updates to the EU AI Act, the Information Commissioner’s Office’s (ICO) response regarding third party cookies, the ICO’s appeal of Clearview ruling, and the Italy data protection authority’s (DPA) training probe.

EU AI Act Updates

As we continue monitoring the EU AI Act legislative debate, please see key issues below.

High Risk AI System Exemptions

Initially, all AI systems in certain critical use cases were labeled high-risk. The current debate has brought forward possible exemption opportunities to AI developers from the stringent regulations of oversight. Critics against the exemptions have extended an olive branch calling for narrower and more specific designs for the exemptions. We await the European Commission’s response and how it is tailored to maintain consistent protection levels.

Deep Learning Has Redefined AI

The new definition states:

An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that [can] influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.

This is a significant change because it removes the factor that “objectives must be defined by humans” to now include scenarios where an AI system can acquire new objectives by itself.

Biometric Surveillance

Lawmakers want a ban on AI use in biometric surveillance, but EU countries led by France want exceptions for national security, defense, and military purposes. However, in the latest compromise, the Council has adopted the approach. For tracking down a suspect, the text now specifies that the criminal offense must fall under a new list and be punishable for a maximum period of at least five years.

Severe offenses are listed in a new annex and include terrorism, human, drugs and weapons trafficking, child sexual exploitation, murder, kidnapping, crimes covered under the International Criminal Court, hostage-taking, and rape. Law enforcement agencies can also apply the authorized uses of real-time remote biometric identification only if they register the system in the EU public database and have completed a fundamental rights impact assessment.

Other Current Controversies

Several other key debates focus on AI’s use of copyrighted material and changes in the foundational models.

Lawmakers are pushing for AI regulations to address the use of copyrighted content, but EU member states contend that the current copyright regulations in the are adequate for this purpose. Parliament is currently responding to an agreement by France, Germany, and Italy that have stressed the importance of  “mandatory self-regulation through codes of conduct,” instead of enforcing more stringent rules on the “most capable” providers, particularly those developed by companies outside of Europe.

ICO Third-Party Cookie Warning

The ICO’s executive director stated, “Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent… many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.”

According to the ICO, some websites do not give users fair choices over whether or not to be tracked for personalized advertising. The ICO has previously issued clear guidance that organizations must make it as easy for users to “Reject All” advertising cookies as it is to “Accept All”. Websites can still display adverts when users reject all tracking but must not tailor these to the person browsing.

The ICO advised that they have written to companies running many of the UK’s most visited websites setting out our concerns and giving them 30 days to ensure their websites comply with the law.

ICO Seeks Permission to Appeal Clearview Ruling

The Information Commissioner is seeking permission to appeal the judgment of the First Tier Tribunal (Information Rights) (Tribunal) on Clearview AI Inc (Clearview).

The Tribunal supported the ICO’s view that US-based Clearview was processing personal information which related to the monitoring of an individual’s behavior through the collection of billions of facial images, which were then offered for access and analysis using AI, to foreign subscribers.

However, the ICO does not agree with the Tribunal’s finding that Clearview’s processing fell outside the reach of UK data protection law because it provided its services to foreign law enforcement agencies. The ICO’s argument is that Clearview was not solely processing for foreign law enforcement purposes; therefore, it should not be shielded from the scope of the UK law. Just because Clearview so happened to provide services to foreign law enforcement agencies, Clearview provides its services commercially and should thus be subject to the ICO’s jurisdiction.

The ICO is pursuing the reversal of the Tribunal’s finding.

Italy DPA Training Probe

Italy’s data protection authority began its “fact-finding investigation” into how large amounts of personal data online are being used for training Artificial Intelligence (AI) systems. The investigation is being conducted to check whether websites are undertaking “adequate measures” to protect user/visitor personal data from unwarranted scraping by AI companies.

The Garante has invited stakeholders including trade associations, consumer associations, representatives of academics, and AI experts to submit their comments on the fact-finding process in 60 days. The announcement also provides that the Italy DPA reserves the right to employ necessary measures on the basis of the results of the review.

As we wait for the European Commission and Parliament’s decisions on approved uses and regulations for foundational models — in addition to both China’s AI rules published in July 2023 and France establishing a taxation for works generated by AI with unknown origins — countries will look to Italy, especially as the strictest member of the EU as it relates to data privacy, for its investigation findings and recommendations.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.