News Alerts and Breach Report for Week of July 10, 2023
New Lawsuit Asks for AI Privacy Council
A complaint filed in the Northern District of California against OpenAI could put the AI company in hot water. The complaint lists 15 violations regarding the data scraping methods OpenAI has used to train its LLM, ChatGPT, including violations of the Computer Fraud and Abuse act, the Electronic Communications Privacy Act. The complaint alleges that OpenAI stole data to train ChatGPT and, “used the stolen data to train and develop [ChatGPT] utilizing large language models.” Computerworld notes that, “By taking data from the public internet that nevertheless contained personally identifiable information, the plaintiffs contend, OpenAI has violated their privacy.” The plaintiffs were not identified in the complaint. Interestingly, the complaint asks for monetary damages, as well as the establishment of an independent AI governance council, and for consumers to gain access to any personal information OpenAI has collected that belongs to them.
European Commission Announces Stronger GDPR Enforcement Rules
The European Commission this week proposed a new law to streamline communication between data protection authorities and govern cross-border data transfers between member states. The announcement cites one example of what this could look like, citing a new “obligation for the lead Data Protection Authority to send a ‘summary of key issues’ to their counterparts concerned, identifying the main elements of the investigation and its views on the case, and therefore allowing them to provide their views early on.” The announcement also notes that the new rules will clarify which materials are required when individuals submit a complaint, and clarify due process rights for businesses. The ultimate goal of the rules is to speed up resolution of cases, and allow DPAs to make more unified decisions.
Ireland’s DPA Granted New Powers
As the European home to many major tech companies, Ireland has found itself in the position of being the European Union’s lead regulator. At this point, Ireland’s Data Protection Authority (DPA), has levied billions in fines due to violations of GDPR and other data privacy laws. Late last week, Ireland’s government gave its DPA even more privacy enforcement authority when it passed an amended bill that limits how much information its DPA has to share with the public during ongoing investigations. According to Reuters, the government noted that the bill’s purpose is to “protect disclosures made during the DPC’s lengthy probes from being made public without the regulator’s permission.” Privacy activist Max Schrems has opposed the bill, citing a lack of transparency and accountability, and The European Consumer Organisation, European Digital Rights group and Amnesty International have also spoken out against the bill.
EU-U.S. Data Privacy Framework Could be Finalized by Late July
According to the International Association of Privacy Professionals, European Commissioner for Justice Didier Reynders has confirmed the EU-U.S. Data Privacy Framework could be finalized by late July. With the Biden administration’s recent steps to finalize its executive order limiting access to EU citizens’ data, the agreement could be enforceable by October, pending a review and vote by the European Commission.
BREACH REPORT
NYC Department of Education (MOVEit)
US Patents and Trademarks Office
* * * * * * *
To read our latest article, Explainer: Nevada’s New Health Data Privacy Law click here.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
92 | Interview With Tom Kemp, Silicon Valley Privacy Advocate and Author of Containing Big Tech
91 | Managed Detection & Response; The Path Forward (with Guest Sam DeNormandie, Silver Sky Security)
90 | AdTech Meets Privacy Laws (with Guest Susan Israel)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.