The United Kingdom’s Information Commissioner’s Office has issued guidance on the accuracy of artificial intelligence Some key points: For generative AI models, both developers and deployers must consider the impact that training data has on the outputs and how the outputs will be used. If inaccurate training data contributes to inaccurate outputs, and the outputs have consequences for individuals, then it is likely that the developer and the deployer are not complying with the accuracy principle Once the organization deploying the model has established the purpose for it, and ensured with t ..read more

Can an employer review social media posts for the purpose of assessing job candidates? Sometimes, according to a guide on data protection in employment released by the national Data Protection Authority for Latvia, Datu valsts inspekcija, Some key points: The purpose for which the applicant has created a social network profile should be distinguished (i.e. private or professional). For example, if the applicant stated in the application that he regularly publishes his opinion on some topics related to the field of the position, familiarization with the content created by the applicant would ..read more

The California Privacy Protection Agency, the California Attorney General’s Office, the FCC, the Federal Trade Commission, and more are embracing a collaborative approach. They all talk with each other. That is according to CPPA Executive Director Ashkan Soltani, who spoke with Travis LeBlanc during the International Association of Privacy Professionals Global Privacy Summit. On enforcement: There is an ongoing sweep on connected vehicles and one re: data minimization in the consumer requests space There is a big push on public awareness to provide resources for individuals The kid gloves ar ..read more

U.S. Secretary of Transportation Pete Buttigieg recently announced the Department of Transportation (DOT) would undertake a privacy review of the nation’s ten largest airlines. Specifically, they will look at their policies and procedures as they relate to the collection, handling, maintenance and use of passengers’ personal information. “Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees,” he said, according to a news release. Some key points DOT, in partnership with Sen. Ron Wyden (D-Oregon ..read more

California recently released GenAI Guidelines for Public Sector Procurement, Uses and Training, as well as a GenAI Risk Assessment. What do you need to know? The guidelines and risk assessment come on the heels of Gov. Gavin Newsom’s AI Executive Order and California GenAI Risk Report. Key points: Generative Artificial Intelligence (GenAI) is defined as: Pretrained AI models that can generate images, videos, audio, text and derived synthetic content. For Incidental GenAI purposes all state entities must: (1) Assign a member of the executive team the responsibility of continuous GenAI monitor ..read more

The Federal Trade Commission and the DOJ support a Digital Millennium Copyright Act exemption for vehicle operational data to promote the “right to repair.” An exemption currently exists for computer programs that control motorized land vehicles, marine vessels, and mechanized agricultural vehicles for purposes of diagnosis, repair, or lawful modification of the vehicle or vessel function. The FTC and DOJ support adopting an additional exemption to allow vehicle owners or the repair shop of their choice to access, store, and share vehicle operational data. Per the FTC: Giving owners the opti ..read more

India enacted its new Digital Personal Data Protection Act last year. Here are some key takeaways regarding the law, courtesy of Sajai Singh, a partner at J. Sagar Associates in India. Singh spoke recently at Alpine Privacy Days in Switzerland. Does not apply to: Offline data Publicly available information (Hello scraping public information!) Domestic use. Employee data for employment purposes Adopts key FIPs like: Data minimization, purpose limitation, accuracy, information security, retention limitation. Applies to non-Indian businesses that offer services to individuals in India or dat ..read more

U.S. companies thinking about falling back on “disproportionate” effort for access requests under the new U.S. privacy laws because they require compiling too many documents should think again. The Berlin Administrative court recently said that if complying with a request would require a review of more than 5,000 pages of documents from over 100 proceedings over the last 20 years to check in each case whether the rights of third parties would be infringed by handing them over [to redact], that it would not be disproportionate and you must comply. Will the US regulators interpret it this way ..read more

The U.S. Federal Trade Commission is working to enforce employee surveillance, according to Benjamin Wiseman, Associate Director of the FTC’s Division of Privacy and Identity Protection. Here are some key takeaways from a recent speech he gave to the Harvard Journal of Law & Technology. The Commission’s recent actions addressing AI facial recognition technology, data brokers and health apps and websites demonstrate that the FTC will not hesitate to combat emerging privacy harms and other abuses in the marketplace. The same applies to worker surveillance. As worker surveillance and AI man ..read more

The Office of the Data Protection Authority of the Bailiwick of Guernsey has issued concise guide on the definition of consent. This is helpful not only for GDPR, but also for understanding and implementing consent under the new U.S. State privacy laws. It is worth noting that it is important to refresh consent. While the law does not set a time limit for when consent “expires,” it is up to you to ensure you review and refresh consent as appropriate given your circumstances. How long consent lasts will depend on the context, and your retention policy periods. Note: The FTC recently told Inmar ..read more