February Links

Red Lines under the EU AI Act - Future of Privacy Forum - There's a lot here, but it's particularly worth looking over the prohibited uses of AI under the AI Act:

It seems likely to me that LLM providers are going to end up liable under these rules - ads might be too close to deception, AI companions might look too much like emotion recognition, etc. Fines are up to 7% of global revenue, potentially billions of dollars for companies like OAI, Google, and Anthropic.

Updates from AGID - the Italian Data Protection Authority - A couple of updates here:

Police body cameras that sync data to US cloud providers are a no-go, though it sounds like it might be possible with the right encryption scheme.

The transfer of personal data for law enforcement purposes, a competence not attributable to the US company, is in fact regulated by specific rules that impose strict safeguards for cross-border transfers, including binding agreements and an adequate level of data protection in the third country.

Ban on tracking in accessibility features. I'd imagine if you sell some accessibility service - e.g., screen reader software - this will make online advertising pretty difficult. I also wonder if browser fingerprinting is going to accidentally run afoul of this by detecting accessibility extensions and settings.

Based on the GDPR's privacy by design and privacy by default principles, providers of services dedicated to people with disabilities will be required to adopt appropriate measures to prevent the tracking of tools, solutions, and settings that help them access digital services. They must also expressly declare that they do not use web tracking techniques that could indicate a user's disability.

Both quotes above were translated with Google translate.

PIPC's No-Action letter on using pseudonymized data of deceased patients

South Korea's GDPR-inspired privacy regulator has issued its first no-action letter, pre-approving some medical data sharing on deceased patients for research purposes. Their privacy law (PIPA) only applies to living individuals.

I like the no-action letter scheme, but it isn't likely to be taken up by the EU, where there isn't a single privacy regulator.
