{"id":8779,"date":"2024-07-22T12:16:09","date_gmt":"2024-07-22T10:16:09","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8779"},"modified":"2024-07-22T12:16:10","modified_gmt":"2024-07-22T10:16:10","slug":"data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy\/","title":{"rendered":"Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy"},"content":{"rendered":"\n

In this issue we highlight SOCMINT as a new standardised procedure, data processing in LLMs and supported AI systems, an updated standard data protection model, third-party tracking technologies in health and care, and much more.<\/em><\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

LLMs<\/strong> and personal data<\/h4>\n\n\n\n

The Hamburg Data Protection Commissioner discusses whether Large Language Models store personal data. It distinguishes between an LLM as an AI model, (eg, GPT-4), and as a component of an AI system, (eg, ChatGPT). The mere storage of an LLM does not constitute processing<\/a>. Thus, data subject rights cannot relate to the model itself. Claims for information, deletion or correction can rather relate to the input and output of an AI system of the responsible provider or operator.\u00a0<\/p>\n\n\n\n

To the extent that personal data is processed in an LLM-supported AI system<\/a>, the processing operations must comply with the requirements of the GDPR. This applies in particular to the output of such a system. Similarly, any training that may violate data protection regulations does not affect the legality of using such a model in an AI system. See the full discussion paper here<\/a>.<\/p>\n\n\n\n

The most recent clarifications by the French CNIL on the deployment of Generative AI systems<\/a> and the official EU AI Compliance Checker<\/a> might be useful for your organisation. The latter also recommends that you obtain expert legal advice before using AI solutions.<\/p>\n\n\n\n

Privacy notice<\/h4>\n\n\n\n

The UK Information Commissioner encourages people to check how an app plans to use their personal information before they sign up. It is far too easy to just click \u201cagree\u201d when installing a new app. But signing up often involves handing over large amounts of your sensitive personal information, especially with apps that support our health. An organisation that values your privacy will make its privacy notice easy to understand<\/a> and set out how it will use your personal information, with whom it will be shared, what are the security measures, and whether your data will be deleted when you stop using it.\u00a0<\/p>\n\n\n\n

CCTV<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

The operation of CCTV in gym facilities, on the one hand, should aim to ensure the protection of the facilities in question while on the other hand, it should respect the right of customers and employees to protect their privacy, reiterates the Cyprus data protection authority. CCTV can be permitted at a gym entrance\/exit, parking space, reception, (only the cashier), and general perimeter of the gym property.\u00a0<\/p>\n<\/div><\/div>\n\n\n\n

It is not allowed in the areas where persons exercise<\/a>, kitchens, restrooms\/ changing rooms, and offices. Audio recording is not allowed under any circumstances. Video material must be accessible only from a device which is located within the premises of the gym and to which only the director and\/or an authorised person has access. Access to said material, from a personal device and on an ongoing basis, is not permitted.\u00a0<\/p>\n\n\n\n

More official guidance<\/h4>\n\n\n\n

EU-US DPF:<\/strong> The EDPB has published the EU-US Data Privacy Framework FAQ <\/a>for European individuals and businesses: how to benefit from it, how to lodge a complaint and how this complaint should be handled by the EU and US authorities. It also includes what to do before transferring personal data to a DPF-certified company in the US, (data controllers or processors), and self-certification of US subsidiaries of EU\/EEA businesses.<\/p>\n\n\n\n

DPIA:<\/strong> Industry professionals and interested parties are invited by the Latvian data protection authority DVI to share their thoughts and provide real-world examples of the Data Protection Impact Assessment. It is a procedure by which, through risk inventory, analysis, and evaluation of prospective outcomes<\/a>, (identifying severity and likelihood), the organisation can identify potential dangers to natural persons that may occur from planned data processing. The DPIA also includes the identification of measures to prevent possible risks. The draft guidance can be read here<\/a>, (in Latvian).<\/p>\n\n\n\n

AI projects sandbox:<\/strong> The Danish data protection authority has selected two AI projects for examination in its sandbox project. One wants to develop an AI insurance assistant for structuring and summarising accident claims<\/a>, (to determine the degree of injury more quickly than today). The other one is a public-private innovation to develop a solution that will ease the documentation burden for employees in health and care<\/a>.\u00a0<\/p>\n\n\n\n

Social media monitoring<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

According to Privacy International, social media monitoring, or SOCMINT, is becoming more common and standardised<\/a> but is still mostly uncontrolled and inconsistent. One of the most vivid examples is fraud investigations by the UK Department for Work and Pensions. Alongside covert surveillance tactics, the department\u2019s staff guide has an entire section on “Open Source Instructions<\/a>\u201d on the use of publicly available information. <\/p>\n<\/div><\/div>\n\n\n\n

However, such invisible monitoring goes against or beyond individuals\u2019 reasonable expectations and their possibility to anticipate intrusive examination.\u00a0<\/p>\n\n\n\n

GDPR in practice<\/strong><\/h4>\n\n\n\n

The Fundamental Rights Agency recently published the report “GDPR in practice – the experience of data protection authorities”. All the improvement areas directly or indirectly target the availability of human, financial and technical resources<\/a>. In particular,  underfunded and understaffed authorities are obliged to prioritise complaints handling over other regulatory tasks that the GDPR has entrusted to them \u2013 such as promoting awareness and providing advice, undertaking their own investigations and external cooperation. <\/p>\n\n\n\n

SDM 3.0<\/strong><\/h4>\n\n\n\n

The German Data Protection Conference published the updated Standard Data Protection Model<\/a> – a method for data protection advice and testing based on uniform objectives, Data Guidance reports. In particular, the model transfers the legal requirements into technical and organisational measures<\/a> required by the GDPR, which are detailed in the catalogue of reference measures. The SDM is aimed at both the supervisory authorities and those responsible for processing personal data.\u00a0<\/p>\n\n\n\n

EHDS<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

In the next couple of years, patients, healthcare providers, and authorised researchers within the EU will start using the European Health Data Space, for which a DLA Piper legal blog provides the standards on the electronic health record system<\/a>. Interoperability and the logging component are two essential components of the software that make up this records system. Further requirements for conformity can be read in the original analysis<\/a>.\u00a0\u00a0<\/p>\n<\/div><\/div>\n\n\n\n

More legal updates<\/h4>\n\n\n\n

Dark patterns:<\/strong> The Canadian Privacy Commissioner with other counterparts conducted a review of over 1000 websites and apps, and found that nearly all had at least one deceptive design element that potentially violated privacy requirements<\/a>. This includes complex and confusing language, interface Interference, nagging, obstruction, and forced action<\/a>, (tricking users into disclosing more personal information to access a service than is necessary). When two or more deceptive design patterns are used together, they can become more effective.\u00a0\u00a0<\/p>\n\n\n\n

HBNR: <\/strong>Starting in July, the amendments to the US Health Breach Notification Rule went into effect. These now underscore health apps and similar technologies<\/a> not covered by Health Insurance Portability and Accountability. HBNR requires vendors of personal health records and related entities to notify individuals, the Federal Trade Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify such vendors and related entities.\u00a0<\/p>\n\n\n\n

Rhode Island<\/strong> became the nineteenth US state<\/a> overall and the seventh state in 2024 to enact a comprehensive privacy law, The Future of Privacy Forum sums up. The law will take effect starting in 2026. The law includes familiar terminology and core obligations, such as controller\/processor responsibilities, rights of access, correction, deletion, portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms.\u00a0<\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n