Privacy Recap: March 2023

In March, we saw a number of national privacy authorities and lawmakers cracking down on social media companies, particularly Meta. Here are the biggest online privacy stories for March 2023.

Italian regulators order ChatGPT ban over alleged violation of data privacy laws

OpenAI, the creators of the AI chatbot ChatGPT, have also run into trouble with a European privacy regulator. Italy's Data Protection Authority, the GPDP, has found that the company lacks a lawful basis for the collection of users' personal information.

In a press release issued March 31, the GPDP also stated that OpenAI has no mechanism in place to stop underage users accessing the service, which can expose them to "developmentally inappropriate answers". OpenAI has confirmed that they have blocked ChatGPT in Italy.

The Italian watchdog may be justified - the move was reportedly prompted by a recent data breach that exposed ChatGPT users' personal information. This isn't the first AI chatbot to be banned in Italy - in February, the chatbot app Replika.ai was banned after it became notorious for the personal relationships some users had developed with the bot. The GPDP similarly cited risks to minors and emotionally fragile people.

European authorities crack down on Facebook's breach of data protection rules

The Austrian Data Protection Authority (DPA) has decided using Facebook’s tracking pixel directly violates the EU General Data Protection Regulation. This decision stems from the 101 complaints that were filed against European companies (Pixel users) by Austrian privacy group noyb back in August 2020.

Those complaints followed the July 2020 Court of Justice of the European Union (CJEU) ruling, which struck down the Privacy Shield data protection agreement after finding that the agreement did "not grant data subjects actionable rights before the courts against the US authorities".

The Facebook Pixel is used for ad retargeting and conversion attribution purposes, and it achieves this by tracking your activities on websites that contain the pixel code. It lets businesses and other advertisers collect website visitors' personal data, with certain data such as form entries collected and shared with Meta without the visitor's knowledge or consent.

A Dutch court also ruled that Facebook's behavioural ads lack legal basis earlier this month. It found that Facebook/Meta broke privacy law when it processed the personal data of Dutch Facebook users for advertising purposes without having the legal grounds, such as consent, to do so. The crux of this case is the long-standing complaint often referred to as 'forced consent', which was finally tackled by Meta's lead data protection regulator in January of this year.

The Irish Data Protection Commission gave the tech giant orders to change how it operates in the region (along with a fine of €390 million), and while Meta has appealed the decision, they announced on March 30 that they would be switching the legal basis to 'legitimate interest'.

Whether the pivot in legal basis for data processing sticks remains to be seen - a similar recent move by TikTok was quickly shot down by EU regulators and eventually withdrawn. Meta is facing other GDPR-related complaints and decisions, however, so it is running out of space for circumventing privacy regulation requirements. As they say, the plot thickens.

U.S. poised for nation-wide TikTok ban

Following a series of bans enforced by other countries, most notably the complete ban implemented by India in 2020, TikTok is looking at a real possibility of a full ban in the US as well. A number of countries have recently banned the popular social video app from government devices, including the White House: U.S. federal agencies were told on February 27 to delete the app in 30 days.

TikTok has come under government scrutiny as a potential security risk because its parent company, ByteDance, is based in China. The concerns are that citizens' data could be accessed by the Chinese government (a 2017 law requires all organizations and citizens to cooperate with "state intelligence work") and that the platform could be used to influence or manipulate public opinion.

Legislation allowing President Biden to ban TikTok from all devices in the country is also currently being processed by the House of Representatives. While the ultimate fate of TikTok in the U.S. is still in the air, it's not looking good: on March 23, TikTok's CEO Shou Chew gave testimony in Congress noting that ByteDance is privately owned and thus not owned or controlled by the Chinese government. Shortly before the hearing, China's commerce ministry announced Beijing's firm opposition, should a sale of TikTok attempt to be forced. Not surprisingly, Chew failed to convince the members of the House Energy and Commerce Committee in the light of Beijing's announcement.

Want to talk to us? Join us on the Koofr subreddit!

Enjoyed this article? Why not check out what we do.