FPF Submits Comments to the FEC on the Use of Artificial Intelligence in Campaign Ads
On October 16, 2023, the Future of Privacy Forum submitted comments to the Federal Election Commission (FEC) on the use of artificial intelligence in campaign ads. The FEC is seeking comments in response to a petition that asked the Agency to initiate a rulemaking to clarify that its regulation on “fraudulent misrepresentation” applies to deliberately deceptive AI-generated campaign ads.
FPF’s comments follow an op-ed FPF’s Vice President of U.S. Policy Amie Stepanovich and AI Policy Counsel Amber Ezzell published in The Hill on how generative AI can be used to manipulate voters and election outcomes, and the benefits to voters and candidates when generative AI tools are deployed ethically and responsibly.
With contributions from Aaron Massey, FPF Senior Policy Analyst and Technologist, Keir Lamont, Director for U.S. Legislation, and Tariq Yusuf, FPF Policy Intern
Several technologies can help individuals configure their devices to automatically opt out of web services’ requests to sell or share personal information for targeted advertising. Seven state privacy laws require that organizations honor opt-out requests. This blog post discusses the legal landscape governing Universal Opt-Out Mechanisms (UOOMs), as well as the key differences between the leading UOOMs in terms of setup, default settings, and whether those settings can be configured. We then offer guidance to policymakers to consider clarity and consistency in establishing, interpreting, and enforcing UOOM mandates.
The legal environment behind Universal Opt-Out Mechanisms
Online advertising continues to evolve, specifically in reaction to new regulatory requirements as an increasing number of international jurisdictions and U.S. states have enacted comprehensive privacy laws. As of October 2024, twelve states grant individuals the right to opt out of businesses selling their personal information or processing that data for targeted advertising. Of these twelve state privacy laws, seven include provisions that make it easier for individuals to opt out of certain uses of personal data. This includes the kind of personal and pseudonymized information that is routinely shared with websites, such as browser information or information sent via cookies.
Historically, a significant practical hurdle existed in the implementation of opt-out rights: users wishing to exercise the right to opt out of the use of this information for targeted advertising must locate and manually click opt-out links that businesses provide on their web pages, and they generally must do so for every site they visit. To make opting out easier, seven states’ privacy laws (California, Colorado, Connecticut, Delaware, Montana, Oregon, and Texas) require businesses to honor individuals’ opt-out preferences transmitted through Universal Opt-Out Mechanisms (UOOMs) as valid means to opt out of targeted advertising and data sales. UOOMs refer to a range of desktop and mobile tools designed to provide consumers with the ability to configure their devices to automatically opt out of the sale or sharing of their personal information with internet-based entities with whom they interact. These tools transmit consumers’ opt-out preferences by using technical specifications, chief among these the Global Privacy Control (GPC).
California became the first state to establish the force of law for opt-out signals as valid opt-outs through an Attorney General rulemaking process in August 2020. Specifically, businesses that do not honor the Global Privacy Control on their websites may risk being found in noncompliance with the California Consumer Privacy Act (CCPA), which was the central topic in the recent enforcement action against Sephora, an online retailer. In the complaint, state authorities alleged that Sephora’s website was not configured to detect or process any GPC signals and, as a result, failed to honor users’ opt-out preferences by not opting them out of sales of their data.
Although other UOOMs exist (and more are likely to emerge), we focus exclusively on the tools endorsed by the creators of the Global Privacy Control specification. In 2023, the FPF team downloaded and installed each tool and evaluated each tool’s installation process, whether GPC signals were sent without additional configuration, and whether those settings could be adjusted (see Figure 1 below).
| Tool | Installation | GPC Signals Sent without Additional Configuration | Can the Configuration Be Adjusted? |
| --- | --- | --- | --- |
| IronVest | Requires account sign-up | ❌ No | Yes; GPC can be enabled only on a per-site basis, not globally. |
| Brave Browser | No steps required after installation | ✅ Yes | No; GPC cannot be disabled, either globally or per-site, even when other protections in the “Shields” feature are turned off. |
| Disconnect | No steps required after installation | ❌ No | Yes; GPC can be enabled globally but not on a per-site basis using a checkbox in the main browser plugin window. |
| DuckDuckGo Privacy Browser | No steps required after installation | ✅ Yes | Yes; GPC can be disabled globally but not on a per-site basis. |
| DuckDuckGo Privacy Essentials | No steps required after installation | ✅ Yes | Yes; GPC can be disabled both globally or on a per-site basis by disabling “Site Privacy Protection.” |
| Firefox | Requires technical configuration | ❌ No | Yes, GPC can be disabled globally in the browser’s technical configuration but not on a per-site basis. |
| OptMeowt | No steps required after installation | ✅ Yes | Yes; GPC can be disabled both globally or on a per-site basis by disabling the “Do Not Sell” feature. |
| Privacy Badger | No steps required after installation | ✅ Yes | Yes; GPC can be disabled both globally or on a per-site basis by disabling the “Do Not Sell” feature. |

Figure 1: Observations of eight leading UOOM tools as of October 12, 2023
Our survey allows us to make four key observations about the state of these UOOMs.
Current GPC implementations are largely limited to browser plugins for desktop environments. Google Chrome, Microsoft Edge, and Safari do not natively support the GPC signal. Mozilla Firefox supports sending the GPC signal, but configuring was the most challenging setup of all the tools we tested. Brave and DuckDuckGo are the only browsers that natively support the GPC. In addition, Brave and DuckDuckGo are the only desktop and mobile browsers with GPC enabled by default.
GPC tools significantly differ from one another in user experiences for both installation and use. The installation process for six of the tools was direct and therefore suitable to a broad range of consumer knowledge. Two of the tools, IronVest and Firefox, require additional steps to enable GPC. IronVest requires the creation of an account upon downloading the tool, and through that account offers not only GPC but also a subscription-based suite of further online security services like password managers and email maskers. By contrast, Firefox does not require an account, but it requires users to complete more steps to enable the GPC, and those steps require technical knowledge or experience. Specifically, users must access the about:config settings page in Firefox, which warns the user to “Proceed with Caution” and requires users to know how to find the GPC configuration options. Users with limited experience configuring about:config settings on this browser may struggle to enable the GPC signal on Firefox. Following FPF’s study on September 25, 2023, Mozilla enabled a graphical UI setting for GPC in Firefox Nightly. Firefox Nightly provides tech-savvy users with more experimental builds of Firefox. Features typically migrate from Nightly to the more broadly available Firefox browser over time.
GPC tools differ significantly in their default settings after installation, potentially creating consumer confusion in switching from one service to another. Three of the tools leave the GPC off by default following final installation; four of them enable the GPC by default. Firefox, for example, does not enable GPC by default, and it requires the most work to enable, whereas Brave enables GPC by default without notifying users or allowing them to disable it. Many tools include other privacy features in addition to GPC, such as Privacy Badger’s ability to block surreptitious tracking mechanisms like supercookies. These tools were not examined in this report, though they may create divergent user experiences that can cause consumers to draw different conclusions as to each tool’s utility and effectiveness. Users installing a privacy-focused browser extension or using a privacy-focused browser may be unaware that in certain cases privacy features are disabled by default and require additional configuration after installation.
Finally, we observe that these tools significantly differ in configuration options for when and where to send the GPC signal. The tools collectively deploy two types of configuration: globally sending the GPC to every site and/or selectively sending the GPC on a per-site basis. None of the tools have pre-configured profiles or “allow / deny” lists for when to send the GPC, and about half of the tools allow users to set the GPC both as a global setting and on a per-site basis. IronVest only allows sending the GPC on a per-site basis, while Brave only enables the GPC on a global basis. However, given that most state laws that require compliance with a UOOM also require affirmative consent to opt back in following an opt-out, it is unclear whether disabling the GPC signal for a site after visiting it will have legal effect.
Next Steps & Policy Considerations
In 2023 alone, six states passed comprehensive privacy laws. In the years ahead, we expect that more states will be added to this list, and many are likely to include provisions regarding UOOMs. Policymakers must ensure that all UOOM requirements offer adequate clarity and consistency.
One place where greater detail from policymakers would provide benefit to organizations seeking to comply with legal requirements is in guidance not only for covered businesses, but also for vendors of consumer-facing privacy tools. Specifically, guidance would be useful regarding how a UOOM must be configured or implemented to give assurance that the GPC signals being sent are a legally valid expression of individual intent. For example, a minor detail such as whether a tool contains a “per-site” toggle for the GPC may be significant in one state, but not another.
Similarly, the question of “default settings” and their legal significance requires greater clarity in many jurisdictions. For example, to be considered a valid exercise of individuals’ opt-out rights under Colorado law, a valid GPC signal occurs when individuals provide “affirmative, freely given, and unambiguous choice.” This requirement creates an engineering ambiguity for publishers and websites over the validity of GPC signals they receive. For example, a GPC signal sent by a browser extension that requires a separate, affirmative user configuration before sending the signal will unambiguously be a valid expression of individual choice. On the other hand, an individual using a browser marketed with a variety of privacy-preserving features, including the GPC, may be sending a GPC signal that does not meet the law’s standards for defaults if those features are enabled by default and they do not provide notice to users. The user may have wanted a privacy feature other than GPC and not been aware that the GPC signal would be sent. Conversely, another user may both be seeking and appreciate a default-on GPC and not want it to be legally ignored because they didn’t affirmatively enable it. Publishers and websites do not have an engineering mechanism to differentiate between these scenarios, incentivizing them to use nonstandard techniques, like fingerprinting, for the purposes of discerning which GPC signals are valid.
New states implementing comprehensive privacy laws also increase the odds that specific privacy rights may fracture across jurisdictions in ways that are either cohesive or irreconcilable. The current GPC specification does not support conveying users’ jurisdictions, so it is unclear how organizations must differentiate between signals originating from one jurisdiction or another. The result could be that entities must choose which state’s law to risk running afoul of in order to follow the requirements of a conflicting jurisdiction.
As user-facing privacy tools are developed and updated, responsible businesses will likely err on the side of over-inclusion by treating all GPC signals as valid UOOMs. However, increased user adoption and the expansion of the GPC into new sectors (such as connected TVs or vehicles) could change expectations and put more pressure on different kinds of advertising activities. In the absence of uniform federal standards that would create guidance for such mechanisms, most businesses will aim to streamline compliance across states, providing a significant opportunity for policymakers to shape the direction of consumer privacy in the coming years. Policymakers must be aware of these developments and strive for clarity and consistency in order to best inform organizations, empower individuals, and set societal expectations and standards that can be applied in future cases.
FPF Weighs In on the Responsible Use and Adoption of Artificial Intelligence Technologies in New York City Classrooms
Last week, Future of Privacy Forum provided testimony at a joint public oversight hearing before the New York City Council Committees on Technology and Education on “The Role of Artificial Intelligence, Emerging Technology, and Computer Instruction in New York City Public Schools.”
Specifically, FPF urged the Council to consider the following recommendations for the responsible adoption of artificial intelligence technologies in the classroom:
Establish a common set of principles and definitions for AI, tailored specifically to educational use cases;
Identify AI uses that pose major risks – especially tools that make decisions about students and teachers;
Create rules that combat harmful uses of AI while preserving beneficial use;
Build more transparency within the procurement process with regard to how vendors use AI; and
Take a student-driven approach that enhances the ultimate goal of serving students and improving their educational experience.
During this back to school season, we are observing school districts across the country wrestle with questions about how to manage the proliferation of artificial intelligence technologies in tools and products used in K-12 classrooms. In the 2022-2023 school year, districts used an average of 2,591 different edtech tools. While there is no standard convention for indicating that a product or service uses AI, we know that the technology is embedded in many different types of edtech products and has been for a while now. We encourage districts to be transparent with their school community regarding how AI is utilized within the products it is using.
But first, it is critical to ensure uniformity in how AI is defined so that it is clear what technology is covered and to avoid creating overly broad rules that may have unintended consequences. A February 2023 audit by the New York City Office of Technology and Innovation on “Artificial Intelligence Governance” found that the New York City Department of Education has not established a governance framework for the use of AI, which creates risk in this space. FPF recommends starting with a common set of principles and definitions, tailored specifically to educational use cases.
While generative AI tools such as ChatGPT have gained public attention recently, there are many other tools already used in schools that fall under the umbrella of AI. Uses may be as commonplace as autocompleting a sentence in an email or speech-to-text tools to provide accommodations to special education students, or more complicated algorithms used to identify students at higher risk of dropping out. Effective policies governing the use of AI in schools should follow a targeted and risk-based approach to solve a particular problem or issue.
We can look to the moratorium on adopting biometric identification technology in New York schools following the 2020 passage of State Assembly Bill A6787D as an example of how an overly broad law can have unintended consequences. Although it appeared that lawmakers were seeking to address legitimate concerns stemming from facial recognition software used for school security, a form of algorithmic decision making, the moratorium had broader implications. Arguably, it could be viewed to ban the use or purchase of many of the computing devices used by schools. This summer, the NY Office of Information Technology Services released its report on the Use of Biometric Identifying Technology in School, following which it is likely that the Commission will reverse or significantly modify the moratorium on biometric identification technology in schools. This will present an opportunity for the city to consider what additional steps should be taken if it resumes use of biometric technology and will also likely open a floodgate for new procurement.
Accordingly, this is an important moment for pausing to think through the specific use cases of AI and technology in the classroom more broadly, identify the highest risks to students, and prioritize developing policies that address those higher risks. When vetting products, we urge schools to consider whether that product will actually enhance the ultimate goal of serving students and improving their educational experience and whether the technology is indeed necessary to facilitate that experience.
We urge careful consideration about the privacy and equity concerns associated with adopting AI technologies as AI systems may have a discriminatory impact on historically marginalized or otherwise vulnerable communities. We have already seen an example of how this can manifest in classrooms. Commonly deployed in schools, self-harm monitoring technology works by employing algorithms that rely on scanning and detecting key words or phrases across different student platforms. FPF research found that “using self-harm monitoring systems without strong guardrails and privacy-protective policies is likely to disproportionately harm already vulnerable student groups.” It can lead to students being needlessly put in contact with law enforcement and social services or facing school disciplinary consequences as a result of being flagged. We recommend engaging the school community in conversation prior to adopting this type of technology.
It is also critical to note that using any new classroom technology typically comes with increased collection, storage, and sharing of student data. There are already requirements under laws like FERPA and New York Ed Law 2-D. Districts should have a process in place to vet any new technology brought into classrooms and we urge an emphasis on proper storage and security of data used in AI systems to protect against breaches and privacy harms for students. School districts are already vulnerable as targets for cyber attacks, and it is important to minimize risk.
Finally, we flag that there are disparities in the accuracy of decisions made by AI systems and caution that there are risks when low accuracy systems are treated as gospel, especially within the context of high impact decision making in schools. Decisions made based on AI have the potential to shape a student’s education in really tangible ways.
We encourage you to consider these recommendations and thank you for allowing us to participate in this important discussion.
Future of Privacy Forum and Leading Companies Release Best Practices for AI in Employment Relationships
Expert Working Group Focused on AI in Employment Launches Best Practices that Promote Non-Discrimination, Human Oversight, Transparency, and Additional Protections.
Today, the Future of Privacy Forum (FPF), with ADP, Indeed, LinkedIn, and Workday — leading hiring and employment software developers — released Best Practices for AI and Workplace Assessment Technologies. The Best Practices guide makes key recommendations for organizations as they develop, deploy, or increasingly rely on artificial intelligence (AI) tools in their hiring and employment decisions.
Organizations are incorporating AI tools into their hiring and employment practices at an unprecedented rate. When guided by a framework centered on responsible and ethical use, AI hiring tools can help match candidates with relevant opportunities and inform organizations’ decisions about who to recruit, hire, and promote. However, AI tools present risks that, if not addressed, can impact job candidates and hiring organizations and pose challenges for regulators and other stakeholders.
FPF and the AI working group recommend:
Developers and deployers should have clearly defined responsibilities regarding AI hiring tools’ operation and oversight;
Organizations should not secretly use AI tools to hire, terminate, and take other actions that have consequential impacts;
AI hiring tools should be tested to ensure they are fit for their intended purposes and assessed for bias;
AI tools should not be used in a manner that harmfully discriminates, and organizations should implement anti-discrimination protections that go beyond laws and regulations as needed;
Organizations should not use facial characterization and emotion inference technologies in the hiring process absent public disclosures supporting the tools’ efficacy, fairness, and fitness for purpose;
Organizations should implement AI governance frameworks informed by the NIST AI Risk Management Framework;
Organizations should not claim that AI hiring tools are “bias-free;” and
AI hiring tools should be designed and operated with informed human oversight and engagement.
“When properly designed and utilized, AI must process vast amounts of personal data fairly and ethically, keeping in mind the legal obligations organizations have to those with disabilities and people from underrepresented, marginalized and multi-marginalized communities. This is why developers and deployers of AI in the employment context should use these Best Practices to show their commitment to ethical, responsible, and human-centered AI tools in compliance with civil rights, employment and privacy laws.”
“The intersection between hiring, employment, and AI tools presents complex opportunities and challenges for organizations, particularly concerning issues of equity and fairness in the workplace. Our Best Practices will guide U.S. companies as they create and use AI technologies that impact workers, ensuring that they address key issues regarding non-discrimination, responsible AI governance, transparency, data security and privacy, human oversight, and alternative review procedures.”
John Verdi, Senior Vice President of Policy at FPF
Leading policy frameworks, including the NIST’s AI Risk Management Framework (AI RMF), Civil Rights Principles for Hiring Assessment Technologies, the Data and Trust Alliance’s initiative Algorithmic Safety: Mitigating Bias in Workforce Decisions, and more, helped inform the Best Practices guide.
“AI tools can help candidates discover and describe their skills and find new opportunities that match their experience. The Best Practices assist organizations in instituting guardrails around using AI systems responsibly and ethically.”
Jack Berkowitz, ADP’s Chief Data Officer
“The use of automated technology in the workplace can result in better matches for both job seekers and employers, increased access to diverse candidates and a broader pool of applicants, and greater access to hiring tools for small to mid-sized businesses. These Best Practices provide concrete guidance for using the tools responsibly.”
Trey Causey, Indeed’s Head of Responsible AI
“We know that a responsible and principled approach to AI can lead to more transparency and better matching of job seeker skills to employer needs. The Best Practices are a real step forward and reflect the accountability needed to ensure these technologies continue to power opportunity for all members of the global workforce.”
Sue Duke, LinkedIn’s VP of Global Public Policy
“Since 2019, Workday has partnered with government officials and thought leaders like the Future of Privacy Forum to advance smart safeguards that cultivate trust and drive responsible AI. We’re proud to have co-developed these Best Practices, which offer policymakers a roadmap to responsible AI in the workplace and call on other organizations to join us in endorsing them.”
Chandler Morse, Workday’s Vice President of Public Policy
While existing anti-discrimination laws can apply to the use of AI tools for hiring, the AI governance field is still maturing. FPF’s Best Practices engages the broader AI governance field in the ethical use and development of AI for employment. The guide may also be updated to reflect developing AI regulatory requirements, frameworks, and technical standards.
Call for Nominations: 14th Annual Privacy Papers for Policymakers
The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to submit finished papers to be considered for FPF’s 14th annual Privacy Papers for Policymakers (PPPM) Award. This award provides researchers with the opportunity to inject ideas into the current policy discussion, bringing relevant privacy research to the attention of the U.S. Congress, federal regulators, and international data protection agencies.
The award will be given to authors who have completed or published top privacy research and analytical work in the last year that is relevant to policymakers. The work should propose achievable short-term solutions or new means of analysis that could lead to real-world policy impact.
FPF is pleased to also offer a student paper award for students of undergraduate, graduate, and professional programs. Student submissions must follow the same guidelines as the general PPPM award.
We encourage you to share this opportunity with your peers and colleagues. Learn more about the Privacy Papers for Policymakers program and view previous years’ highlights and winning papers on our website.
FPF will invite winning authors to present their work at an annual event with top policymakers and privacy leaders in spring 2024 (date TBD). FPF will also publish a printed digest of the summaries of the winning papers for distribution to policymakers in the United States and abroad.
Learn more and submit your finished paper by October 20th, 2023. Please note that the deadline for student submissions is November 3rd, 2023.
Navigating Cross-Border Data Transfers in the Asia-Pacific region (APAC): Analyzing Legal Developments from 2021 to 2023
Today, the Future of Privacy Forum (FPF) published an Issue Brief comparatively analyzing cross-border data transfer provisions in new data protection laws in the Asia-Pacific. Titled Navigating Cross-Border Data Transfers in the Asia-Pacific region (APAC): Analyzing Legal Developments from 2021 to 2023, the Issue Brief outlines key developments in cross-border data transfers in the Asia-Pacific in the last few years, and explores the potential impact on businesses operating in the APAC region.
Today, cross-border data transfers are pivotal in enabling the global digital economy and facilitating digital trade. These transfers allow businesses to provide services globally, while allowing individuals access to a wide range of digital services and platforms. Yet, cross-border data transfers also raise legitimate concerns regarding the protection of individuals’ privacy and security.
Amidst this tension, data protection laws attempt to strike a balance by requiring organizations to satisfy certain conditions to ensure that personal data is appropriately protected when it is transferred out of jurisdiction, absent special circumstances. Common conditions include:
Assessment of the level of personal data protection in the destination jurisdiction (also known as “adequacy”);
Adoption of safeguards, such as legally binding agreements or certifications or rules approved by a regulator;
Consent from data subjects; and
Necessity for various, specifically defined purposes.
The APAC region has seen a significant acceleration in data protection regulatory activity in recent years, including the enactment of new data protection laws. In particular, since 2021, China, Indonesia, Japan, South Korea, Thailand, and Vietnam have newly enacted or amended their data protection laws and regulations.
An analysis of the data protection laws and regulations in these six jurisdictions indicates that there is a degree of alignment between Indonesia, Japan, South Korea, and Thailand regarding legal bases for cross-border data transfers, but China and Vietnam appear to be outliers with their own unique requirements. Notably:
Indonesia, Japan, South Korea, and Thailand all recognize adequacy and consent as valid legal bases for cross-border data transfers. There is also some alignment on the recognition of certification schemes.
However, given that these laws were enacted or amended recently, there remains uncertainty on which jurisdictions might be recognized as mutually adequate, or which certification schemes will be ultimately recognized.
China and Vietnam differ substantially from the other jurisdictions studied. Both jurisdictions impose unique conditions for transferring personal data, such as requiring transferring organizations to file detailed assessments with the relevant regulator.
Vietnam also only recognizes a single legal basis for transferring personal data abroad, while China recognizes three.
These divergences in regulating cross-border data transfers likely reflect the different policy considerations in every jurisdiction, the tension between enabling cross-border data transfers to facilitate digital trade, and national considerations, such as protecting national security and sovereignty. These divergences could complicate efforts by organizations operating in multiple jurisdictions to align their regional compliance programs. Nonetheless, there are promising avenues for increasing interoperability in the region, such as standardized or model contractual clauses, the growing recognition of regional certification schemes such as the APEC Cross Border Privacy Rules and Privacy Recognition for Processors systems, and to a more limited extent, the possibility that some jurisdictions may obtain adequacy decisions from the European Union in future.
For deeper analysis of these points and of the cross-border data transfer provisions for each of the six jurisdictions covered, download the Issue Brief here.
For inquiries about this Issue Brief, please contact Josh Lee Kok Thong, Managing Director (APAC), at [email protected], or Dominic Paulger, Policy Manager (APAC), at [email protected].
FPF is grateful to the following contributors for their assistance in ensuring the accuracy of this report:
Kemeng Cai (In-house Privacy Counsel, China)
Iqsan Sirie (Partner, TMT, Assegaf Hamzah & Partners) and Daniar Supriyadi (Associate, Capital Markets, M&A, Assegaf Hamzah & Partners)
Takeshige Sugimoto (Managing Director and Partner, S&K Brussels LPC; Senior Fellow, Future of Privacy Forum)
Thitirat Thipsamritkul (Lecturer, Faculty of Law, Thammasat University)
Kwang Bae Park (Partner, Head of TMT, Lee & Ko)
Kat MH Hille (General Counsel, OceanCDR.Tech)
Please note that nothing in this Issue Brief should be construed as legal advice.
Further reading: In November 2022, FPF’s APAC office concluded a year-long project on consent and alternative legal bases for processing data in APAC that culminated in a report comparing relevant requirements in 14 APAC jurisdictions.
How Data Protection Authorities are De Facto Regulating Generative AI
The Istanbul Bar Association IT Law Commission published Dr. Gabriela Zanfir-Fortuna’s article, “How Data Protection Authorities are De Facto Regulating Generative AI,” in their August monthly AI Working Group Bulletin, “Law in the Age of Artificial Intelligence” (Yapay Zekâ Çağinda Hukuk).
Generative AI took the world by storm in the past year, with services like ChatGPT becoming “the fastest growing consumer application in history.” For generative AI applications to be trained and function, immense amounts of data, including personal data, are necessary. It should be no surprise that Data Protection Authorities (‘DPAs’) were the first regulators around the world to take action, from opening investigations to actually issuing orders imposing suspension of the services where they found breaches of data protection law.
Their concerns span from the lack of a justification (a lawful ground) for processing personal data used for training the AI models, lack of transparency about the personal data used for training, and about how the personal data collected while users are interacting with the AI service is used, lack of avenues to exercise data subject rights such as access, erasure, and objection, impossibility to exercise the right of correcting inaccurate personal data when it comes to the output generated by such AI services, insufficient data security measures, unlawfully processing sensitive personal data and children’s data, to not applying data protection by design and by default.
Global Overview of DPA Investigations into Generative AI
Defined broadly, DPAs are supervisory authorities vested with the power to enforce comprehensive data protection law in their jurisdictions. In the past six months, as the popularity of generative AI was growing among consumers and businesses around the world, DPAs started opening investigations into how the providers of such services are complying with legal obligations related to how personal data are collected and used, as provided in their respective national data protection law. Their efforts are focusing currently on OpenAI as the provider of ChatGPT. Only two of the investigations have resulted until now in official enforcement action, be it preliminary, in Italy and South Korea. Here is a list of known open investigations, their timeline, and key concerns:
The Italian DPA (Garante) issued an emergency order on 30 March 2023, to block OpenAI from processing personal data of people in Italy. The Garante laid out several potential violations of provisions of the General Data Protection Regulation (‘GDPR’), including lawfulness, transparency, rights of the data subject, processing personal data of children, and data protection by design and by default. It lifted the prohibition a month later, after OpenAI announced changes as required by the DPA. An investigation on substance is still ongoing.
In the aftermath of the Italian order, the European Data Protection Board created a task force to “foster cooperation and exchange information” in relation to handling complaints and investigations into OpenAI and ChatGPT at EU level, on 13 April 2023.
The Federal Office of the Privacy Commissioner (OPC) of Canada announced on 4 April 2023, that it has launched an investigation into ChatGPT following a complaint that the service is processing personal data without consent. On 25 May, the OPC announced that it will investigate ChatGPT jointly with the provincial privacy authorities of British Columbia, Quebec, and Alberta, expanding the investigation to also look into whether OpenAI has respected obligations related to openness and transparency, access, accuracy, and accountability, as well as purpose limitation.
The Ibero-American Network of DPAs, bringing together supervisory authorities from 21 Spanish and Portuguese-speaking countries in Latin America and Europe, announced on 8 May 2023 that it initiated a coordinated action in relation to ChatGPT.
Japan’s Personal Information Protection Commission (PPC) published a warning issued to OpenAI on 1 June 2023 which highlighted that it should not collect sensitive personal data from users of ChatGPT or other persons without obtaining consent, and that it should give notice in Japanese about the purpose for which it collects personal data from users and non-users.
The Brazilian DPA announced on 27 July 2023 that it has started an investigation into how ChatGPT is complying with the Lei Geral de Proteção de Dados (LGPD) after receiving a complaint, and after reports in the media arguing that the service as provided is not compliant with the country’s comprehensive data protection law.
The US Federal Trade Commission (FTC) opened an investigation into ChatGPT in July 2023 to see whether its provider has engaged in “unfair or deceptive privacy or data security practices or engaged in unfair or deceptive practices relating to risks of harm to consumers” in violation of Section 5 of the FTC Act.
The South Korean Personal Information Protection Commission (PIPC) announced on 27 July 2023 that it imposed an administrative fine of 3.6 million KRW (approximately 3,000 USD) against OpenAI for failure to notify a data breach in relation to its payment procedure. At the same time, the PIPC issued a list of instances of non-compliance with the country’s Personal Information Protection Act related to transparency, lawful grounds for processing (absence of consent), lack of clarity related to the controller-processor relationship, and issues related to the absence of parental consent for children younger than 14. The PIPC gave OpenAI a month and a half, until 15 September 2023, to bring the processing of personal data into compliance.
This survey of investigations into how a generative AI service provider is complying with data protection law in jurisdictions around the world reveals significant commonalities among their legal obligations and how they are applicable to processing of personal data through this new technology. There is also overlap among concerns that DPAs have about generative AI’s impact on the rights of people in relation to their personal data. This provides good ground for collaboration and coordination among supervisory authorities as regulators of generative AI.
G7 DPAs Issue Statement on Generative AI, Distilling Key Data Protection Concerns Across Jurisdictions
In this spirit, the DPAs of the G7 members adopted in Tokyo, on 21 June 2023, a Statement on generative AI which lays out their key areas of concern related to how the technology processes personal data. The Commissioners started their statement by acknowledging that “there are growing concerns that generative AI may present risks and potential harms to privacy, data protection, and other fundamental human rights if not properly developed and regulated.”
The key areas of concern highlighted in the Statement considered the use of personal data at various stages of developing and deploying AI systems, including a focus on datasets used to train, validate, and test generative AI models, the interactions of individuals with generative AI tools and also the content generated by them. For each of these stages, the issue of a lawful ground for processing was raised. Security safeguards against inverting a generative AI model to extract or reproduce personal data originally processed in data sets used to train the model were also added as a key area of concern, as well as putting in place mitigation and monitoring measures to ensure personal data generated through such tools are accurate, complete and up-to-date, free from discriminatory, unlawful, or otherwise unjustifiable effects.
Other areas of concern mentioned were transparency to promote openness and explainability; production of technical documentation across the AI development lifecycle; technical and organizational measures in the application of the rights of individuals such as access, erasure, correction, and the right not to be subject to solely automated decision-making that has a significant effect on the individual; accountability measures to ensure appropriate levels of responsibility across the AI supply chain; and limiting collection of personal data to what is necessary to fulfill a specified task.
A key recommendation spelled out in the Statement, but also emerging from the investigations above, is for developers and providers to embed privacy in the design, conception, operation, and management of new products and services that use generative AI technologies, and to document their choices in a Data Protection Impact Assessment.
Navigating Privacy-Enhancing Technologies: Key Takeaways from the Inaugural Meeting of the Global PETs Network
In recent years, privacy-enhancing technologies (PETs) have been an increasingly popular subject on regulators’ and policymakers’ agendas. Whether by issuing guidance about these types of tools (Canada’s Office of the Privacy Commissioner; United Kingdom’s Information Commissioner’s Office; Organisation for Economic Co-operation and Development), setting up regulatory sandboxes (Singapore’s Personal Data Protection Commission; Colombia’s Superintendence of Industry and Commerce), or creating prize challenges (United States and United Kingdom),1 regulators are investing resources and energy to better understand PETs, support their deployment, and potentially regulate them.
On June 26, 2023, the Israel Privacy Protection Authority (IPPA) and the Future of Privacy Forum (FPF) brought industry experts, government officials, and academia together in Tel Aviv to discuss experiences and challenges faced in the adoption of PETs. The in-person event served as the inaugural meeting of an informal Global PETs Network for regulators, providing a platform to discuss the latest developments and projects related to privacy-enhancing technologies among regulators and relevant stakeholders worldwide.
The inaugural meeting, hereinafter referred to as the “PETs Conference,” included the presentation of two case studies, a closed roundtable for regulators, and an open discussion with academia and industry experts, with the discussions being held under Chatham House Rule. This blog analyzes the main challenges raised by participants for adequate implementation of privacy-enhancing technologies, as well as the main takeaways of the discussions.
PETs: an evolving concept gaining increasing attention
As technological developments increase the collection and exchange of personal data across jurisdictions and organizations, privacy-enhancing technologies can help by providing greater security, confidentiality, and protection of personal data. There are several types of PETs, which may be classified based on their functionality. For instance, some tools obfuscate and hide information (e.g., anonymization, synthetic data, differential privacy), other technologies allow for computations on encrypted data (e.g., homomorphic encryption, secure multi-party computation), while others facilitate the training of models without transferring and sharing data to a local server (e.g., federated learning).
Although PETs have received heightened attention from authorities in recent years through different policies and initiatives, the concept is not new. As a term of reference, PETs were first introduced by the predecessor of the Dutch Data Protection Authority and the Information and Privacy Commissioner in Ontario back in 1995, through a joint report that sought to demonstrate that identity-protective elements might be included in the design of information technology systems.2
Ever since, interest in PETs has increased not only through extensive research but also in practice. For instance, federated learning and multi-party computation have proven to be useful when feeding machine learning models with on-device user data to improve digital services and products, without transferring the data to a central server. Public and private sector players use differential privacy to protect identities and privacy of people when publishing large sets of data.
While governments and organizations seem to acknowledge the potential benefits of PETs, significant challenges to their effective deployment remain. Some of these challenges include the lack of maturity and high costs associated with some of these technologies, as well as an apparent lack of communication between experts and regulators, resulting in limited regulatory guidance and understanding about the benefits, limitations, and use cases of PETs.
1. Collaboration and a greater understanding of PETs are essential
For some jurisdictions, privacy-enhancing technologies are still seen as a new and complex subject by regulators and companies alike. In that sense, educational resources and guidance can help translate the benefits and limitations of these tools. Although PETs may be encapsulated in one general concept, they differ in technical capabilities and usability. During the PETs Conference, participants praised efforts by regulators and international organizations to conceptualize the functionality and use cases of these technologies and tools. These studies include the recently published “PETs Guidance” of the United Kingdom’s Information Commissioner’s Office (ICO), as well as the OECD’s 2023 Report on “Emerging Privacy-Enhancing Technologies.”
These efforts are a starting point for greater understanding and certainty about the role of PETs in protecting personal information and privacy, which can lead to more detailed guidance and initiatives. During the meeting, authorities advocated for increased communication and collaboration to advance the understanding of PETs. This not only refers to collaboration for new projects and initiatives but also to leveraging useful and already available information to provide greater guidance and certainty to the industry. For instance, authorities could translate and disseminate available guidance by foreign authorities to their own official languages, where useful, or build their own guidance from previous documents. This kind of exercise can be helpful in providing guidance to the industry faster and in building capacity and technical knowledge within agencies.
2. Regulatory certainty is necessary to boost the adoption of PETs
Secondly, regulatory guidance can provide greater certainty for the deployment and adoption of PETs. During the open discussion with industry stakeholders, some participants indicated that more certainty on regulators’ perceptions of these tools can spur the innovation and deployment of privacy-enhancing technologies. In the long term, guidance can also manifest through metrics to evaluate the success and risks associated with some of the tools.
While some organizations might recognize the value of these tools to offer more privacy-preserving products, barriers to their implementation – such as high investments in time and resources, technical expertise, lack of maturity, and information asymmetries between developers and potential buyers – are a major factor in deciding whether to invest in these tools. However, if these technologies provide an opportunity for more privacy-preserving products and services, regulators should make efforts to ensure that most organizations consider the implementation or integration of PETs, when possible. Authorities have an important role in building trust in the digital ecosystem by providing greater certainty regarding how privacy-enhancing technologies can ensure the protection of personal information.
Importantly, data protection authorities have a special task in identifying how PETs overlap with data protection principles and how these technologies could potentially complement data protection compliance systems. Providing greater certainty in this regard could be definitive to some organizations’ decisions regarding investment and adoption of privacy-enhancing technologies.
Later on in the open discussion, industry representatives highlighted the importance of noticing the dynamics and different incentives created by PETs. In providing guidance and regulatory certainty, authorities should consider that privacy-enhancing technologies can benefit different parties across the chain of data utilization, particularly in cases where a certain technique enables data-sharing across multiple organizations. In this sense, regulators could consider economic and behavioral incentives to foster collaboration between organizations and public institutions.
3. The adoption of PETs requires constant evaluation and review of potential detrimental market outcomes
Regulators and industry participants agreed on the merit of setting standards and certification programs as a viable way to generate more trust in the use and deployment of PETs across organizations. However, they also agreed that regulation and guidance are necessary to ensure the adequate implementation of standards. Importantly, regulators still have an important role in assessing whether standardized tools will be sufficient to comply with data protection regulations, and if additional measures are required to integrate data protection and privacy throughout organizations.
Finally, due to the high costs associated with some PETs, regulators should be cautious of potential barriers to competition that might arise from the deployment of these technologies. If PETs start to be actively promoted within digital services and products, centering privacy as a key market value, regulators must consider that certain companies might be able to get a competitive advantage through the early development and deployment of PETs. To avoid additional market deficiencies caused by privacy-enhancing technologies, regulators have an important task at hand in attempting to strike a balance between privacy and competition concerns.
Conclusion
Regulators, academia, and industry experts seem to agree that further study and understanding of the potential benefits and limitations of privacy-enhancing technologies is necessary. Importantly, if PETs are part of the solution towards privacy-enhanced products and services in the digital ecosystem, regulators must strengthen their efforts to achieve their adequate deployment. Particularly, data protection authorities must indicate the extent to which privacy-enhancing technologies align with data protection and privacy frameworks and should evaluate whether their implementation is enough, or if additional measures are necessary. This assessment requires greater communication and collaboration between regulators, academia, and industry.
Importantly, more regulatory certainty on whether and how organizations should deploy PETs is essential. PETs already face intrinsic barriers to their adoption because they require technical expertise within organizations and are costly to adopt. Regulatory certainty plays an important role in tackling these challenges by providing greater transparency and knowledge about PETs, as well as the technology’s relation to data protection compliance. Regulators and data protection authorities, in particular, should focus on providing more information about the potential of PETs and provide metrics to assess their effectiveness or risks, if possible.
Finally, while PETs can help build more privacy and trust in the digital ecosystem, it is important to note that they are not a fail-safe solution. Authorities and organizations should keep core data protection principles in mind and supplement these technical tools with other organizational and administrative measures.
1 The US-UK PETs Prize Challenge was led by the U.K.’s Centre for Data Ethics and Innovation (CDEI) and Innovate UK, the U.S. National Institute of Standards and Technology (NIST), and the U.S. National Science Foundation (NSF), in cooperation with the White House Office of Science and Technology Policy.
EU’s Digital Services Act Just Became Applicable: Outlining Ten Key Areas of Interplay with the GDPR
DSA: What’s in a Name?
The European Union’s (EU) Digital Services Act (DSA) is a first-of-its-kind regulatory framework, with which the bloc hopes to set an international benchmark for regulating online intermediaries and improving online safety. The DSA establishes a range of legal obligations, from content removal requirements, prohibitions to engage in manipulative design and to display certain online advertising targeted to users profiled on the basis of sensitive characteristics, to sweeping accountability obligations requiring audits of algorithms and assessments of systemic risks for the largest of platforms.
The DSA is part of the EU’s effort to expand its digital regulatory framework to address the challenges posed by online services. It reflects the EU’s regulatory approach of comprehensive legal frameworks which strive to protect fundamental rights, including in digital environments. The DSA should not be read by itself: it is applicable on top of the EU’s General Data Protection Regulation (GDPR), alongside the Digital Markets Act (DMA), as well as other regulations and directives of the EU’s Data Strategy legislative package.
The Act introduces strong protections against both individual and systemic harms online, and also places digital platforms under a unique new transparency and accountability framework. To address the varying levels of risks and responsibilities associated with different types of digital services, the Act distinguishes online intermediaries depending on the type of business service, size, and impact, setting up different levels of obligations.
Given the structural and “systemic” significance of certain firms in the digital services ecosystem, the regulation places stricter obligations on Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). These firms will have to abide by higher transparency standards, provide access to (personal) data to competent authorities and researchers, and identify, analyze, assess, and mitigate systemic risks linked to their services. Such systemic risks have been classified into four different categories (Recitals 80-84): illegal content; fundamental rights (freedom of expression, media pluralism, children’s rights, consumer protection, and non-discrimination, inter alia); public security and electoral/democratic processes; and public health protection, with a specific focus on minors, physical and mental well-being, and gender-based violence.
The European Commission designated VLOPs and VLOSEs earlier this year (see Table 1), based on criteria laid out in the DSA and a threshold number of 45 million monthly users across the EU. The DSA obligations for these designated online platforms became applicable on August 25, 2023, with the exception of a transparency database whose publication was postponed for a month following complaints. The full regulation becomes applicable for all covered entities starting on February 17, 2024.
* The companies that sought to challenge their designation as ‘VLOPs’ – the European General Court will be addressing these challenges and will determine whether the European Commission’s designation shall be upheld.
However, VLOPs and VLOSEs are not the only regulated entities. All intermediaries that offer their services to users based in the EU, including online platforms such as app stores, collaborative economy platforms, and social media platforms, fall within the scope of the regulation, regardless of their number of users. Notably, micro and small-sized enterprises that do not meet the VLOP/VLOSE criteria, as defined by EU law, are exempted from some of the legal obligations. While “regular” online platforms may have scaled down requirements compared to VLOPs/VLOSEs, their new legal obligations are nonetheless significant and include, among others, transparency regarding their recommendation systems, setting up internal complaint-handling mechanisms, prohibitions on designing their platforms in a way that deceives or manipulates users, and prohibitions on presenting ads based on profiling using special categories of personal data, including personal data of minors.
All providers of intermediary services, including online platforms, covered by the DSA are also “controllers” under the GDPR to the extent that they process personal data and decide on the means and purposes of such processing. As a consequence, they have to comply with both these legal frameworks at the same time. While the DSA stipulates, pursuant to Recital 10, that the GDPR and the ePrivacy Directive serve as governing rules for personal data protection, some DSA provisions intertwine with GDPR obligations in complex ways, requiring further analysis. For instance, some of the key obligations in the DSA refer to “profiling” as defined by the GDPR, while others create a legal requirement for VLOPs and VLOSEs to give access to personal data to researchers or competent authorities.
After a brief overview of the scope of application of the DSA and a summary of its key obligations based on the type of covered entity (see Table 2), this blog maps out ten key areas where the DSA and the GDPR interact in consequential ways and reflects on the impact of this interaction on the enforcement of the DSA. The ten interplay areas we are highlighting are:
Manipulative design in online interfaces;
Targeted advertising based on sensitive data;
Targeted advertising and protection of minors;
Recommender systems free-of-profiling;
Recommender systems and advertising transparency;
Access to data for researchers and competent authorities;
Takedown of illegal content;
Risk Assessments;
Compliance function and the DSA legal representative;
Intermediary liability and the obligation to provide information.
The DSA Applies to Intermediary Services of Various Types and Sizes and Has Broad Extraterritorial Effect
The DSA puts in place a horizontal framework of layered responsibilities targeted at different types of online intermediary services, including:
Including “mere conduit services” (e.g. internet access, content delivery networks, WiFi hotspots); “caching services” (e.g. automatic, intermediate, and temporary storage of information); and “hosting services” (e.g. cloud and web-hosting services).
(2) Online platform services
Providers bringing together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms, social media platforms, and providers that disseminate information to the public.
(3) Very Large Online Platforms (VLOPs)
Reaching at least 45 million active recipients in the EU on a monthly basis (10% of the EU population).
(4) Very Large Online Search Engines (VLOSEs)
Reaching at least 45 million active recipients in the EU on a monthly basis (10% of the EU population).
Recitals 13 and 14 of the DSA highlight the importance of “disseminating information to the public” as a benchmark for which online platforms fall under the scope of the Regulation and the specific category of hosting services. For instance, Recital 14 explains that emails or private messaging services fall outside the definition of online platforms “as they are used for interpersonal communication between a finite number of persons determined by the sender of the communication.” However, the DSA obligations for online platforms may still apply to them if such services “allow the making available of information to a potentially unlimited number of recipients, … such as through public groups or open channels.”
Important carve-outs are made in the DSA for micro and small-sized enterprises, as defined by EU law, that do not meet the VLOP/VLOSE criteria. These firms are exempted from some of the legal obligations, in particular from making available an annual report on the content moderation they engage in, as well as the more substantial additional obligations imposed on providers of online platforms in Articles 20 to 28 – such as the prohibition to display ads based on profiling conducted on special categories of personal data, and obligations for platforms allowing consumers to conclude distance contracts with traders in Articles 29 to 32.
These carve-outs come in contrast with the broad applicability of the GDPR to entities of all sizes. This means, for instance, that even if micro and small-sized enterprises that are online platforms do not have to comply with the prohibitions related to displaying ads based on profiling using special categories of personal data and profiling of minors, they continue to fall under the scope of the GDPR and its requirements that impact such profiling.
The DSA has extra-territorial effect and global coverage, similar to the GDPR, since it captures companies regardless of whether they are established in the EU or not, as long as the recipients of their services have their place of establishment or are located in the EU (Article 2).
The DSA Just Became Applicable to VLOPs and VLOSEs and Will Continue to Roll Out to All Online Platforms
The Act requires that platforms and search engines publish their average monthly number of active users/recipients within the EU-27 (Article 24 – check the European Commission’s guidance on the matter). The first round of sharing those numbers was due on February 17, 2023. Based on the information shared through that exercise, the Commission designated the VLOPs and VLOSEs with additional obligations because of the “systemic risks that they pose to consumers and society,” (Article 33). The designation announcement was made public on April 25.
Four months after the designation, on August 25, 2023, the DSA provisions became applicable to VLOPs and VLOSEs through Article 92. This means that the designated platforms must already implement their obligations, such as conducting risk assessments, increasing transparency of recommender systems, and offering an alternative feed of content not subject to recommender systems based on profiling (see an overview of their obligations in Table 2).
As of February 17, 2024, all providers of intermediary services must comply with a set of general obligations (Articles 11-32), with certain exceptions for micro and small enterprises as explained above.
Table 2 – List of DSA Obligations as Distributed Among Different Categories of Intermediary Service Providers
Columns: Pillar obligations; Set of Obligations; Intermediary Services; Hosting Services; Online Platforms; VLOPs/VLOSEs

Transparency measures
Transparency reporting (Article 15) 🚩 🚩 🚩 🚩
Requirements on terms and conditions with respect to fundamental rights (Article 14) 🚩 🚩 🚩 🚩
Statement of reasons (Article 17) 🚩 🚩
Notice-and-action and obligation to provide information to users (Article 16) 🚩 🚩 🚩
Recommender system transparency (Articles 27 and 38) 🚩 🚩
User-facing transparency of online advertising (Article 24) 🚩 🚩
Online advertising transparency (Article 39) 🚩
User choice for access to information (Article 42) 🚩

Oversight structure to address the complexity of the online intermediary services ecosystem
Cooperation with national authorities following orders (Article 11) 🚩 🚩 🚩 🚩
Points of contact for recipients of service (Article 12) and, where necessary, legal representatives (Article 13) 🚩 🚩 🚩 🚩
Internal complaint and handling system (Article 20) and redress mechanism (Article 32) and out-of-court dispute settlement (Article 21) 🚩 🚩
Independent auditing and public accountability (Article 37) 🚩
Option for recommender systems not based on profiling (Article 38) 🚩
Supervisory fee (Article 43) 🚩
Crisis response mechanism and cooperation process (Article 36) 🚩

Manipulative Design
Online interface design and organization (Article 25) 🚩 🚩

Measures to counter illegal goods, services, or content online
Trusted flaggers (Article 22) 🚩 🚩
Measures and protection against misuse (Article 23) 🚩 🚩
Targeted advertising based on sensitive data (Article 26) 🚩 🚩
Online protection of minors (Article 28) 🚩 🚩
Traceability of traders (Articles 30-32) 🚩 🚩
Reporting criminal offenses (Article 18) 🚩 🚩
Risk management obligations and compliance officer (Article 41) 🚩 🚩
Risk assessment and mitigation of risks (Articles 34-35) 🚩
Codes of conduct (Articles 45-47) 🚩

Access to data for researchers
Data sharing with authorities and researchers (Article 40) 🚩
From Risk Assessments to Profiling and Transparency Requirements – Key Points of Interplay Between the DSA and GDPR
While the DSA and the GDPR serve different purposes and objectives at face value, ultimately both aim to protect fundamental rights in a data-driven economy and society, on the one hand, and reinforce the European single market, on the other hand. The DSA aims to establish rules for digital services and their responsibilities toward content moderation and combating systemic risks, so as to ensure user safety, safeguard fairness and trust in the digital environment, and enhance a “single market for digital services.” Notably, providing digital services is inextricably linked to processing data, including personal data. The GDPR seeks to protect individuals in relation to how their personal data is processed, ensuring that such processing respects their fundamental rights, while at the same time seeking to promote the free movement of personal data within the EU.
While the two regulations do not have the same taxonomy of regulated actors, the broad scope of the GDPR’s definitions of “controllers” and “processing of personal data” is such that all intermediaries covered by the DSA are also controllers under the GDPR in relation to any processing of personal data they engage in and for which they establish the means and purposes of processing. Some intermediaries might also be “processors” under the GDPR in specific situations, a fact that needs to be assessed on a case-by-case basis. Overall, this overlap triggers the application of both regulations, with the GDPR seemingly taking precedence over most of the DSA (Recital 10 of the DSA), with the exception of the intermediary liability rules in the DSA as the updated eCommerce Directive, which take precedence over the GDPR (Article 2(4) of the GDPR).
The DSA mentions the GDPR 19 times in its text across recitals and articles, with “profiling” as defined by the GDPR playing a prominent role in core obligations for all online platforms. These include the two prohibitions to display ads based on profiling that use sensitive personal data or the data of minors, and the obligation that any VLOPs and VLOSEs that use recommender systems must provide at least one option for their recommender systems not based on profiling. The GDPR plays an additional role in setting the definition for sensitive data (“special categories of data”) in its Article 9, which the DSA specifically refers to for the prohibition of displaying ads based on profiling done on such data. In addition to these cross-references, where it will be essential to apply the two legal frameworks consistently, there are other areas of overlap that create complexity for compliance, at the minimum, but also risks for inconsistencies (such as the DSA risk assessment processes and the GDPR Data Protection Impact Assessment). Additional overlaps may confuse individuals concerned regarding the best legal framework to rely on for removing their personal data from online platforms, as the DSA sets up a framework for takedown requests for illegal content that may also include personal data and the GDPR provides individuals with the right to obtain erasure of their personal data in specific contexts.
In this complex web of legal provisions, here are the elements of interaction between the two legal frameworks that stand out. As the applicability of the DSA rolls out on top of GDPR compliance programs and mechanisms, other such areas may surface.
Manipulative Design (or “Dark Patterns”) in Online Interfaces
These are practices that “materially distort or impair, either on purpose or in effect, the ability of recipients of the service to make autonomous and informed choices or decisions,” per Recital 67 DSA. Both the GDPR and the DSA address these practices, either directly or indirectly. The GDPR, on the one hand, offers protection against manipulative design in cases that involve processing of personal data. The protections are relevant for complying with provisions detailing lawful grounds for processing, requiring data minimization, setting out how valid consent can be obtained and withdrawn, or how controllers must apply Data Protection by Design and by Default when building their systems and processes.
Building on this ground, Article 25 of the DSA, read in conjunction with Recital 67, includes a ban on providers of online platforms to “design, organize or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.” The ban seems to be applicable only to online platforms as defined in Article 3(i) of the DSA, as a subcategory of the wide spectrum of intermediary services. Importantly, the DSA specifies that the ban on dark patterns does not apply to practices covered by the Unfair Commercial Practices Directive (UCPD) or the GDPR. Article 25(3) of the DSA highlights that the Commission is empowered to issue guidelines on how the ban on manipulative design applies to specific practices, so further clarity is expected. And since the protection vested by the GDPR against manipulative design will remain relevant and primarily applicable, it will be essential for consistency that these guidelines are developed in close collaboration with Data Protection Authorities (DPAs).
Targeted Advertising Based on Sensitive Data
Article 26(3) and Recital 68 of the DSA underline a prohibition of the providers of online platforms to “present” ads to users stemming from profiling them, as defined by Article 4(4) of the GDPR, based on sensitive personal data, as defined by Article 9 of the GDPR. Such personal data include race, religion, health status, and sexual orientation, among others on a limited list. However, it is important to mention that case law from the Court of Justice of the EU (CJEU) may further complicate the application of this provision. In particular, Case C-184/20 OT, in a judgment published a year ago, expanded “special categories of personal data” under the GDPR to also cover any personal data from which a sensitive characteristic may be inferred. Additionally, the very recent CJEU judgment in Case C-252/21 Meta v. Bundeskartellamt makes important findings regarding how social media services as a category of online platforms can lawfully engage in profiling of their users pursuant to the GDPR, including for personalized ads. While the DSA prohibition is concerned with “presenting” ads based on profiling using sensitive data, rather than with the activity of profiling itself, it must be read in conjunction with the obligations in the GDPR for processing personal data for profiling and with the relevant CJEU case-law. To this end, the European Data Protection Board has published relevant guidelines for automated decision-making and profiling in general, but also specifically on targeting of social media users.
Targeted Advertising and Protection of Minors
Recital 71 of the GDPR already provides that solely automated decision-making, including profiling, with legal or similarly significant effects should not apply to children – a rule that is relevant for any type of context, such as educational services, and not only for online platforms. The DSA enhances this protection when it comes to online platforms, prohibiting the presentation of ads on their interface based on profiling by using personal data of users “when they are aware with reasonable certainty that the recipient of the service is a minor” (Article 28 of the DSA). Additionally, in line with the principle of data minimization provided by Article 5(1) of the GDPR, this DSA prohibition should not lead the provider of the online platform to “maintain, acquire or process” more personal data than it already has in order to assess if the recipient of the service is a minor. While this provision addresses all online platforms, VLOPs and VLOSEs are expected to take “targeted measures to protect the rights of the child, including age verification and parental control tools” as part of their obligation in Article 35(1)(j) to put in place mitigation measures tailored to their specific systemic risks identified following the risk assessment process. As highlighted in a recent FPF infographic and report on age assurance technology, age verification measures may require processing of more personal data than the functioning of the online service requires, which could be at odds with the data minimization principles in the absence of additional safeguards. This is an example where the two regulations complement each other.
In recent years, DPAs have been increasingly regulating the processing of personal data of minors. For instance, in the EU, the Irish Data Protection Commission published Fundamentals for a Child-Oriented Approach to Data Processing, the Italian Garante often includes the protection of children in its high-profile enforcement decisions (see, for instance, the TikTok and ChatGPT cases), and the CNIL in France published recommendations to enhance the protection of children online and launched several initiatives to enhance digital rights of children. This is another area where collaboration with DPAs will be very important for consistent application of the DSA.
Recommender Systems and Advertising Transparency
A significant area of overlap between the DSA and the GDPR relates to transparency. A key purpose of the DSA is to increase overall transparency related to online platforms, manifesting through several obligations, while transparency related to how one’s personal data are processed is an overarching principle of the GDPR. Relevant areas for this principle in the GDPR are found in Article 5, through extensive notice obligations in Articles 13 and 14, data access obligations in Article 15, and underpinned by modalities on how to communicate to individuals in Article 12. Two of the DSA obligations that increase transparency are laid out in Article 27, which imposes on providers of online platforms transparency related to how recommender systems work, and in Article 26, which imposes transparency related to advertising on online platforms. To implement the latter obligation, the DSA requires, per Recital 68, that the “recipients of a service should have information directly accessible from the online interface where the advertisement is presented, on the main parameters used for determining that a specific advertisement is presented to them, providing meaningful explanations of the logic used to that end, including when this is based on profiling.”
As for transparency related to recommender systems, Recital 70 of the DSA explains that online platforms should consistently ensure that users are appropriately informed about how recommender systems impact the way information is displayed and can influence how information is presented to them. “They should clearly present the parameters for such recommender systems in an easily comprehensible manner” to ensure that the users “understand how information is prioritized for them,” including where information is prioritized “based on profiling and their online behavior.” Notably, Articles 13(2)(f) and 14(2)(g) of the GDPR require that notices to individuals whose personal data is processed include “meaningful information about the logic involved, as well as the significance and the envisaged consequences” of automated decision-making, including profiling. These provisions should be read and applied together, complementing each other, to ensure consistency. This is another area where collaboration between DPAs and the enforcers of the DSA would be desirable. To understand the way in which DPAs have been applying this requirement so far, this case-law overview on automated decision-making under the GDPR published by the Future of Privacy Forum last year is helpful.
Recommender Systems Free-of-Profiling
“Profiling” as defined by the GDPR also plays an important role in one of the key obligations of VLOPs and VLOSEs: to offer users an alternative feed of content not based on profiling. Technically, this stems from an obligation in Article 38 of the DSA for VLOPs and VLOSEs to “provide at least one option for each of their recommender systems which is not based on profiling.” The DSA explains in Recital 70 that a core part of an online platform’s business is the manner in which information is prioritized and presented on its online interface to facilitate and optimize access to information for users: “This is done, for example, by algorithmically suggesting, ranking and prioritizing information, distinguishing through text or other visual representations, or otherwise curating information provided by recipients.”
The DSA text further explains that “such recommender systems can have a significant impact on the ability of recipients to retrieve and interact with information online, including to facilitate the search of relevant information,” as well as playing an important role “in the amplification of certain messages, the viral dissemination of information and the stimulation of online behavior.” Additionally, as part of their obligations to assess and mitigate risks on their platforms, VLOPs and VLOSEs may need to adjust the design of their recommender systems. Recital 94 of the DSA explains that they could achieve this “by taking measures to prevent or minimize biases that lead to the discrimination of persons in vulnerable situations, in particular where such adjustment is in accordance with Article 9 of the GDPR,” where Article 9 establishes conditions for processing sensitive personal data.
Access to Data for Researchers and Competent Authorities
Article 40 of the DSA includes an obligation for VLOPs and VLOSEs to provide access to the data necessary to monitor their compliance with the regulation to competent authorities (Digital Services Coordinators designated at the national level in the EU Member State of their establishment or the European Commission). This includes access to data related to algorithms, based on a reasoned request and within a reasonable period specified in the request. Additionally, they also have an obligation to provide access to vetted researchers following a request of their Digital Services Coordinator of establishment “for the sole purpose of conducting research that contributes to the detection, identification, and understanding of systemic risks” in the EU, and “to the assessment of the adequacy, efficiency, and impacts of the risk mitigations measures.” This obligation presupposes that the platforms may be required to explain the design, logic of the functioning, and the testing of their algorithmic systems, in accordance with Article 40 and its corresponding Recital 34.
Providing access to online platforms’ data entails, in virtually all cases, providing access to personal data as well, which brings this processing under the scope of the GDPR and triggers its obligations. Recital 98 of the DSA highlights that providers and researchers alike should pay particular attention to safeguarding the rights of individuals related to the processing of personal data granted by the GDPR. Recital 98 adds that “providers should anonymize or pseudonymize personal data except in those cases that would render impossible the research purpose pursued.” Notably, the data access obligations in the DSA are subject to further specification through delegated acts, to be adopted by the European Commission. These acts are expected to “lay down the specific conditions under which such sharing of data with researchers can take place” in compliance with the GDPR, as well as “relevant objective indicators, procedures and, where necessary, independent advisory mechanisms in support of sharing of data.” This is another area where the DPAs and the DSA enforcers should closely collaborate.
Takedown of Illegal Content
Core to the DSA are obligations for hosting services, including online platforms, to remove illegal content: Article 16 of the DSA outlines this obligation based on a notice-and-action mechanism initiated at the notification of any individual or entity. The GDPR confers rights on individuals to request erasure of their personal data (Article 17 of the GDPR) under certain conditions, as well as the right to request rectification of their data (Article 16 of the GDPR). These rights of the “data subject” under the GDPR aim to strengthen individuals’ control over how their personal data is collected, used, and disseminated. Article 3(h) of the DSA defines “illegal content” as “any information that, in itself or in relation to an activity … is not in compliance with Union law or the law of any Member State…, irrespective of the precise subject matter or nature of that law.” As a result, to the extent that “illegal content” as defined by the DSA is also personal data, an individual may potentially use either of the avenues, depending on how the overlap of the two provisions is further clarified in practice. Notably, one of the grounds for obtaining erasure of personal data is if “the personal data has been unlawfully processed,” and therefore processed not in compliance with the GDPR, which is Union law.
Article 16 of the DSA highlights an obligation for hosting services, including online platforms, to put mechanisms in place to facilitate the submission of sufficiently precise and adequately substantiated notices. Article 12 of the GDPR, on the other hand, requires controllers to facilitate the exercise of data subject rights, including erasure, and to communicate information on the action taken without undue delay and in any case no longer than one month after receiving the request. The DSA does not prescribe a specific timeline to deal with notices for removal of illegal content, other than “without undue delay.” All hosting services and online platforms whose activity falls under the GDPR have internal processes set up to respond to data subject requests, which could potentially be leveraged in setting up mechanisms to remove illegal content pursuant to notices as requested by the DSA. However, a key differentiator is that in the DSA content removal requests can also come from authorities (see Article 9 of the DSA) and from “trusted flaggers” (Article 22), in addition to any individual or entity – each of these situations under their own conditions. In contrast, erasure requests under the GDPR can only be submitted by data subjects (individuals whose personal data is processed), either directly or through intermediaries acting on their behalf. DPAs may also impose the erasure of personal data, but only as a measure pursuant to an enforcement action.
VLOPs/VLOSEs will have to additionally design mitigation measures ensuring the adoption of content moderation processes, including the speed and quality of processing notices related to specific types of illegal content and its expeditious removal.
Risk Assessments
The DSA, pursuant to Article 34, obliges VLOPs/VLOSEs to conduct a risk assessment at least once per year to identify, analyze, and assess “systemic risks stemming from the design or functioning of their service and its related systems,” including algorithmic systems. The same entities are very likely subject to the obligation to conduct a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR, as at least some of their processing operations, like using personal data for recommender systems or profiling users based on personal data to display online advertising, meet the criteria that trigger the DPIA obligation. A DPIA is required in particular where processing of personal data “using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.”
There are four systemic risks that the DSA asks to be included in the risk assessment: dissemination of illegal content; any actual or foreseeable negative effects on the exercise of specific fundamental rights, among which the right to respect for private life and the right to the protection of personal data are mentioned; any actual or foreseeable negative effects on civic discourse, electoral processes and public security; and any actual or foreseeable negative effects in relation to gender-based violence, the protection of public health and minors, and serious negative consequences to the person’s physical and mental well-being.
Among the elements that a DPIA under the GDPR must include is “an assessment of the risks to the rights and freedoms of data subjects” that may arise from how controllers process personal data through new technologies, such as algorithmic systems. Other elements that must be included are the measures envisaged to address these risks, similar to how Article 35 of the DSA requires VLOPs/VLOSEs to put mitigation measures in place tailored to the identified risks. The EDPB has also published guidelines on how to conduct DPIAs.
When conducting the risk assessments required by the DSA, VLOPs/VLOSEs must take into account whether and how specific factors enumerated in Article 34(2) influence any of the systemic risks mentioned. Most factors to consider are linked to how VLOPs/VLOSEs process personal data, such as the design of their algorithmic systems, the systems for selecting and presenting advertisements, and generally their data-related practices.
Both DSA risk assessments and DPIAs are ex-ante risk assessment obligations and both involve some level of engagement with supervisory authorities. The scope of the assessments differs, with the DSA focused on systemic risks and risks that go beyond impact on fundamental rights, and the GDPR’s DPIA focused on any risks that novel processing of personal data may pose on fundamental rights and freedoms and on assessments unique to data protection. However, they also have areas of clear overlap where processing of personal data is involved. DPIAs can potentially feed into DSA risk assessments, and the two processes should be implemented consistently.
Compliance Function and the DSA Legal Representative
Under the DSA, in accordance with Article 41, the designated VLOPs/VLOSEs will be obliged to establish a “compliance function,” which can be composed of several compliance officers. This function must be (i) independent from their operational functions; (ii) allocated with sufficient authority, stature and resources; and must have (iii) access to the management body of the provider to monitor the compliance of that provider with the DSA. On top of that, the compliance function will have to cooperate with the Digital Services Coordinator of the establishment, ensure that all risks are identified through the risk assessments and that the mitigation measures are effective, as well as inform and advise the management and employees of the provider in relation to DSA obligations.
All providers of the services designated as VLOPs and VLOSEs who are also controllers under the GDPR are under an obligation to appoint a Data Protection Officer (DPO), as they very likely meet the criteria required by Article 37 of the GDPR due to the nature and scope of their processing activities involving personal data. There are similarities between the compliance function and the DPO, including their independence, reporting to the highest management level, their key task to monitor compliance with the whole regulation that creates their role, or their task to cooperate with the competent supervisory authorities. Appointing two independent roles that have a powerful internal position and with roles that may overlap to a certain extent will require consistency and coordination, which can be supported by further guidance from DPAs and DSA supervisory authorities.
Another role in the application of the two regulations that has many similarities is the role of a “representative” in the EU, in the situations of extraterritorial applicability of the DSA and the GDPR covering entities that do not have an establishment in the EU. In the DSA, this obligation pertains to all online service providers, pursuant to Article 13. If they are processing personal data in the context of targeting their services to individual recipients in the EU or if they monitor the recipients’ behavior, the service provider triggers the extraterritorial application of the GDPR as well. In such cases, they also need to appoint a GDPR representative, in accordance with Article 27. Under the GDPR, the representative acts as a mere “postal box” or point of correspondence between the non-EU controller and processor on one hand and DPAs or data subjects on the other hand, with liability that does not go beyond its own statutory obligations. In contrast, Article 13(3) of the DSA suggests that the “legal representative” could be held liable for failures of the intermediary service providers to comply with the DSA. Providers must mandate their legal representatives for the purpose of being addressed “in addition to or instead of” them by competent authorities, per Article 13(2) of the DSA.
Recital 44 of the DSA clarifies that the obligation to appoint a “sufficiently mandated” legal representative “should allow for the effective oversight and, where necessary, enforcement of this regulation in relation to those providers.” The legal representative must have “the necessary powers and resources to cooperate with the relevant authorities” and the DSA envisages that there may be situations where providers even appoint in this role “a subsidiary undertaking of the same group as the provider, or its parent undertaking, if that subsidiary or parent undertaking is established in the Union.” Recital 44 of the DSA also clarifies that the legal representative may also only function as a point of contact, “provided the relevant requirements of this regulation are complied with.” This could mean that if other structures are in place to ensure an entity on behalf of the provider can be held liable for non-compliance by a provider with the DSA, the representative can also function just as a “postal box.”
Intermediary Liability and the Obligation to Provide Information
Finally, the GDPR and the DSA intersect in areas where data protection, privacy, and intermediary liability overlap.
The GDPR, per Article 2, stresses that its provisions shall be read without prejudice to the e-Commerce Directive (2000/31/EC), in particular, to “the liability rules of intermediary service providers in Articles 12 to 15 of that Directive”. However, the DSA, pursuant to its Article 89, stipulates that while Articles 12 to 15 of the e-Commerce Directive become null, relevant “references to Articles 12 to 15 of Directive 2000/31/EC shall be construed as references to Articles 4, 5, 6 and 8 of this Regulation, respectively.”
The DSA deals with the liability of intermediary services providers, especially through Articles 4 to 10. With respect to Article 10, addressing orders to provide information, the DSA emphasizes the strong envisaged cooperation between intermediary service providers, national authorities, and also the Digital Services Coordinators as enforcers. This could potentially involve the sharing of information, including, in certain cases, personal data that has already been collected, in order to combat illegal content online. The GDPR actively passes the baton on intermediary liability to the DSA, but in the eventuality of data sharing and processing, the intermediary service providers should ensure that they comply with the protections of the GDPR (in particular sections 2 and 3). This overlap signals yet another instance where the two Regulations will be complementary to each other, this time in the case of intermediary liability and the obligation to provide information.
The DSA Will Be Enforced Through a Complex Web of Authorities, And The Interplay With The GDPR Complicates It
Enforcement in such a complex space will be challenging. In a departure from the approach promoted by the GDPR, where enforcement is ensured primarily at the national level and through the One Stop Shop mechanism for cross-border cases coordinated through the European Data Protection Board, the DSA centralizes enforcement of the DSA at the EU level when it comes to VLOPs and VLOSEs, leaving it in the hands of the European Commission. However, Member States will also be playing a role in ensuring enforcement of the DSA against the intermediary services providers who are not VLOPs and VLOSEs. Each Member State must designate one or more competent authorities for the enforcement of the DSA, and if they designate more, they must choose one to be appointed as their Digital Services Coordinator (DSC). The deadline to designate DSCs is February 2024. Challenges come with the designation of national competent authorities left to the Member States, as it seems that there is no consistent approach related to what type of authority will be most appropriately positioned to enforce the Act. Not all Member States have appointed their DSCs for the time being, but there is a broad spectrum of enforcers that Member States plan to rely on, creating a scattered landscape.
Table 3 – Authorities Designated or Considered for Designation as Digital Services Coordinators Across the EU Member States (Source: Euractiv)
Digital Services Coordinators | Member States
Media Regulator | Belgium, Hungary, Ireland and Slovakia
Consumer Protection Authority | Finland and the Netherlands
Telecoms Regulator | Czech Republic, Germany, Greece, Italy, Poland, Slovenia and Sweden
Competition Authority | Spain

The Digital Services Coordinators will be closely collaborating and coordinating with the European Board for Digital Services, which will be undertaking an advisory capacity (Articles 61-63 of the DSA), in order to ensure consistent cross-border enforcement. Member States are also tasked to adopt national rules on penalties applicable to infringements of the DSA, including fines that can go up to 6% of the annual worldwide turnover of the provider of intermediary services concerned in the preceding financial year (Article 52 of the DSA). Complaints can be submitted to DSCs by recipients of the services and by any body, organization, or association mandated to exercise rights conferred by the DSA to recipients. With respect to VLOPs and VLOSEs, the European Commission can issue fines not exceeding 6% of the annual worldwide turnover in the preceding year, following decisions of non-compliance which can also ask platforms to take necessary measures to remediate the infringements. Moreover, the Commission can also order interim measures before an investigation is completed, where there is an urgency due to the risk of serious damage to the recipients of the service.
The recipients of the service, including users of online platforms, also have a right to seek compensation from providers of intermediary services for damages or loss they suffer due to infringements of the DSA (Article 54 of the DSA). The DSA also applies in out-of-court dispute resolution mechanisms with regard to decisions of online platforms related to illegal content (Article 21 of the DSA), independent audits in relation to how VLOPs/VLOSEs comply with their obligations (Article 37 of DSA), and voluntary codes of conduct adopted at the Union level to tackle various systemic risks (Article 45), including codes of conduct for online advertising (Article 46) and for accessibility to online services (Article 47).
The newly established European Centre for Algorithmic Transparency (ECAT) also plays a role in this enforcement equation. The ECAT will be supporting the Commission in its assessment of VLOPs/VLOSEs with regard to risk management and mitigation obligations. Moreover, it will be particularly relevant to issues pertaining to recommender systems, information retrieval, and search engines. The ECAT will use a principles-based approach to assessing fairness, accountability, and transparency. However, the DSA is not the only regulation relevant to the use of algorithms and AI by platforms: the GDPR, the upcoming Digital Markets Act, the EU AI Act, and the European Data Act add to this complicated landscape.
The various areas of interplay between the DSA and the GDPR outlined above require consistent interpretation and application of the law. However, there is no formal role recognized in the enforcement and oversight structure of the DSA for cooperation or coordination, specifically among DPAs, the European Data Protection Board, or the European Data Protection Supervisor. This should not be an impediment to setting up processes for such cooperation and coordination within their respective competencies, as the rollout of the DSA will likely reveal the complexity of the interplay between the two legislative frameworks even beyond the ten areas outlined above.
Editor: Alexander Thompson
FPF Submits Comments to the FTC on the Application for a New Parental Consent Method
Today, the Future of Privacy Forum (FPF) submitted comments to the Federal Trade Commission (FTC) regarding the use of “Privacy-Protective Facial Age Estimation” as a potential mechanism for verifiable parental consent (VPC) under the Children’s Online Privacy Protection Act (COPPA) Rule.
FPF observes:
The “Privacy-Protective Facial Age Estimation” technology may improve the existing landscape for verifiable parental consent, provided appropriate privacy safeguards are in place;
The “Privacy-Protective Facial Age Estimation” technology and associated risks are distinct from the biometric privacy risks associated with facial recognition technologies; and
If the FTC approves the application, the Commission’s approval should require ongoing implementation of the privacy and fairness safeguards outlined in the application.
In June, FPF published The State of Play: Is Verifiable Parental Consent Fit for Purpose?, investigating the shortcomings and opportunities presented by the current framework for verifiable parental consent (VPC) under COPPA and encouraging ingenuity to address key challenges. As federal lawmakers seek more comprehensive ways to update the 1998 law to match the 2023 online landscape, the approval of a new method for obtaining VPC has the potential to improve a process that is grappling with changing technologies, business practices, and individuals’ expectations.
FPF’s comments do not discuss the merits of using technology as a method of age estimation or verification for all users of a child-directed or mixed-audience service, which may place disproportionate privacy risks and burden on all users. Rather, we confine our analysis to the proposed context of this application, which we understand to only refer to the limited use of verifying that a purported parent granting COPPA consent is, in fact, an adult.
FPF’s full comments to the Commission are available here.