
The AI & Privacy Explorer #31/2024 (29 July – 4 August)

Welcome to the AI, digital and privacy news recap for week 31 of 2024 (29 July – 4 August)!

This edition at a glance:

🤖 The EU AI Act entered into force

🏛️ Meta to pay Texas $1.4 billion over Facial Recognition Privacy Violations

⚔️ Meta is sued in Argentina for using data from WhatsApp to train its AI

🎵 AI Music Generator Suno Admits It Trained its AI on ‘Essentially All Music Files on the Internet’

🕵️ Argentina's AI Crime Prediction Plan Raises Human Rights Concerns

🌐 New York AG Launches Website Privacy Guides

⚖️ FTC Sues TikTok for Violating US Children's Privacy Law (COPPA)

📊 Noyb Publishes 2023 Annual Report 


 

🤖 The EU AI Act entered into force

On 1 August 2024, the European Commission officially announced the entry into force of the European Artificial Intelligence Act (AI Act), marking a pivotal step in AI regulation globally. The announcement highlights that the AI Act ensures AI systems in the EU are trustworthy by introducing a risk-based approach that categorizes AI systems into four risk levels: minimal, specific transparency, high, and unacceptable. High-risk systems face strict requirements, while unacceptable-risk systems are banned.

Implementation and Enforcement

Member States have until 2 August 2025 to designate national authorities responsible for enforcing the AI Act. The Commission's AI Office will oversee implementation at the EU level, supported by the European Artificial Intelligence Board and a scientific panel of experts. Companies not complying with the rules face fines of up to 7% of global turnover.

The AI Act has a staggered implementation timeline, and this FPF infographic shows it well:

[Infographic: EU AI Act timeline]

 

🇺🇸 Texas $1.4 Billion Settlement with Meta Over Its Unauthorized Capture of Personal Biometric Data

On 30 July 2024, Texas Attorney General Ken Paxton secured a $1.4 billion settlement with Meta Platforms Inc. over the unauthorized capture and use of Texans' biometric data. This record-setting agreement, the largest ever obtained by a single US state, highlights the enforcement of Texas’s “Capture or Use of Biometric Identifier” Act (CUBI).

Background and Legal Context 

In February 2022, Paxton filed a lawsuit against Meta, accusing the tech giant of violating CUBI and the Deceptive Trade Practices Act by using facial recognition software without informed consent. The feature, initially called Tag Suggestions, was automatically enabled for Texans without explaining its operation. Meta’s software scanned photographs to capture facial geometry, violating state law that requires explicit consent. 

Settlement Details

  • Payment Structure: Meta will pay $1.4 billion over five years. The first installment of $500 million is due within 30 days, with subsequent annual payments of $225 million each.

  • Use of Funds: The state treasury will receive the funds, with portions allocated to attorney fees and the state’s general revenue fund.

Broader Implications

  • Historic Precedent: This settlement surpasses the previous largest privacy-related settlement in the US, a $390 million agreement involving Google and 40 states in 2022.

  • Future Enforcement: The outcome serves as a deterrent to companies engaging in unauthorized biometric data practices, emphasizing the importance of compliance with privacy laws.

  • Legal Framework: This case marks the first enforcement action under CUBI, setting a significant precedent for future privacy litigation in Texas.

Read the press release here, and find my recap of Meta’s troubles in 2024 prior to this settlement here.

 

⚔️ Meta is sued in Argentina for using data from WhatsApp to train its AI

A formal complaint against Meta has been filed in Argentina, highlighting concerns about the misuse of personal data from WhatsApp and other platforms for AI training without proper user consent. The complaint, brought forward by lawyers specializing in data protection, Facundo Malaureille and Daniel Monastersky, seeks to address these practices under Argentina's Personal Data Protection Law (Law 25,326), which has remained unchanged for over 20 years.  

Complaint Details 

The 22-point complaint demands Meta Argentina provide: 

  • Evidence of user consent related to updates in the Privacy Policy. 

  • A Privacy Impact Assessment (PIA) that aligns with Argentine regulations. 

  • Technical details on anonymization processes and measures to prevent data re-identification. 

  • Information on the handling of metadata and sensitive data during anonymization. 

  • Policies on data retention and destruction.

The complaint also urges the authority to perform an independent audit of Meta’s data practices and to establish national standards for data anonymization that align with Argentina's legal framework.

Complainants’ Statements 

Monastersky, who directs the Center for Cybersecurity Studies, emphasized that Argentinians should not be treated as "guinea pigs" in the absence of modernized data protection laws. He stressed the importance of updating Law 25,326 to better protect citizens from the risks posed by the expansive reach of multinational tech companies like Meta.  

International Context 

Recently, Brazil’s data protection authority (ANPD) ordered Meta to halt its AI training on user data in the country and imposed potential fines of R$50,000 per day for non-compliance (I wrote about that in the week 27 edition). Similarly, the Brazilian Prosecutor's Office demanded a fine of R$1.733 billion against WhatsApp for alleged privacy violations. In Europe, Meta decided not to launch its new Llama 3.1 AI models due to the stringent regulatory environment, fearing penalties under the GDPR.  

Read more here (in Spanish).

 

🎵 AI Music Generator Suno Admits It Trained its AI on ‘Essentially All Music Files on the Internet’

On 1 August 2024, Suno, a leading AI music generator, disclosed in court that its product was trained on "essentially all music files of reasonable quality" accessible online. This admission surfaced during a lawsuit brought in the United States by major record labels, including Universal Music Group and Warner Music. The lawsuit alleges that Suno scraped vast amounts of copyrighted music without permission and reproduced parts of famous songs in their AI-generated outputs.  

Suno’s court filing confirmed that its AI model ingested tens of millions of recordings, including those owned by the plaintiffs. The company defended its actions by arguing that the use of copyrighted material for AI training should be considered Fair Use, claiming that its AI was designed to create new, original songs. Suno criticized the music industry’s licensing practices, suggesting they aim to stifle AI development.  

The record labels’ lawsuit presents evidence that Suno can generate music strikingly similar to famous songs in their catalogs, with specific examples like Chuck Berry’s "Johnny B. Goode" and Mariah Carey’s "All I Want for Christmas Is You" being cited. Suno has argued that their use of copyrighted material for AI training falls under Fair Use, positioning the case as a critical test of whether mass data scraping for AI products can be considered a transformative, protected use of copyrighted content.  

The outcome of this legal battle could have profound implications for the legality of using copyrighted works to train AI models, potentially shaping the future of AI-generated content across various media.

Read 404Media's reporting here.

 

🕵️ Argentina's AI Crime Prediction Plan Raises Human Rights Concerns

On 1 August 2024, Argentina’s President Javier Milei introduced the Artificial Intelligence Applied to Security Unit, aiming to leverage AI for predicting future crimes. The unit will use machine-learning algorithms to analyze historical crime data, employ facial recognition technology to identify "wanted persons," and monitor social media and real-time security footage to detect suspicious activities. The government claims this approach will enhance the ability to detect potential threats, track criminal movements, and anticipate disturbances. 

However, this initiative has raised significant concerns among human rights groups. Amnesty International warned that large-scale surveillance could infringe on citizens' freedom of expression, as people may self-censor their speech due to the fear of being monitored. The Argentine Center for Studies on Freedom of Expression and Access to Information echoed these concerns, highlighting the potential for misuse, particularly in profiling journalists, activists, and other vulnerable groups. 

Critics are especially alarmed given Argentina’s history of state repression during the 1976-83 dictatorship, during which an estimated 30,000 people disappeared, and the potential for AI technologies to replicate similar oppressive tactics. The Milei administration, which has also taken a hardline stance on protests and security policy, has drawn comparisons to controversial security measures in other countries. Despite assurances from the Ministry of Security that the new AI unit will operate within the current legal framework, concerns about privacy and misuse persist, particularly regarding the broad access to personal data by security forces.

Read The Guardian’s reporting here.

 

🌐 New York AG Launches Website Privacy Guides

The New York State Attorney General's Office published a comprehensive guide on website privacy controls to assist businesses in complying with New York's consumer protection laws. The guide aims to enhance consumer privacy by ensuring that businesses' tracking practices and privacy disclosures are accurate and transparent. It outlines several key areas of concern and provides practical recommendations for businesses to improve their privacy controls.

Regulating Online Tracking

Different U.S. states and countries have varying regulations for online tracking. Depending on the jurisdiction, websites may need to disclose tracking activities, allow consumers to opt-out, or obtain consent before tracking. Although New York does not have a comprehensive privacy law, businesses must adhere to New York's consumer protection laws, ensuring their privacy practices are truthful and not misleading.

Key Issues Identified

  • Uncategorized Tags: Many websites fail to categorize tracking tags correctly, leading to broken privacy controls. Seven of the thirteen websites investigated had at least one uncategorized tag.

  • Misconfigured Tools: Consent-management and tag-management tools must be properly configured to work together. Misconfigurations can result in privacy controls not functioning as intended.

  • Hardcoded Tags: Tags that are hardcoded into websites bypass consent-management tools, undermining user privacy choices.

  • Incomplete Understanding of Tag Data Collection: Businesses often lack complete information about the data collected by tags and how it is used, leading to improper data handling.

  • Cookieless Tracking: Businesses must ensure that privacy controls are effective across all tracking technologies, not just cookies.
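
A minimal audit for two of the issues above, hardcoded and uncategorized tags, added here as an illustration and not taken from the Attorney General's guide. The `data-consent-category` attribute, the category names, the `type="text/plain"` gating convention and all hosts are assumptions for the sketch; only external `<script>` tags are checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed convention (hypothetical, not from the guide): a consent-gated tag is
# written as <script type="text/plain" data-consent-category="..."> and is only
# activated by the consent-management tool after the visitor opts in.
KNOWN_CATEGORIES = {"necessary", "analytics", "advertising"}

# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://analytics.example/collect.js"></script>
<script type="text/plain" data-consent-category="analytics"
        src="https://metrics.example/m.js"></script>
<script type="text/plain" src="//ads.example/pixel.js"></script>
"""


class TagAudit(HTMLParser):
    """Collects third-party <script> tags that escape the consent tool."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []  # list of (issue, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        host = urlparse(src).hostname if src else None
        if host is None or host == self.first_party_host:
            return  # inline, relative or first-party script: out of scope here
        gated = (attr.get("type") or "").lower() == "text/plain"
        if not gated:
            # The browser runs this tag whatever the visitor chose.
            self.findings.append(("hardcoded", src))
        elif attr.get("data-consent-category") not in KNOWN_CATEGORIES:
            # Gated, but the consent tool has no category to release it under.
            self.findings.append(("uncategorized", src))


def audit(html, first_party_host):
    parser = TagAudit(first_party_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for issue, src in audit(SAMPLE_HTML, "shop.example"):
        print(f"{issue:14} {src}")
```

Running a check like this against rendered pages as part of the "ongoing reviews" step catches tags added outside the tag manager after the consent tool was configured.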

Recommendations

  1. Accurate Privacy Representations: Ensure that all statements about privacy controls are truthful and not misleading.

  2. Clear and Accessible Interface: Design privacy controls that are intuitive and easy to use, avoiding ambiguous or misleading language.

  3. Equal Weight to Options: Provide equivalent options for accepting and declining tracking, making it equally easy for users to choose either.

  4. Ongoing Reviews: Regularly review and test privacy controls to ensure they function correctly and align with user expectations.

Read it here.

 

⚖️ FTC Sues TikTok for Violating US Children's Privacy Law (COPPA)

On 2 August 2024, the Federal Trade Commission (FTC) filed a lawsuit against TikTok and its parent company ByteDance in the U.S. District Court for the Central District of California. This legal action stems from allegations that TikTok violated the Children's Online Privacy Protection Act (COPPA) and an existing 2019 FTC consent order. The lawsuit contends that TikTok knowingly collected and used personal data from millions of children under 13 without obtaining the required parental consent, posing significant risks to children's privacy and safety.

Key Allegations

The complaint outlines several critical allegations: 

  • Bypassing COPPA Requirements: TikTok is accused of enabling children to bypass age verification and create accounts without parental consent by using third-party credentials from services like Google and Instagram. These "age unknown" accounts, which grew to millions, allowed TikTok to continue collecting data from children under 13. 

  • Failure to Notify Parents: TikTok allegedly failed to inform parents about the personal data it collected from children, including extensive app activity data and persistent identifiers. This data was reportedly used to build profiles on children and shared with third parties like Facebook to "retarget" users. 

  • Inadequate Account Deletion Processes: The complaint asserts that TikTok made it difficult for parents to delete their children’s accounts. Even when parents successfully navigated the complex process, TikTok often did not comply with deletion requests, maintaining and using children's data unlawfully. 

  • Internal Concerns Ignored: Despite internal warnings from employees, including concerns about potential COPPA violations, TikTok allegedly continued its practices. One compliance officer noted that TikTok could face legal repercussions, yet the company did not take adequate action to rectify the issues. 

  • Violations of 2019 FTC Order: The lawsuit also claims that TikTok violated the terms of a 2019 consent order, which had been established to resolve previous COPPA violations related to TikTok’s predecessor, Musical.ly.

Legal Actions and Consequences

The FTC seeks: 

  • Permanent Injunction: To prevent further COPPA violations by TikTok and ByteDance.

  • Civil Penalties: Financial penalties for each violation of COPPA, which could reach up to $51,744 per violation, per day. 

  • Enforcement of COPPA Compliance: The lawsuit aims to ensure that TikTok adheres to federal regulations, safeguarding children's privacy on digital platforms.

The press release and the complaint are available here.

 

📊 Noyb Publishes 2023 Annual Report

On 29 July 2024, NOYB (None of Your Business) published its 2023 Annual Report, detailing a year of significant actions and victories in the realm of data privacy. NOYB filed over 40 new complaints and secured critical wins that underscore its role as a leading GDPR enforcement body. 

Major Enforcement Actions

  • Meta's "Pay or Okay" Model: NOYB launched two complaints against Meta’s controversial practice of charging users to avoid personalized tracking, which was challenged for violating the GDPR's requirement for freely given consent. 

  • Unlawful Credit Scoring: NOYB stepped up actions against credit agencies like KSV1870 and CRIF for illegal data collection practices. Austrian authorities ruled these practices illegal, leading to orders for mass data deletions and further lawsuits. 

  • Fines Against Major Corporations: NOYB’s efforts contributed to substantial fines, including a €1.5 billion penalty against Meta for illegal data transfers to the U.S., a €40 million fine against advertising company CRITEO, and a €5 million fine against Spotify for non-compliance with data access rights.

The report also mentions that NOYB plans to leverage the EU's new Directive on Collective Redress to address large-scale GDPR violations, something I for one am really looking forward to.



That’s it for this edition. Thanks for reading, and subscribe to get the full text in a single email in your inbox!

