The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
Facebook political ads ‘unlawful processing of voter’s personal data’
I can't help but be deeply concerned about the recent actions taken by the European privacy rights campaign group, noyb. They have filed six complaints against every major political party in Germany for allegedly processing voters' personal data unlawfully during the 2021 federal elections via Facebook's adtech platform. This development highlights a significant issue in data privacy and the way political parties target potential voters.
The General Data Protection Regulation (GDPR) categorizes information on political opinions as 'special category data,' which has a higher bar for processing. However, noyb claims that neither Facebook nor the political parties that paid the tech giant to run microtargeted ads obtained express consent from the users whose information was processed. The case brings into question the legality of using such data for political ads and campaigns, as it may result in large-scale manipulation of voters.
Apart from the legal implications of this situation, the broader issue with microtargeting political messaging at potential voters is that it undermines democratic accountability. The individually targeted messages aren't immediately visible to anyone other than the intended recipient, making it harder for the public to hold political parties accountable for their claims and promises. This kind of political ad targeting also lends itself to anti-democratic voter suppression efforts, which further damages our democratic systems.
In response to these issues, the European Commission has proposed some limits and improved transparency around political ads. However, noyb's actions serve as a reminder that existing EU law – the GDPR – is already being breached. What is needed is actual enforcement to stop the misuse of data, rather than mere adjustments to transparency requirements.
The use of personal data for political ad targeting has far-reaching consequences, not just for individual privacy but also for the democratic process. It's crucial that we work together to ensure that data protection regulations are respected and enforced, to protect both individual privacy and the integrity of our democratic systems.
OpenAI fix bug that may have breached GDPR
As some of you may be aware, OpenAI recently faced a significant issue in which ChatGPT conversation titles were inadvertently exposed to other users without consent. This troubling situation raises questions about the company's potential breach of GDPR legislation and serves as a reminder of the importance of data protection as AI becomes more prevalent in our daily workflows.
The problem was traced back to a third-party open-source library and has since been fixed. However, it raises the question of whether the exposure of titles in other users' accounts constitutes a breach of data protection laws. Legal experts suggest that any regulatory action would depend on the level of harm caused by the incident and the nature of the exposed information. OpenAI's CEO, Sam Altman, expressed his regret over the matter on Twitter, promising a "technical postmortem" to uncover the root cause of the glitch.

ChatGPT, having become one of the fastest-growing consumer apps in history, has ignited discussions surrounding the regulation and classification of AI technologies within GDPR and the upcoming EU AI Act. With companies like Microsoft and Google launching their own chatbots and integrating generative AI tools into their products, the need for robust regulation and data protection measures has never been greater.
Platforms like ChatGPT rely on user data to function, and users must be able to trust that their information is secure. This incident serves as a lesson for businesses that aspire to utilize AI and ML – data governance basics must be mastered before diving into more advanced technologies.
OpenAI's recent glitch is a sobering reminder of the challenges that lie ahead in our quest for a secure and privacy-oriented digital landscape.
Other data privacy news
UK takes another bite at post-Brexit data protection reform — with ‘new GDPR’
Turns out the UK government, under current prime minister Rishi Sunak, is not replacing the GDPR, as Michelle Donelan, his secretary of state for science, innovation and technology, implied last October — when as a fresh-in-post digital secretary under a different PM, she paused the flagship data protection reform, saying the government wanted to rethink its approach and inviting businesses to “co-design” the legislation with her.
Replika, a ‘virtual friendship’ AI chatbot, receives GDPR ban and threatened fine from Italian regulator over child safety concerns
The Italian Regulator (Garante) has recently issued an order banning the Replika app from processing Italian users’ data following an investigation. Luka Inc (the developer of Replika) is an artificial intelligence (“AI”) company based in the US which operates a ‘virtual friendship’ service based on customisable digital avatars whose responses are personalised and powered by AI to make its “human users feel better”.
Report: public disclosure of ESG compliance does not harm competitiveness
A report by two Swiss-based research organisations assesses ESG policies and practices of a sample of companies in the resources extraction sector.