The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO’s favourite weekly read ☕️

Hello and welcome to this edition of the DPOInsider.

A special hello to those who have subscribed since last week’s edition. Thanks for joining. You can see all of our previous editions here.

As always, it really helps me out to share our updates with colleagues or acquaintances in the space.

For now, let’s look at what’s been going on this week:

ICO publishes a risk toolkit for AI-specific risks

The ICO (information commissioner’s office) has launched a toolkit to help businesses understand the specific risks that AI can bring.

The toolkit is designed to operate alongside data protection impact assessments where AI is likely to increase the risk to individuals.

The ICO clearly has received a lot of requests regarding the practical steps to mitigate, reduce or manage these risks. This toolkit is its first version to help businesses tackle the implications of AI modelling and training.

As artificial intelligence evolves, it magnifies the ability to use personal information in ways that can intrude on privacy interests by raising the analysis of personal information to new levels of power and speed.

Therefore the toolkit is an excellent first step to giving organizations confidence that they are in control of these potential intrusions. But with the growth of data involved in AI, businesses might require a more automated system or process to ensure compliance.

The ICO claims that it will expand the toolkit’s scope in later versions. So I’ll keep you posted.

Your weekly fine/legal update

This news of fines and the lark is becoming a regular update. But this week, the UK seems to be at the forefront of compliance wrist-slapping.

The ICO has fined Clearview £7.5m for collecting publically available social media images without the user’s knowledge.

The images fuel an AI-based identity matching service, which they sell to law enforcement.

This tech was donated to Ukraine and was used to turn Russians against the war in Ukraine.

In other UK compliance news, Google is being sued for using the NHS data of 1.5 million Britons 'without their knowledge or consent'. The data was used by DeepMind’s AI to build a smartphone app that could detect kidney injuries.

If only that ICO AI risk toolkit was available earlier…

Cookie walls are getting better guidance in France

A news flash coming from France is that you can’t leverage access to your site’s content to force users to accept cookies.

That’s what cookie walls do - requiring users to accept cookies or other tracking devices to access website content.

But under the GDPR, consent is only valid if it is freely given.

That’s hardly surprising news, but the CNIL has published guidance on assessing the legality of cookie walls.

For those of us who can’t read French (Qu’est-ce qu’un cookie wall, right?), this excellent piece walks you through the criteria.

Interesting links

• This article claims that data privacy has the power to move financial markets.

• You might have missed this, seeing as a Google search first returns the Professional Darts Players Association and the People's Democratic Party of Afghanistan. Still, the PDPA (that’s Thailand’s Personal Data Protection Act) is now live. Read about it here.