The murky future for data transfers and the to-do list for AI

Written by Aušra Mažutavičienė on June 6, 2023

Meta

The hottest privacy topic at the moment is still Meta and international data transfers.

Meta received a long-awaited decision with a record fine of 1.2 billion euros. The fine, which is the highest to date under the GDPR, was accompanied by an order requiring Meta to stop data transfers to the U.S. and to bring its processing operations into compliance.

As expected, Meta will appeal the decision. And perhaps rightfully so, as some say that Meta has been punished for the uncertainty of the international transfer regulation and had no chance to comply.

Though Meta has long been in the spotlight, this decision will have implications for other businesses as well. The authorities are essentially saying that unless the U.S. surveillance laws are changed or a new transfer framework is introduced, there is currently no way to transfer personal data to the U.S. in compliance with the GDPR.

The level of uncertainty in the international transfer field is very high at the moment and the legal landscape for data transfers between the EU and the U.S. has become highly political. 

All eyes are on the authorities to finalise the new framework. Until then, take a close look before engaging U.S. tech companies.

To assist you, we have updated our vendor questionnaire to request more specific information about international transfers (such as the applicability of U.S. surveillance laws, supplementary measures, etc.).

We will of course continue monitoring the developments and keep you informed.

ChatGPT & AI 

As you might know, using AI, e.g. ChatGPT, brings privacy responsibilities and a lot of work. But what exactly do you need to do, and what should you focus on?

You need to:

- Have a DPA in place, because your company is the controller.

- Vet the AI provider, because they are your data processor.

- Prepare for international transfers: you will likely transfer data to the U.S., so you need SCCs, a TIA, additional security measures and more (not easy after the Meta decision).

- Get security documents from the AI provider, because you might incorporate it into your product / platform / services / support, and this is required pursuant to the GDPR.

- Do a DPIA.

- If your company starts incorporating the AI into your product / platform / services, update your own DPA (sub-processor list) and/or your privacy policy.

- Make sure that you have the right to use the data and that data deletion and retention are outlined.

- Train your organisation on how to use the AI, so they know what they can and cannot do, e.g. do not upload personal data.

- And remember that data accuracy can be a problem.

These are just a few tips of what you should do when your company starts working with AI from a privacy standpoint.