Blog

The European Data Protection Board’s (EDPB) Nov. 5 stakeholder consultation on AI models and data protection—organized to gather input for an upcoming Irish Data Protection Commission opinion under Article 64(2) of the General Data Protection Regulation (GDPR)—showcased significant lingering disagreement on how the GDPR should apply to AI.

[First published on Truth on the Market on 12 August 2024] Google recently announced that it has changed its plans to phase out third-party cookies in the Chrome web browser. The company had previously planned to disable third-party cookies in Chrome, a change supported by many in the privacy-stakeholder community, but which was met with criticism from the adtech industry and competition lawyers.

Despite the official publication of the EU Artificial Intelligence Act, debates on the legal status of AI in Europe continue. Two significant potential legal obstacles for AI development and use remain inadequately addressed: intellectual property and privacy laws.

The “pay or OK” debate in the EU continues, and it is still unclear what its outcome will be, for Meta and everyone else. Today, the European Commission announced their preliminary finding that Meta’s approach is not compliant with the law.

I joined Eric Seufert on his Mobile Dev Memo podcast (link) once again, this time to discuss the EU EDPB opinion on “pay or OK” and “large online platforms,” which I speculated about in my “EU authorities on “pay or consent”: mid-April 2024 update.

Update 2: The EDPB opinion is now available in full. Update: According to Politico and MLex, the EDPB adopted the opinion I speculated about below. The headlines that this constitutes a prohibition on Meta’s paid subcriptions are misleading.

It’s been an eventful two weeks for those following the story of the European Union’s implementation of the Digital Markets Act. On April 18, the European Commission began a series of workshops with the companies designated as “gatekeepers” under the DMA: Apple, Meta, Alphabet, Amazon, ByteDance, and Microsoft.

On 14 July, the Norwegian Data Protection Authority (DPA) imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by other national authorities than the authority of the country where the business is registered (here: Ireland).

By Mikołaj Barczentewicz (0xMikolaj) Thanks to Barnabé Monnot, Caspar Schwarz-Shilling (EF RIG), and Quintus Kilbourn (Flashbots) for their comments and discussion. This work is supported by a grant from the Ethereum Foundation (more information about the larger research project).

Previously published by Lawfare on 6 July 2023. Among the regulatory tools created by the European Union’s Digital Markets Act (DMA)—landmark competition legislation that took effect across the EU last November—is a mandate that the largest digital-messaging services must be made interoperable.