The EDPS has issued five Opinions on the European Commission’s Recommendations to open negotiations for International Agreements on the exchange of personal data between Europol, the EU Agency for Law Enforcement, and the competent authorities of five Latin American countries: Ecuador, Brazil, Peru, Bolivia, and Mexico to fight serious crime and terrorism.

The EDPS Opinions aim to provide advice on further developing data protection safeguards in these future International Agreements so that individuals’ personal data is protected according to EU standards.

...

Judgment of the Court (First Chamber) in Case C-487/21 | Österreichische Datenschutzbehörde and CRIF - 4 May 2023

On those grounds, the Court (First Chamber) hereby rules:

1. The first sentence of Article 15(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),

must be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by that regulation, bearing in mind that account must be taken, in that regard, of the rights and freedoms of others.

2. The third sentence of Article 15(3) of Regulation 2016/679

must be interpreted as meaning that the concept of ‘information’ to which it refers relates exclusively to the personal data of which the controller must provide a copy pursuant to the first sentence of that paragraph.

Sentenza della Corte (Prima Sezione) nella causa C-487/21 | Österreichische Datenschutzbehörde e CRIF - 4 maggio 2023

Per questi motivi, la Corte (Prima Sezione) dichiara:

1) L’articolo 15, paragrafo 3, prima frase, del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonché alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati),

deve essere interpretato nel senso che:

il diritto di ottenere dal titolare del trattamento una copia dei dati personali oggetto di trattamento implica che sia consegnata all’interessato una riproduzione fedele e intelligibile dell’insieme di tali dati. Detto diritto presuppone quello di ottenere copia di estratti di documenti o addirittura di documenti interi o, ancora, di estratti di banche dati contenenti, tra l’altro, tali dati, se la fornitura di una siffatta copia è indispensabile per consentire all’interessato di esercitare effettivamente i diritti conferitigli da tale regolamento, fermo restando che occorre tener conto, al riguardo, dei diritti e delle libertà altrui.

2) L’articolo 15, paragrafo 3, terza frase, del regolamento 2016/679

deve essere interpretato nel senso che:

la nozione di «informazioni» ivi menzionata si riferisce esclusivamente ai dati personali di cui il titolare del trattamento deve fornire una copia in applicazione della prima frase di tale paragrafo.

Judgment of the Court (Third Chamber) in Case C-300/21 | Österreichische Post (Non-material damage resulting from unlawful processing of data) - 4 May 2023

On those grounds, the Court (Third Chamber) hereby rules:

1. Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

2. Article 82(1) of Regulation 2016/679

must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.

3. Article 82 of Regulation 2016/679

must be interpreted as meaning that for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.

Sentenza della Corte (Terza Sezione) nella causa C-300/21 | Österreichische Post (Danno immateriale inerente al trattamento di dati personali) - 4 maggio 2023

Per questi motivi, la Corte (Terza Sezione) dichiara:

1) L’articolo 82, paragrafo 1, del regolamento (UE) 2016/679 del Parlamento europeo e del Consiglio, del 27 aprile 2016, relativo alla protezione delle persone fisiche con riguardo al trattamento dei dati personali, nonché alla libera circolazione di tali dati e che abroga la direttiva 95/46/CE (regolamento generale sulla protezione dei dati),

deve essere interpretato nel senso che:

la mera violazione delle disposizioni di tale regolamento non è sufficiente per conferire un diritto al risarcimento.

2) L’articolo 82, paragrafo 1, del regolamento 2016/679

deve essere interpretato nel senso che:

esso osta a una norma o una prassi nazionale che subordina il risarcimento di un danno immateriale, ai sensi di tale disposizione, alla condizione che il danno subito dall’interessato abbia raggiunto un certo grado di gravità.

3) L’articolo 82 del regolamento 2016/679

deve essere interpretato nel senso che:

ai fini della determinazione dell’importo del risarcimento dovuto in base al diritto al risarcimento sancito da tale articolo, i giudici nazionali devono applicare le norme interne di ciascuno Stato membro relative all’entità del risarcimento pecuniario, purché siano rispettati i principi di equivalenza e di effettività del diritto dell’Unione.

The capacity for public authorities and external auditors to access the source code of Artificial Intelligence in an upcoming EU rulebook was restricted based on a digital trade agreement, according to internal documents from the European Commission.

The internal documents were obtained via a freedom of information request by Kristina Irion, a law professor at the University of Amsterdam, showing several requests from the Commission’s trade department to the digital policy department on the draft AI Act.

...

The EU Digital Markets Act (DMA) applies from today. Now that the DMA applies, potential gatekeepers that meet the quantitative thresholds established have until 3 July to notify their core platform services to the Commission.

...

TAKASAKI, April 30 (Reuters) - European Union tech regulation chief Margrethe Vestager said on Sunday the bloc will likely reach a political agreement this year that will pave the way for the world's first major artificial intelligence (AI) legislation.

This would follow a preliminary deal reached on Thursday on the EU's Artificial Intelligence Act.

In an interview with Reuters at a Group of Seven digital ministers' meeting in Takasaki, Japan, Vestager suggested legislative measures for the use of AI tools, such as "labelling obligations for AI-generated images".

...

STOCKHOLM, April 27 (Reuters) - Companies deploying generative AI tools, such as ChatGPT, will have to disclose any copyrighted material used to develop their systems, according to an early EU agreement that could pave the way for the world's first comprehensive laws governing the technology.

The European Commission began drafting the AI Act nearly two years ago to regulate emerging artificial intelligence technology, which underwent a boom in investment and popularity following the release of OpenAI's AI-powered chatbot ChatGPT.

...

SimpleX Chat

Abbiamo già scritto alcuni articoli sulle app di messaggistica istantanea che rispettano la privacy1.

In questo articolo presentiamo SimpleX Chat (già alla versione 5.0, ma seguiamo il progetto da tempo), che ha la particolarità - come si può leggere sul sito ufficiale - di essere il primo messenger senza ID utente. Va segnalato che anche Session non utilizza identificatori.

SimpleX Chat, fondato da Evgeny Poberezkin, è un progetto open-source sotto licenza AGPL-3.0, avviato nel 2020. Essendo un progetto open-source, è possibile accedere al suo repository GitHub per visualizzare e verificare il codice. Crediamo e sosteniamo l’open-source, considerandolo un valore considerevole. Pertanto, complimenti agli sviluppatori di Simplex Chat. Il progetto è ben curato e in continuo sviluppo, tanto che l’attuale SimpleX Chat v5.0 supporta video e file fino a 1GB.

...

SimpleX Chat

We already wrote some articles on instant messaging apps that respect privacy1.

In this article, we present SimpleX Chat (already to version 5.0, but we have been following the project since some time ago), which has the particularity - as you can read on the official website - to be the first messenger without user IDs. We should point out that Session also does not use identifiers.

SimpleX Chat, founded by Evgeny Poberezkin, is an open-source project under AGPL-3.0 license, started in 2020. Being an open-source project, you can access its GitHub repository to view and verify the code. We believe in and support open-source, considering it as a considerable value. Thus, kudos to Simplex Chat’s developers. The project is well attended and in continuous development, so much so that the current SimpleX Chat v5.0 supports videos and files up to 1GB.

...

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.

"The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password," Cyble researchers said in a technical report.

Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims.

...

Looking for something to do in May? Why not come to EU Open Day to find out more about what we do to shape a safer digital future! Look back on our key achievements of the year 2022; discover or read up on Central Bank Digital Currency; listen to our new podcast; and more in this edition of the EDPS Newsletter!

During the EDPB’s plenary of 26 April 2023, the EDPB members running to become the new EDPB Chair presented their candidacy to the Board.

In accordance with the GDPR, the Board elects one Chair and two Deputy Chairs amongst its members, by simple majority for a term of office of five years, which is renewable once. The Chair is the official representative of the Board.

The terms of office of Chair Andrea Jelinek and Deputy Chair Ventsislav Karadjov, will be ending on 25 May 2023. Candidates for both positions were given a chance to present themselves to the other members of the Board a month ahead of the election. The position of Deputy Chair Aleid Wolfsen is not open for re-election, as he was elected on 15 May 2019 and his term will therefore end on 15 May 2024.

The following Heads of national data protection authorities (DPAs) expressed their interest to become the next EDPB Chair:

• Ventsislav Karadjov (Bulgarian DPA)
• Anu Talus (Finnish DPA)
• Aleid Wolfsen (Dutch DPA)

The following Heads of DPAs expressed their interest to become Deputy Chair:

• Irene Loizidou Nikolaidou (Cypriot DPA)
• Jekaterina Macuka (Latvian DPA)
• Zdravko Vukić (Croatian DPA)

The elections will take place during the EDPB plenary meeting on 25 May 2023, through secret ballot.

For more information on the election procedure, please consult the EDPB Rules of Procedure.

The EDPB has launched a Data Protection Guide to help small business owners on their way to become more data protection compliant. The Guide aims to raise awareness about the GDPR and to provide practical information to SMEs about GDPR compliance in an accessible and easily understandable format.

Andrea Jelinek said, “In this guide, SMEs will find various tools and practical tips to help them comply with the GDPR. It includes concrete examples gathered during our 5 years of experience with the GDPR.”

The Guide covers various aspects of the GDPR, from data protection basics, to data subject rights, data breaches, and more. It contains videos, infographics, interactive flowcharts, and other practical materials to help SMEs put data protection into practice. In addition, the Guide contains an overview of handy materials developed for SMEs by the national Data Protection Authorities.

The Guide is currently available in English and will be made available in other EU languages over time.

The Guide is one of the EDPB’s awareness raising actions for 2023 and was included as a key initiative in the EDPB’s 2021-2023 Strategy.

EDPS contribution in the context of the European Commission's initiative to further specify procedural rules relating to the enforcement of the General Data Protection Regulation.

Today, the Commission adopted the first designation decisions under the Digital Services Act (DSA), designating 17 Very Large Online Platforms (VLOPs) and 2 Very Large Online Search Engines (VLOSEs) that reach at least 45 million monthly active users. These are:

Very Large Online Platforms:

Alibaba AliExpress Amazon Store Apple AppStore Booking.com Facebook Google Play Google Maps Google Shopping Instagram LinkedIn Pinterest Snapchat TikTok Twitter Wikipedia YouTube Zalando Very Large Online Search Engines:

Bing Google Search The platforms have been designated based on the user data that they had to publish by 17 February 2023.

...

A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket.

"[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.

The Apple device management company attributed it to a threat actor known as BlueNoroff, a subgroup within the infamous Lazarus cluster that's also tracked under the monikers APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444.

The connections stem from tactical and infrastructure overlaps with a prior campaign exposed by Russian cybersecurity company Kaspersky in late December 2022 likely aimed at Japanese financial entities using fake domains impersonating venture capital firms.

...

Abstract: This report provides an overview of the robotics industry in Europe, as well as a description of the definitions, typologies and main differences between industrial and service robots. The aim is to build up a stronger and updated knowledge of research questions, approaches and data that scholars and policy makers could use to study robotics around the world, and more specifically in Europe. It also identifies the necessary actions to merge heterogeneous data into a meaningful and consistent dataset to estimate the EU shares of robotics from the demand and supply perspectives, and for both industrial and service robots. Complementing these data with other sources to enhance the value and significance of the overall estimation exercise of the EU robotics market shares, provides a comprehensive overview of the production and adoption sides for both industrial and service robots. The three main objectives of the report are: to build a dataset including the market shares of robots in the EU; to describe the main trends that can be extracted from data; and, to sketch a conceptual framework to contextualise the results from the first two objectives.

...

Il gruppo di hacktivisti filorussi di NoName057(16) ha sferrato un nuovo attacco contro un nuovo obiettivo italiano attraverso un Distributed Denial of a Service (DDoS). Questa volta a farne le spese è il sito della ATM.

L’Azienda Trasporti Milanesi, di proprietà del Comune di Milano, gestisce il trasporto pubblico del capoluogo lombardo e in 51 Comuni della Provincia, al servizio di un territorio con una popolazione complessiva di oltre 2,4 milioni di cittadini.

NoName057(16) è un gruppo di hacker che si è dichiarato a marzo del 2022 a supporto della Federazione Russa dopo l’inizio della guerra tra Ucraina e Russia.

...

Parliament endorsed the first EU rules to trace crypto-asset transfers, prevent money laundering, as well as common rules on supervision and customer protection.

On Thursday, MEPs approved with 529 votes in favour to 29 against and 14 abstentions, the first piece of EU legislation for tracing transfers of crypto-assets like bitcoins and electronic money tokens. The text –which was provisionally agreed by Parliament and Council negotiators in June 2022- aims to ensure that crypto transfers, as is the case with any other financial operation, can always be traced and suspicious transactions blocked. The so-called “travel rule”, already used in traditional finance, will in future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to “travel” with the transaction and be stored on both sides of the transfer.

...

The European Parliament is set to propose stricter rules for foundation models like ChatGPT and distinguish them from general purpose AI, according to an advanced compromise text seen by EURACTIV.

The AI Act is a landmark EU legislation to regulate Artificial Intelligence based on its capacity to cause harm. As AI solutions designed to handle a wide variety of tasks were not covered in the original proposal, the meteoric rise of ChatGPT has brutally disrupted the debate, leading to delays.

Although the file is close to finalisation, on Wednesday (19 April), the political meeting meant to certify an agreement was turned into a technical discussion on this part of the file, leading to the postponement of the key committee vote originally scheduled for 26 April.

Meanwhile, a revised text circulated Thursday indicates that MEPs are close to finalising their approach to ChatGPT and similar applications.

...

Il gruppo di hacktivisti filorussi di NoName057(16) ha sferrato un nuovo attacco contro un nuovo obiettivo italiano attraverso un Distributed Denial of a Service (DDoS). Questa volta a farne le spese è il sito del Consiglio Superiore della Magistratura.

NoName057(16) è un gruppo di hacker che si è dichiarato a marzo del 2022 a supporto della Federazione Russa dopo l’inizio della guerra tra Ucraina e Russia.

...

THE STUNNING CAPABILITIES of ChatGPT, the chatbot from startup OpenAI, has triggered a surge of new interest and investment in artificial intelligence. But late last week, OpenAI’s CEO warned that the research strategy that birthed the bot is played out. It's unclear exactly where future advances will come from.

...

The light and dark sides of AI have been in the public spotlight for many years. Think facial recognition, algorithms making loan and sentencing recommendations, and medical image analysis. But the impressive—and sometimes scary—capabilities of ChatGPT, DALL-E 2 and other conversational and image-conjuring artificial intelligence programs feel like a turning point.

...