The past week in data protection

It's time for another bite sized round-up of the week’s data protection related news:

• The EU’s landmark AI Act will finally become law in the next few weeks after it cleared the final step with the Council of Ministers giving approval. As a reminder, most of its provisions will not come into force for a couple of years.
• It looks as if the UK’s Data Protection and Digital Information Bill is now history as the UK Parliament will not have time to complete the legislative process before it is dissolved for the General Election on 4 July. Whilst the Bill did include some potentially useful provisions, overall I think most businesses will be relieved that UK data protection laws remain very closely aligned with the EU.
• Advocacy group eu travel tech has lodged complaints with the French and Belgian DPAs against Ryanair, concerning the airline’s use of biometric data for customer verification. Customers without existing accounts are required to submit to biometric image scanning to manage bookings and check-in online. Interestingly, the the DPAs are asked to make use of the urgency procedure under Art 66 GDPR and order Ryanair to immediately suspend the practice pending the outcome of the investigation.
• The ICO has fined the Police Service of Northern Ireland £750,000 for inadvertently publishing online the names and roles of all 9,483 serving PSNI officers (via a hidden tab on a spreadsheet). This is a reminder that data protection risk is very context specific. Whilst names and job titles may be fairly benign data in some cases, when it comes to policing in Northern Ireland the publication brought “tangible fear of threat to life”.
• Following an investigation into Snap’s “My AI” chatbot, the ICO has warned industry that organisations developing or using generative AI based chatbots must rigorously assess data protection risk from the outset. The ICO has now concluded its investigation and is satisfied with the risk assessment completed by Snap.
• Finally, a further plug for the latest episode of Legitimately Interesting in which Hannah Crowther and I tackle the problematic concept of joint control: