Privacy Navigator: Weekly Insights on Privacy, AI, and Compliance

Podcast by Elislav Atanasov

English

News & Politics

More Privacy Navigator: Weekly Insights on Privacy, AI, and Compliance

Stay ahead in the fast-paced world of privacy and artificial intelligence with The Privacy Navigator Podcast. Each episode delivers the latest news, regulations, case law, and guidelines, ensuring you're always informed about the evolving privacy landscape. Designed for busy privacy professionals, our deep dives cut through the noise to bring you the essential trends and issues shaping the industry today. Whether you're managing ROPAs, DSARs, vendors, or policies, we've got you covered with expert insights and practical advice. Brought to you by Conformally (https://conformally.com/ ), the a

All episodes

9 episodes

2025-W22 Replika with EUR 5M Fine, Meta Wins Big, EU Commission Indecisive

Garante Slams Replika with a EUR 5M Fine

The Italian Data Protection Authority (Garante) has imposed significant corrective measures, including a EUR 5M fine and a potential ban on processing Italian users' data, against Luka Inc., the company behind the AI chatbot Replika. According to the decision, the Garante found multiple GDPR breaches:

  • Lack of Legal Basis: Particularly for processing sensitive data inferred from user conversations, including emotional and health-related information (violating Articles 6 and 9).
  • Transparency Failures: Insufficient information provided to users about how their data, especially chat content, would be used for training AI models (Article 13).
  • Risks to Minors: Inadequate age verification systems, leading to the unlawful processing of children's data (Article 8).
  • No DPIA: Failure to conduct a Data Protection Impact Assessment for what is clearly high-risk processing activity (Article 35).
  • Data Protection by Design/Default Deficiencies: Principles of Article 25 not adequately implemented.

The "black box" nature of some AI models won't fly if the fundamentals of GDPR – legal basis, transparency, risk assessment, and data protection by design – are not robustly addressed from the outset. For AI companions and similar services, inferred data is increasingly seen as sensitive, requiring explicit consent.

Meta Pushes Ahead with EU User Data for AI Training

This is the first time we report privacy news in favour of Meta. It’s odd. It seems that legitimate interest could be the way to go, after all, for AI training.

First, the Cologne Higher Regional Court in Germany made a significant ruling concerning Meta's use of publicly available user data for training its artificial intelligence systems. The court found that Meta's actions were lawful under Article 6(1)(f) of the General Data Protection Regulation (GDPR). The court recognized Meta's interest in training its AI as a legitimate aim. A key point in the ruling was the acknowledgement that training effective AI models requires vast quantities of data.

Additionally, Meta has signaled its intention to train its AI with user data to the Irish DPC, which is the leading DPA. Again, Meta is expected to rely on "legitimate interests" (Article 6(1)(f) GDPR) as the legal basis for this processing. The Irish DPC issued a statement confirming it is engaging with Meta on these plans.

Using opt-out for AI training data raises many questions. Once data is ingested and used to train a foundational model, can it truly be "unlearned" or its influence fully erased if a user objects later?

How to opt out?

If you haven't already, here is how to opt out from Meta using your personal data for AI training. Here’s the direct link to submit your request to Meta. If for some reason the link doesn't work, make sure to go to Privacy > Privacy Center > Privacy Topics > Submit an objection request. You will have to do the same for each social media platform you use... Yes, it's infuriating. It's called malicious compliance.

EU Commission Suggests EU AI Act Pause and GDPR Simplification

While the EU AI Act is formally adopted and its phased entry into force continues, the path to full practical implementation is hitting some turbulence. Recent reports indicate that the development of harmonized technical standards, which are vital for companies to demonstrate compliance for high-risk AI systems, is taking longer than initially anticipated, with some now expected in 2026. Similarly, the Code of Practice for General-Purpose AI (GPAI) models has faced pushback and delays in finalization.

Separately, but related to the AI ecosystem, on May 21, 2025, the European Commission announced a series of simplification measures aimed at reducing administrative burdens and cutting red tape for EU businesses, particularly Small and Medium-sized Enterprises (SMEs).

29 May 2025 - 24 min
2025-W21 noyb vs Meta, Google with 1.3 Billion Settlement and Deepfakes law

AI Training & Privacy: noyb vs Meta

Privacy advocacy group noyb (none of your business) has issued a "cease and desist" letter to Meta's Irish headquarters, threatening a class action lawsuit if the tech giant proceeds with its plan to train its AI models using EU user data without explicit opt-in consent. Meta's intention, set for May 27, 2025, is to use public data shared by adults across Facebook and Instagram for AI training, relying on an alleged "legitimate interest" under GDPR.

Noyb argues that this "opt-out" approach is a clear violation of GDPR, which generally requires explicit consent for such extensive data processing, especially for AI training. They highlight that even if a small percentage of users opt-in, it would still provide Meta with vast amounts of data to learn EU languages and cultural references. Max Schrems, noyb's founder, stated that Meta's claim of "legitimate interest" is "neither legal nor necessary" and "laughable." This isn't the first time Meta has faced scrutiny over its reliance on "legitimate interest," as they were previously forced to shift to a consent-based approach for targeted advertising in the EU in 2023. Noyb also raises concerns about Meta's ability to technically differentiate between users who opt-out and those who don't, and the lack of clarity or approval from national data protection authorities.

Texas vs. Google: A $1.375 Billion Privacy Win

Texas Attorney General Ken Paxton announced a landmark $1.375 billion settlement with Google, resolving lawsuits alleging that Google illegally tracked and collected Texans' personal data without their consent. This record-breaking settlement is the largest ever secured by a state attorney general against Google for data privacy violations. The lawsuit, filed in 2022, accused Google of secretly tracking users' movements, private searches, and even voiceprints and facial geometry through its products and services. Paxton emphasized that "Big Tech is not above the law" and that the settlement sends a clear message that companies will be held accountable for abusing public trust. Google stated that the agreement settles various "old claims" related to product policies they have already changed and does not require any additional product changes.

While a $1.375 billion settlement sounds substantial, it's crucial to look beyond the headline. Google, as is common in such settlements, admitted no wrongdoing. This allows them to avoid setting a legal precedent that could have wider implications. The fact that Google claims it doesn't need to make "any additional product changes" is also telling. This suggests that the financial penalty, while large, might be more of a cost of doing business rather than a catalyst for fundamental shifts in data collection practices.

The "Take It Down Act" Signed into Law: A New Era for Deepfake Regulation

President Trump recently signed the "Take It Down Act" (officially, the "Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act") into law. Championed by Melania Trump, this bipartisan bill addresses the non-consensual online publication of intimate visual depictions, explicitly covering AI deepfakes. Key provisions include:

  • Prohibition & Penalties: Criminalizes the non-consensual online publication of intimate visual depictions (both authentic and computer-generated, termed "digital forgeries") with mandatory restitution and criminal penalties (prison, fine, or both). Threats to publish such depictions are also prohibited.
  • Platform Responsibilities: Requires "covered platforms" (public websites, online services, or applications primarily providing a forum for user-generated content) to establish a process for individuals to report and request removal of such content. Platforms must remove the content within 48 hours of notification.

Learn more at https://conformally.com/privacy-navigator

22 May 2025 - 10 min
2025-W06 UK ICO’S Pay or OK Framework – A Tight Balance or A Bad Compromise

The Consent or Pay model is now a reality in the UK, and the ICO has set out a framework for how businesses can implement it while remaining GDPR-compliant. At first glance, the approach seems balanced: users get a choice, companies get flexibility, and privacy remains protected—at least in theory. But here’s the real question: Is privacy something that can be bought and sold like any other commodity? If so, shouldn’t the market set the price? And if not, doesn’t that make the very concept of “paying for privacy” fundamentally flawed? The ICO tries to walk a tightrope between these two positions, but does it succeed? Or are we left with a framework that tries to regulate an uncomfortable reality without fully confronting its implications?

22 May 2025 - 20 min
2025-W05 DeepSeek: A Quantum Leap in AI, A Dead End in GDPR Compliance

When news first broke that a small Chinese AI startup called DeepSeek managed to build a reasoning model better than OpenAI’s top-tier o1 model—and for around $6 million investment—everyone’s jaws dropped. How could such an underdog possibly outperform a tech giant that’s burned billions in research and development? Not to mention it’s free. As you can imagine, it went viral in a matter of days. But as we all know, there’s a dark side to these too-good-to-be-true stories. DeepSeek’s sudden stardom raised red flags among privacy regulators across Europe—especially once it became clear that this new AI powerhouse was more than happy to store and process your data on Chinese soil, in a manner that screams “GDPR… what’s that?” Let’s dive into this fiasco and see what lessons we, as privacy pros, can learn from DeepSeek’s swift rise and potential meltdown.

Find all resources from this episode at: https://conformally.com/privacy-navigator
Learn more about Conformally at https://conformally.com

22 May 2025 - 10 min