Back to News Feed

Weekly Privacy News - Week #6

Published on 2023-2-7

Italian Regulator Bans Replika Chatbot Due to Concerns Over Children’s Data

The Italian data protection authority (DPA) has banned AI chatbot Replika, ordering its developers to immediately stop processing the personal data of people in Italy. The DPA claims that the app collected children’s data illegally and made no attempt to verify users’ ages.

The regulator found that Replika, which is marketed as an “AI companion” and “empathic friend”, also posed risks to emotionally vulnerable people. Luka Inc., Replika’s US-based developer, has 20 days to bring the app into compliance.


GDPR Enforcement Could Ramp Up as Commission Announces Review Process

The European Commission has committed to reviewing all “large-scale cross-border investigations under the GDPR” every two months following a complaint from the Irish Council for Civil Liberties (ICCL).

Johnny Ryans, ICCL Senior Fellow, said the process should “transform Europe’s data and digital enforcement” and that it “heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech.”


US Telehealth Provider Sanctioned for Sharing Data with Facebook and Google

The US Federal Trade Commission (FTC) issued a $1.5 million (€1.4 million) civil penalty against drug discount company GoodRx on Wednesday as part of the first ever enforcement under the Health Breach Notification Rule.

The FTC found that GoodRx shared data about its customers’ health with advertisers such as Google, Facebook, and Criteo, plus analytics firm Branch and communications company Twilio. In addition to the fine, GoodRX has been banned from sharing health data for advertising purposes.


UK Regulator Writes to Scottish Council Over Schools’ Facial Recognition Project

Nine Scottish schools that used facial recognition to manage lunch queues are “likely to have infringed data protection law”, according to a letter published on Wednesday by the UK DPA, the Information Commissioner’s Office (ICO).

North Ayrshire Council used third-party technology to process biometric data about pupils aged 11-18. According to the ICO, the scheme appeared to lack a legal basis and the council may have failed to provide parents and children with proper information. However, the regulator stopped short of issuing a sanction.


Israel’s EU Adequacy Decision Threatened by Judicial Reforms, Says Norwegian Regulator

Israel could lose its EU “adequacy” status if controversial justice reforms go ahead, a representative of Norway’s DPA has suggested. Tobias Judin, who leads the regulator’s international section, said Israel risked being placed “in the same category as China”.

Israel’s planned reforms would enable the legislature to overrule the country’s Supreme Court via a simple majority, which could put Israel below the standards for adequacy set out in Chapter V of the GDPR.


Enforcement Tracker

In addition to the decisions covered in some of the stories above, the following GDPR sanctions were announced by data protection authorities this week.


  • A dental clinic received two €1000 fines for:
    • Failing to provide proper notification of a data breach under Article 33 GDPR.
    • Processing special category data without a suitable legal basis under Articles 6 and 9 GDPR.
  • A design company received a €1000 fine for failing to comply with an individual’s request under Article 21 GDPR (the right to object).


  • Several unnamed controllers (private individuals) received fines of €180, €600, and €600 for using CCTV without providing proper information under Articles 13 and 14 GDPR.
  • A company called Miracle Ibiza received a €500 fine for installing CCTV that overlooked a neighbour’s property in violation of Article 5(1)(c) GDPR.
  • Getafe City Council received a warning for publishing confidential personal data in violation of Articles 5(1)(f), 32, and 33 GDPR.