EU/UK Privacy & Cybersecurity News Roundup – Week of February 27, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

  1. Case Law Updates
    1. In October 2020, the ICO issued an Enforcement Notice to Experian Limited. On 20 February this year, the First-Tier Tribunal (Information Rights) announced its ruling on this action. Whilst the Tribunal supported the ICO in finding that Experian had processed 5 million individuals’ personal data in a way that was not transparent, fair and lawful, it rejected certain of the ICO’s assertions and held that Experian’s privacy notice was transparent, that using credit reference data for direct marketing purposes was not unfair and that Experian had properly assessed its lawful basis.
  2. Legislation
    1. The Act on the Protection of Whistleblowers, implementing the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937), entered into force in Slovenia (available here in Slovenian only).
    2. The European Parliament announced that it will debate a draft motion for a resolution on the European Commission’s draft adequacy decision in relation to the EU-US Data Privacy Framework, on 1 March 2023.
  3. Guidance & Draft Guidance
    1. On 20 February, Datatilsynet announced publication of its general guidelines on use of cookie walls. The guidance is only available in Danish, but can be found here.
    2. On 21 February, the Garante issued Opinion No. 24 on the draft decree of the Ministry of Health, regulating access to cross-border medical prescriptions. The opinion (only in Italian) can be found here.
    3. In France, the CNIL published a press release (only available in French) addressing uses and privacy considerations for the proposed optional electronic health insurance card. This is set to be proposed to all health insurance providers prior to the end of 2025 in a progressive roll-out.
    4. In Spain, the AEPD published a blog post in relation to anonymisation and the risk of re-identification, and compiled a list of related resources on these. The blog post can be accessed here.
    5. The European Data Protection Board announced, on 24 February, that it had adopted three sets of guidelines on transfers and social media interfaces. The guidelines have been updated following public consultation and include further explanations to address comments and feedback.
  4. Data Protection Authority Updates and Privacy News
  1. On 20 February, the European Data Protection Board (‘EDPB’) released a thematic document, ‘One-Stop-Shop case digest on right to object and right to erasure’, which considers a selection of final One-Stop-Shop decisions between August and November 2022, and decisions relating to Articles 17 (right to erasure) and 21 (right to object) of the EU GDPR. The document showcases supervisory authority cooperation to enforce the EU GDPR, and is based on information gathered through inspection activities.
  2. On 22 February, the EDPB announced publication of its 2023-2024 work programme. The EDPB highlighted that it will continue prioritisation of effective enforcement and European data protection authority cooperation, in addition to continued harmonisation and facilitation of compliance.
  3. On 20 February, Datatilsynet announced its decision in relation to Gul og Gratis’ use of cookie walls. It found the usage to be predominantly lawful, but ordered Gul og Gratis to demonstrate that its processing of personal data for statistical purposes, in reliance on Article 6(1)(a) EU GDPR, was lawful and in line with the requirement for voluntary consent (under Article 4(11) EU GDPR). The decision can be read here (in Danish only).
  4. Also on 20 February, Datatilsynet announced its decision (only in Danish) in relation to Jysk Fynske Medier, in which it found the company’s use of cookie walls to be in violation of Article 6(1)(a) EU GDPR. It also ordered Jysk Fynske Medier to demonstrate that its personal data processing was for statistical purposes under Article 6(1)(a) EU GDPR.
  5. On 21 February, the AP (the Dutch data protection authority) published a request (only available in Dutch) to the Ministry of Justice and Security to halt passenger name record processing. This was in line with the CJEU’s decision, in Case C-817/19 Ligue des droits humains ASBL v Conseil des ministres, which concerned Directive (EU) 2016/681 on the Use of Passenger Name Record (PNR) Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime (‘PNR Directive’). The AP highlighted that the processing of PNR data requires collection and automatic processing of large amounts of data; the individuals whose data is concerned do not belong to the group for which the database is actually intended. The AP requested that all necessary measures be taken to ensure that the PNR Directive national implementation can be brought into line.
  6. On 21 February, the Garante fined Edison Energia S.p.A. €4.9 million for unlawful marketing practices, for violation of articles 5(1)(a), 5(2), 6, 7, 12(1), 12(2), 12(3), 21(2), 24(1), 24(2), and 25(1) EU GDPR.
  7. On 22 February, the ICO published key questions for accountants to ask SMEs, to ensure that they achieve data protection compliance. The press release can be found here.
  8. The AP published a statement, on 22 February, regarding the use of cameras in cars by Tesla Inc. The press release is only available in Dutch, and can be accessed here.
  9. In Spain, the Spanish data protection authority and the General Council of Psychology signed a general protocol, with the aim of cooperating to aid mental health online and to carry out training activities to promote privacy and personal data protection. The press release (in Spanish) is available here.
  10. In Germany, the Federal Commissioner for Data Protection and Freedom of Information announced that it had issued a warning to the Federal Press Office of the Federal Government, prohibiting (in German only) that Office from processing personal data on its Facebook fan page in violation of Articles 5(1)(, 5(2) and 6(1) of EU GDPR.