EU/UK Privacy & Cybersecurity News Roundup – Week of March 27, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and the European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

  1. Case Law Updates
    1. On 16 March 2023, the CJEU issued a press release concerning the Advocate General’s opinion in joined cases C-26/22 and C-64/22 SCHUFA Holding & Others. The AG took the view that, if a person decides to seek a remedy against the decisions of a supervisory authority, under the GDPR it is for the courts to carry out judicial review. The CJEU detailed that a legally binding decision is subject to a full judicial review, which guarantees an effective judicial remedy. They also noted that the storage of insolvency data by a private credit information agency cannot be lawful once the personal data concerning the insolvency has been erased from public registers. You can read the opinion here.
    2. On 16 March 2023, the Office of the Data Protection Ombudsman of Finland published its Decision in Case No. 2206/171/20, in which the Sanctions Board imposed corrective measures on Forenom Oy. The Ombudsman ordered Forenom to shorten the retention period of the personal data it processes, to the extent that the data does not need to be stored to comply with other statutory obligations. You can read the decision here, available in French.
    3. On 17 March 2023, None of your business announced that the Federal Administrative Court (‘BVwG’) in Case No. GZ: W274 2248601-1/14E upheld the decision of the Austrian data protection authority regarding access to traffic and location data under Article 15 of the GDPR. In particular, the decision highlights that the original complaint related to a request for information regarding the complainant’s traffic and/or location data. You can read the decision, only available in German, here.
    4. On 21 March 2023, the Spanish Data Protection Authority (‘AEPD’) imposed a fine of €70,000 on Caixabank Payments & Consumer, EFC, EP, SAU, for violation of Article 6(1) of the GDPR following a complaint from a customer of the company. The AEPD found that, despite the cancellation of the complainant’s contract, Caixabank continued to process the complainant’s personal data. You can read the decision, only available in Spanish, here.
  2. Legislation
    1. On 15 March 2023, in Italy, a new directive on whistleblowing was published in the Official Gazette following its final approval by the Council of Ministers on 9 March 2023. The decree will enter into force on 30 March 2023, and shall take effect on 15 July. You can read the legislative decree, available in Italian, here.
    2. On 17 March 2023, the German Bundestag issued a new draft Whistleblowing Protection Act and a draft law to supplement regulations on whistleblower protection. You can read the new draft of the Act here, and the draft supplementing law here.
    3. On 20 March 2023, the UK Department of Enterprise, Trade and Employment published the General Scheme of the Digital Services Bill. You can read the Digital Services Bill here.
    4. On 21 March 2023, the Hungarian National Assembly was considering the transposition of the EU Whistleblowing Directive 2019. The proposal provides that anyone with a complaint or public interest report can contact the authorised body to have the matter of the complaint or public interest report dealt with. You can read the proposal here and track its progress here, both available only in Hungarian.
    5. On 21 March 2023, the Hungarian National Assembly announced that a bill on cyber-security certification and oversight had been introduced. You can read the bill, only available in Hungarian, here.
  3. Guidance & Draft Guidance
    1. On 13 March 2023, the European Payments Council (‘EPC’) announced the publication of the annual update of its Guidelines on Cryptographic Algorithms Usage and Key Management. In particular, the EPC noted that the guidelines specify recommendations and best practices on cryptographic algorithms, security protocols, confidentiality and integrity protection, and key management. The new version of the guidelines also covers quantum computing and distributed ledger technologies. You can find the updated guidelines here.
    2. On 20 March 2023, the Danish Data Protection Authority (‘Datatilsynet’) announced it had created new guidance on the GDPR for small businesses, which it will launch in a webinar on 4 May 2023. You can read the press release here, and sign up for the webinar here.
    3. On 21 March 2023, the European Union Agency for Cybersecurity published its first analysis of the cyber threat landscape in the transport industry. You can read the report here.
    4. On 22 March 2023, the Irish Council for Civil Liberties raised concerns about the proposed European Health Data Space. You can read their concerns here.
    5. On 23 March 2023, in the Czech Republic, the Office for Personal Data Protection published a blog post illustrating how natural persons can request deletion of their personal data from the public list of data mailbox holders. You can read the blog post, only available in Czech, here.
    6. On 23 March 2023, the Danish Data Protection Authority announced the creation of a new portal on its website featuring statistics on data breaches. You can access the portal here, only available in Danish.
    7. On 23 March 2023, the French data protection authority (‘CNIL’) published a thematic dossier on digital identity. You can read the dossier here, available in French.
    8. On 24 March 2023, the ICO announced that it had issued draft guidance on the Age Appropriate Design Code, which applies to information society services likely to be accessed by children. You can read the draft guidance documents here.
  4. Data Protection Authority Updates and Privacy News
    1. On 16 March 2023, the ICO reached an agreement with EasyLife Ltd to reduce the monetary penalty notice for breaches of the GDPR to £250,000. This followed an investigation which found that the company was making assumptions about customers’ medical conditions based on their purchase history in order to sell them medical products. You can read the enforcement notice here.
    2. On 16 March 2023, the Norwegian data protection authority imposed a fine of 2.5 million NOK (£220,292) on Argon Medical Devices for violation of Article 33(1) of the GDPR. Argon had become aware of a personal data breach 67 days before the notification was sent to Datatilsynet. You can read the announcement, only available in Norwegian, here, and the decision here.
    3. On 16 March 2023, the ICO issued a reprimand against the Metropolitan Police Service following issues around the uploading, amending and deleting of various criminal intelligence files. You can read the reprimand here.
    4. On 22 March 2023, the ICO issued an enforcement notice against the London Borough of Lewisham for failing to respond to hundreds of overdue requests made under the Freedom of Information Act 2000. You can read the enforcement notice here.
    5. On 23 March 2023, the Spanish Data Protection Authority fined Orange Espagne SAU 70,000 for violations of Article 6(1) of the GDPR. You can read the decision, only available in Spanish, here.