EU/UK Privacy & Cybersecurity News Roundup – Week of May 8, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

  • Case Law Updates and Fines
    • On 27 April 2023, the French CNIL announced the publication of Deliberation 2023-027 on the use of drones by law enforcement. In particular, the deliberation provides that law enforcement may use airborne cameras for preventing acts of terrorism, rescuing people, ensuring the safety of gatherings of people in public places, or supporting ground personnel when gatherings are likely to cause serious disturbances to public order. You can read the press release here and the deliberation here, both only available in French.
    • On 27 April 2023, the CJEU issued a press release concerning the Advocate General’s opinion in case 340/21 VB v Natsionalna agentsia za prihodite. The CJEU explained that the opinion was rendered in relation to a reference for preliminary ruling submitted by the Supreme Administrative Court of Bulgaria regarding the GDPR interpretation of the conditions for awarding compensation for non-material damages following a data breach. The Advocate General took the view that fear of potential misuse of personal data in the future may constitute non-material damage granting the right to compensation. You can read the press release here and opinion here.
    • On 4 May 2023, the CJEU announced its judgment in UI v Österreichische Post AG (C-300/21). The case arose in the context of a compensation claim for non-material damage lodged by a data subject. Österreichische Post had collected information on the political affinities of the Austrian population. The data subjects had not consented to the processing of their personal data. You can read the press release here and the judgment here.
    • On 4 May 2023, the CJEU announced it had rendered its judgment in FF v Austrian Data Protection Authority (‘DSB’) (C-487/21), further to a request for a preliminary ruling from the Federal Administrative Court of Austria. The Federal Administrative Court solicited clarifications on whether the right of access under Article 15(3) of the GDPR is fulfilled where the controller transmits personal data in the form of a summary table, or whether that obligation also entails the transmission of document extracts in which that data is reproduced. The CJEU took the view that the right to obtain a copy of personal data means that the data subject must be given a faithful and intelligible reproduction of all the data. You can read the press release here and the judgment here.
    • On 4 May 2023, the CJEU issued its judgment in National Public Health Centre under the Ministry of Health v State Data Protection Inspectorate (‘VDAI’) (C-683/21), further to a request for a preliminary ruling from the Regional Administrative Court of Vilnius. The case concerned the role played by the Health Centre in the development of a mobile application which collected the personal data of people who had been in contact with Covid patients. The CJEU examined the concepts of ‘controller’, ‘joint controllers’ and ‘processing’ and concluded that whether personal data is collected for testing IT systems contained in a mobile application or for another reason has no influence on whether the action in question qualifies as ‘processing’. You can read the judgment here.


  • Legislation
    • On 5 April 2023, the German Federal Government announced that it had initiated a mediation procedure with the Mediation Committee regarding the draft Whistleblowing Protection Act. In particular, the Government noted that a meeting on the whistleblower legislation is scheduled for 9 May 2023. You can read the press release, only available in German, here.
    • On 26 April 2023, in Hungary, Proposal No. T/3089 about complaints, reports in the public interest and rules relating to reporting abuse was passed to the Legislative Committee. The proposal transposes the Directive on the Protection of Persons who Report Breaches of Union Law and establishes specific requirements for internal whistleblowing systems. You can read the proposal here and track its progress here, only available in Hungarian.
    • On 28 April 2023, it was revealed that in Estonia, an Act on Amendments to the Penal Code 94 SE was published in the Official Gazette and will enter into force on 1 November 2023. Estonian law does not recognise administrative fines as reflected under Recital 151 of the GDPR. The Estonian legislature has initiated a draft Act amending the Penal Code in order to allow for more effective implementation of fines as required by EU law. You can download the Act here, available in Estonian.
    • On 3 May 2023, the European Parliament announced that Regulation 2022/1925 of 14 September 2022 on Contestable and Fair Markets in the Digital Sector and Amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) became applicable on 2 May 2023. The Parliament highlighted that the European Commission will designate the entities qualifying as gatekeepers under the Digital Markets Act by 6 September 2023. Gatekeepers will have a maximum of six months to comply with the new obligations. You can read the press release here.
    • On 4 May 2023, in Bulgaria, the Whistle-blower Protection and Public Disclosure Act entered into force. This transposes into Bulgarian law the Directive on the Protection of Persons who report Breaches of Union Law (Directive (EU) 2019/1937) (‘the Whistleblowing Directive’). You can read the Act, only available in Bulgarian, here.


  • Guidance & Draft Guidance
    • On 26 April 2023, the Irish Council for Civil Liberties (‘ICCL’) published a letter to the EU Ombudsman making a new complaint against the European Commission concerning the Commission’s failure to collect information for the full period of the GDPR application. In particular, the ICCL noted that the Commission’s failure to gather the necessary information put at risk the fundamental rights and freedoms of individuals within the EU. They requested that the Ombudsman launch an examination of whether the Commission has collected the necessary information to monitor Member States’ application of the GDPR. You can read the press release here.
    • On 27 April 2023, the European Data Protection Board (‘EDPB’) announced the launch of a guide to aid business compliance with GDPR. In particular, the EDPB outlined that the guide aims to raise awareness and provide practical information to small and medium companies. You can read the press release here, and the guide here.
    • On 27 April 2023, the Bavarian data protection authority issued guidelines on data protection as a criterion in procurement procedures. The guidelines outline procurement processes, and identify which gateways open up in procurement processes for data protection requirements. You can read the press release here and the guidelines here, both only available in German.
    • On 27 April 2023, the Organisation for Economic Co-operation and Development published a report on privacy and data protection rules for cross-border data flows. In particular, the report examines compliance challenges applicable to data flows, as well as legal bases and mechanisms for cross-border transfers. You can read the press release here.
    • On 28 April 2023, the Irish Data Protection Commission announced it had released guidance for employers regarding data protection in the workplace. In particular, they noted that guidance is aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing personal data of their employees, former employees, and prospective employees. You can read the announcement here, and the guidance here.
    • On 30 April 2023, the Information Commissioner’s Office (‘ICO’) announced a call for opinions on its draft guidance on what is meant by a provider of an Information Society Service likely to be accessed by children, which falls within the remit of the Age Appropriate Design Code. In particular, the ICO stated that it had published case studies to help some sectors like the online dating industry understand how the guidance will apply in practice. You can read the announcement here, and the case studies here.
    • On 2 May 2023, the European Consumer Organisation (‘BEUC’) published a position paper on the European Commission Proposal for an AI Liability Directive. This paper highlights that the fault-based liability approach adopted in the directive is less protective of consumers when those consumers use new technologies. For consumers harmed by an AI system, a non-fault-based liability regime should be the default option. You can read the position paper here.
    • On 3 May 2023, the European Consumer Organisation (‘BEUC’) published its response paper to the call for evidence on an EU initiative on virtual worlds. The paper suggests that the Commission assess whether proposals may be adapted to cater to new technological developments. The paper recommends that the Commission also assess what gaps in EU law exist to effectively protect consumers in virtual reality technologies. The response paper also suggests the Commission identify the limits of current legislation and whether further legislation will be needed. You can read the response paper here.
    • On 4 May 2023, the Danish data protection authority (‘Datatilsynet’) launched its new guidance suite targeted at small businesses. This allows companies to achieve better control of GDPR compliance. You can read the press release here and the guidance suite here, available in Danish.
    • On 4 May 2023, the Spanish Data Protection Authority (‘AEPD’) published a guide for companies and public administrations on approaching data spaces in light of the GDPR. In particular, the guide analyses the creation and use of data spaces in relation to personal data protection regulations, with a view to facilitating compliance with the rights and freedoms of natural persons across multiple initiatives. You can read the press release here, and the guide here, both only available in Spanish.


  • Data Protection Authority Updates and Privacy News
    • On 13 April 2023, the Hesse Data Protection Authority issued a press release stating that their data protection officer had asked OpenAI LLC to answer a questionnaire on data processing at ChatGPT. The questions relate to whether data processing complies with the basic principles of data protection law, whether this is based on valid legal bases, and whether it is sufficiently transparent for data subjects involved. The questionnaire also asks about the age limit set for the use of ChatGPT, whether usage data is used as training data in the context of machine learning, and which sources are used to obtain information about individuals. You can read the press release here, in German.
    • On 26 April 2023, the Spanish Data Protection Authority (‘AEPD’) published a blog post regarding federated learning techniques and compliance with data protection and privacy. In particular, the blog specifies that federated learning techniques fall under Privacy Enhancing Technologies, and allow the development of machine learning systems without the need to communicate personal data. The AEPD compiled a list of resources and pointed to its Innovation and Technology portal regarding Artificial Intelligence and data protection. You can read the blog post here.
    • On 28 April 2023, in the Czech Republic, the Office for Personal Data Protection (‘UOOU’) launched a public consultation on proposed methodology for designing and operating camera systems from the perspective of processing and protecting personal data. In particular, the UOOU noted that the aim of the proposed methodology is to provide better guidance to controllers and processors of personal data. You can read the press release here and the proposed methodology here, only available in Czech.
    • On 28 April 2023, the Italian Garante announced it had received a letter from OpenAI LLC, describing the measures the latter had implemented regarding ChatGPT in order to comply with their order of 11 April 2023. They noted that OpenAI had expanded the information provided to EU users/non-users, amended several mechanisms and enabled the right to opt-out of processing, and added a button that allows users to confirm they are at least 18 years of age prior to gaining access to the service. Based on these actions, the Garante authorised the reinstatement of ChatGPT for Italian users. You can read the press release, available in Italian and English, here.
    • On 28 April 2023, the EDPB published the minutes of its 77th plenary meeting. In particular the minutes provide that the EDPB discussed the ongoing procedure pursuant to Article 65 of the GDPR, on the dispute submitted by the Data Protection Commission concerning data transfers by Meta IE. You can read the minutes here.
    • On 3 May 2023, the Danish Datatilsynet announced its decision in which it found that Statens Serum Institut, a medical institution, violated Articles 14(1), 14(2), 14(3), and 14(4) of the GDPR, and, following a complaint, ordered the institution to comply with the requirements of those articles. The Datatilsynet found that the Institut had incorrectly relied on Article 14(5)(b) to refrain from complying with its information provision obligations. The Datatilsynet requested a statement from the Institut explaining what actions it will take to fulfil its information provision obligations within three months from the date of the decision. You can read the press release here and the decision here, both only available in Danish.
    • On 4 May 2023, the UK Competition and Markets Authority announced it is launching an initial review of competition and consumer protection considerations in the development and use of AI foundation models. The review focuses on understanding how foundation models, including large language models and generative AI, are developing. The review will examine how competitive markets could evolve, explore the risks that could arise for competition, and produce guiding principles to support competition and protect consumers as AI foundation models develop. You can read the press release here and the launch document here.
    • On 4 May 2023, the Croatian Personal Data Protection Agency (‘AZOP’) announced it had imposed a fine of €2,265,000 on B2 Kapital d.o.o. for violations of Articles 6(1), 13(1), 28(3), 32(1)(b), and 32(2) of the GDPR. The AZOP had received a USB stick with an anonymous report containing the personal data of over 77,000 persons who had outstanding debts with credit institutions. B2 Kapital failed to inform data subjects of the processing of their personal data and the legal basis for this. The failure to change the company privacy policy regarding the legal basis of processing also violated Article 6(1). B2 Kapital also failed to enter into a contract with a processor for the processing of personal data for bankruptcy monitoring purposes. You can read the press release, only available in Croatian, here.