EU/UK Privacy & Cybersecurity News Roundup – Week of May 15, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

        Case Law Updates and Fines

    • On 4 May, the Spanish data protection authority fined GSMA Ltd €200,000 for violation of Article 35 of the GDPR. The decision can be accessed in Spanish here.
    • On 10 May, the Spanish data protection authority fined Marketing Accommodation Solutions FZ, L.L.C. €75,000 for violation of GDPR. The decision can be accessed in Spanish here.
    • On 10 May, the French data protection authority fined Clearview AI €5.2 million for non-compliance with an injunction they issued. The deliberation can be accessed in French here.
    • On 11 May, the Romanian data protection authority fined Libra Internet Bank €11,000 for multiple GDPR violations. The press release can be accessed in Romanian only here.

     

    Legislation

    • On 9 May, the European Parliament published their agenda for discussion for a motion for resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework. The motion can be accessed here.
    • On 9 May, the Spanish data protection authority announced modifications of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights. The press release can be accessed in Spanish here.
    • On 4 May, the Bulgarian data protection authority released the model documents under the Whistleblower Protection and Public Disclosure Act. The announcement can be accessed here.
    • On 9 May, the German Mediation Committee (comprised of German Parliament and the Federal Council) announced that they had agreed on proposed amendments to the draft Whistleblowing Protection Act. The proposed amendments can be accessed in German here.
    • On 10 May, the UK government published supporting documents which assess the impact of the Data Protection and Digital Information (No.2) Bill. The press release can be accessed here.
    • On 11 May, the European Parliament announced that its Internal Market and Consumer Protection and Civil Liberties, Justice and Home Affairs Committees adopted a compromise text on the AI Act. The compromise text can be accessed here.
    • On 11 May, the German Data Protection Conference have highlighted the need for specific employee data protection law following the CJEU preliminary ruling in Principal Staff Committee for Teachers at the Hessian Ministry of Education v Hessian Ministry of Education. The resolution can be accessed, only in German here.

     

    Guidance & Draft Guidance

    • On 11 May, the German Data Protection Conference published a paper which outlines the criteria required to be able to speak of a ‘sovereign cloud’. The paper can be accessed in German here.

     

    Data Protection Authority Updates and Privacy News

    • On 9 May, the Danish data protection authority issued a press release addressing the exercise of the right of access in connection with a child in joint custody. The right belongs to the data subject, the child in this situation. However the request can be done by a parent on the child’s behalf. This is not something that the parent needs to seek consent from the other parent. The press release can be accessed in Danish here.
    • On 9 May, the Spanish data protection authority published guidelines on encryption as a valid security measure for data protection. Guidelines can be accessed in Spanish here.