EU/UK Privacy & Cybersecurity News Roundup – Week of June 19, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On April 13, the Italian data protection authority (Garante) issued its decision No. 183, in which it imposed a fine of €7,631,175 on TIM S.p.A. for multiple violations of the General Data Protection Regulation (GDPR) and of the Italian Personal Data Protection Code (the law adapting national legislation to the GDPR), following several complaints from individuals alleging that TIM’s telemarketing activities were unlawful. The Garante found that TIM had not addressed several data subject rights requests, that it held no valid documentation demonstrating the consent of the recipients of its commercial communications, and that in several instances it had not complied with its information obligations under the GDPR. You can read the decision here, available in Italian.
  • On June 1, the European Commission announced its decision to refer Italy and Spain to the Court of Justice of the European Union (CJEU) for failing to transpose the Whistleblowing Directive before December 17, 2021. You can track the Commission’s infringement cases here.
  • On June 9, the Italian Garante announced its decision No. 181, issued on April 14, 2023, in which it imposed a fine of €676,956 on Sorgenia SpA for violations of the GDPR, following a complaint and reports from interested parties against the company. The concerns related to calls that Sorgenia had made for promotional purposes, in some instances to users with reserved numbers and to users entered in the public do-not-call register, as well as to its failure to respond to data subject rights requests. You can read the decision, only available in Italian, here.
  • On June 13, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2019-6696, as issued on June 12 in which it imposed a fine of SEK 58 million (approximately €4.98 million) on Spotify AB, for violations of GDPR. The IMY highlighted that it had received complaints regarding Spotify’s handling of data subject requests. It was found that the information provided under Spotify’s privacy notice had not been designed in such a way that the purpose of the right of access was fulfilled. Furthermore, this information was not sufficiently transparent. You can read the press release here, and the decision here, both only available in Swedish.
  • On June 13, the Spanish data protection authority (AEPD) published its decisions fining Digi Spain Telecom S.L.U. a total of €210,000 in three separate cases involving violations of the GDPR. The complainants had alleged that Digi had issued duplicates of their SIM cards to unauthorized third parties, who then used them to make transfers from the complainants’ bank accounts. Digi had failed to conduct sufficient due diligence on the identity of the individuals requesting the duplicates, and thus processed personal data without a lawful basis in violation of Article 6(1) of the GDPR. The AEPD dismissed Digi’s appeals for reconsideration. You can read the decisions here, here and here, all only available in Spanish.
  • On June 14, the Spanish AEPD published its decisions imposing two fines of €70,000 each on Digi Spain Telecom S.L.U. for violations of the GDPR, following complaints submitted by two individuals. As in the cases above, the complainants alleged that Digi had issued duplicates of their SIM cards to unauthorized third parties, which allowed those parties to make transfers from the complainants’ bank accounts. You can read the decisions here and here, in Spanish.
  • On June 15, the French data protection authority (CNIL) published its decision imposing a penalty of €150,000 on Société KG COM for violations of the GDPR and of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, following a data breach. The CNIL found that KG COM had systematically recorded phone calls between its telephone operators and prospects, as well as between its employee fortune-tellers and customers. It had also retained customers’ bank account data for longer than necessary, and had failed to obtain prior consent from individuals before collecting special categories of data such as health and sexual orientation. You can read the press release here, and the decision, only available in French, here.
  • On June 15, the Advocate General of the Court of Justice of the European Union (CJEU) delivered his opinion in Case C-755/21 P Kočner v Europol, stating that Europol and a Member State can be held jointly and severally liable for damage resulting from unlawful data processing. The case concerned data belonging to a suspect that had been retrieved by Europol and subsequently made available to the public. The Advocate General emphasized that a joint and several liability framework exists between Europol and a Member State where the damage arose from incorrect data processing by either Europol or the Member State. You can read the opinion here.
  • On June 15, the Romanian National Supervisory Authority for Personal Data Processing announced its decision imposing a fine of €8,000 and a corrective measure on Artima S.A. for violations of the GDPR, following a data breach notification. The authority found that Artima had not implemented adequate technical or organizational measures to ensure a level of security appropriate to the risk of the processing and to ensure the confidentiality of the data processed. You can read the press release, only available in Romanian, here.

Legislation

  • On December 2, 2022, a bill amending the Dutch GDPR implementing legislation was introduced to the House of Representatives of the Netherlands. The bill stipulates that, where Article 8 of the GDPR (on the conditions applicable to a child’s consent in relation to information society services) does not apply, the consent of the data subject’s legal representative is required if the data subject is under 16. In addition, the bill amends the rules on the processing of health data under the Civil Code and refines the national provisions implementing Article 10 of the GDPR on the processing of personal data relating to criminal convictions and offences. You can read the bill here and track its progress here, both only available in Dutch.
  • On June 9, the UK Parliament published a research briefing titled “Data Protection and Digital Information (No. 2) Bill: Commons stages”, which outlines the progress of the bill in the House of Commons since its introduction. In particular, the briefing provides a summary of the bill and notes that the bill was considered by a Public Bill Committee over eight sittings between May 10 and 23, 2023, during which mainly minor or technical government amendments were agreed, adding new clauses to the bill. The briefing also records criticisms expressed against the bill, including that it does not address the challenges posed by technological developments, that it risks the loss of data adequacy with the EU, that it adds to the compliance burden on business, and that it reduces protection for citizens by diluting the right of subject access. You can read the briefing here, and the amended bill here.
  • On June 14, the European Parliament announced that it had adopted its negotiating position on the Artificial Intelligence Act, with 499 votes in favour. The Parliament noted that MEPs had expanded the list of prohibited practices to include bans on intrusive and discriminatory uses of AI, such as real-time biometric identification systems in public spaces, biometric categorization systems, predictive policing systems, emotion recognition systems and the untargeted scraping of facial images from the internet. You can read the press release here.

Guidance & Draft Guidance

  • On May 31, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) issued guidance on the obligations of individuals providing accommodation services in their capacity as data controllers. The NAIH explained that the GDPR applies to such processing, including all transparency obligations under Articles 13 and 14 of the GDPR. The NAIH also noted that a Data Protection Impact Assessment may not be necessary and that a private individual providing accommodation may not need to appoint a data protection officer. You can download the notice, only available in Hungarian, here.
  • On June 7, the European Union Agency for Cybersecurity (ENISA) announced that it had released four reports examining artificial intelligence and cybersecurity. These cover AI and cybersecurity research, a multilayer framework of good cybersecurity practices for AI, and two sector case studies on medical imaging diagnosis and on forecasting demand on electricity grids. The reports recommend treating the cybersecurity of AI systems as an additional effort on top of an organization’s existing information and communication technology security practices, noting that those existing practices need to be complemented with AI-specific ones. You can read the press release and access the reports here.
  • On June 8, the Information Commissioner’s Office in the UK (ICO) issued a statement, together with a new report on neurotechnology, warning that newly emerging neurotechnologies risk discriminating against people if the groups most affected are not put at the heart of their development. The ICO predicted that the use of technology to monitor neurodata, meaning information coming directly from the brain and nervous system, will become widespread over the next decade. You can read the statement here and the report here.
  • On June 8, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published frequently asked questions regarding Google’s plans to publish new image recordings on its Google Street View service. The HmbBfDI explained that Google intends to publish new images from all over Germany, taken either from a Street View vehicle or on foot with a camera backpack. Data subjects can object to the processing of their personal data, in particular to the non-pixelated representation of house fronts, and also of individuals should they be recognizable in Street View pictures. You can read the FAQs here, available in German.
  • On June 13, the UK ICO announced the publication of the research paper “Exploring Synthetic Data Validation – Privacy, Utility and Fidelity”, which it had supported the Financial Conduct Authority and the Alan Turing Institute in producing. The paper explores the challenges of, and possible solutions to, generating anonymous synthetic data in the financial services sector. It covers the validation of the utility and fidelity of synthetic data, the validation of its privacy properties, and approaches to advancing the use of synthetic data. You can read the announcement here, and the paper here.
  • On June 13, the European Union Agency for Cybersecurity announced the publication of its report on good practices for supply chain cybersecurity. The report offers a five-step systematic approach to the supply chain cybersecurity challenge, along with recommended security practices for each phase of the methodology. You can read the announcement here and download the report here.
  • On June 14, the Spanish AEPD launched a new version of its Gestiona tool. The tool is aimed at small public and private entities and allows them to manage their processing activities, carry out risk management, and obtain support in carrying out data protection impact assessments. You can access the tool here.

Data Protection Authority Updates and Privacy News

  • On June 10, the Italian data protection authority (Garante) announced that it had requested information from TikTok Technology Ltd regarding statements, recently reported in the press, on alleged access to TikTok users’ personal data by the Communist Party of China. In particular, the Garante invited TikTok to provide, within 15 days, a statement on those reports and on TikTok’s possible involvement in the transmission of users’ data, including that of Italian and other European users, to the Chinese government authorities. You can read the press release, only available in Italian, here.
  • On June 15, Margrethe Vestager, Executive Vice-President of the European Commission for a Europe fit for the Digital Age, announced on Twitter that the trilogue negotiations between the European Commission, the European Parliament and the Council of the European Union on the Artificial Intelligence (AI) Act had begun that same day. The Parliament had adopted its negotiating position on the AI Act the day before, on June 14, 2023. You can read the announcement here.
  • On June 15, the UK ICO issued a statement calling on businesses to address the privacy risks associated with generative artificial intelligence before adopting such technologies, noting that it will be conducting tougher checks on whether organizations are compliant with data protection laws. The ICO referred businesses to its recently updated Guidance on AI and Data Protection, which provides a roadmap to data protection compliance for developers and users of generative AI; to its accompanying risk toolkit, which helps organizations identify and mitigate data protection risks; and to its publication of eight questions that organizations developing or using generative AI that processes personal data need to ask themselves. You can read the press release here.