EU/UK Privacy & Cybersecurity News Roundup – Week of June 26, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 15 June, the Court of Justice of the European Union released a press release containing a summary of the Advocate General (AG) Laila Medina’s opinion in Case C-333/22 Ligue des droits humains ASBL, BA v. L’organe de contrôle de l’information policière, concerning a reference for a preliminary ruling by the Brussels Court of Appeal. Read the press release here.
  • On 22 June, the CNIL fines Criteo €40M for unlawful processing of personal data. Read the press release here and the European Data Protection Board summary here, and the decision, only available in French, here.
  • On 21 June, the ICO found a tracing agent in breach of the DPA for obtaining personal information unlawfully. Read the press release here.
  • On 22 June, the CJEU held that data subjects have the right to access date and reason for consultations on personal data. Read the press release here and the judgment here.
  • On 19 June, in Romania, the National Supervisory Authority for Personal Data Processing announced the publication of its Decision No. 52 of May 17, 2023, on the approval of the accreditation requirements of code of conduct monitoring bodies pursuant to Article 41 of the GDPR. Read the press release here and the finalised decision here, both only available in Romanian.

Legislation

  • On 19 June, in Czech Republic, the draft cybersecurity law moved to the next phase. Read the press release here, access the NIS2 website here, and track and access the draft law here, all only available in Czech.
  • On 21 June, the European Council mandated two legislative proposals on collection and transfer of API. Read the press release here.

Guidance & Draft Guidance

  • On April 12, in Hungary, the National Authority for Data Protection and Freedom of Information issued guidance on the storage of employee documentation in line with the ISO Quality Management Systems Standard. Download the guidance in Hungarian here.
  • On 20 June, the Norwegian Consumer Council released a generative AI risks report. Read the announcement here and the report here.
  • On 19 June, the ICO issued new guidance on privacy enhancing technologies. Read the press release here and the guidance here.
  • On 16 June, the Dutch data protection authority issued advice on amendments to Decree on Electronic Health Data Exchanges. Read the press release here and the advice here in Dutch.
  • On 16 June, the CEDPO issued a FAQs guide on AI and personal data for DPOs. Read the press release here and the guidance here.

Data Protection Authority Updates and Privacy News

  • On 19 June, the European Data Protection Board published the agenda of its 81st plenary meeting, which is scheduled to take place on June 20, 2023. In particular, the EDPB will discuss the interplay between the AI Act and EU data protection law. Read the agenda here.
  • On 15 June, the Council of Europe (CoE) announced that the Permanent Representative of Slovakia to the CoE, had deposited the instrument to ratify the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+).  Read the CoE’s press release here, and the Office for the Protection of Personal Data for the Slovak Republic’s press release, only available in Slovak, here.
  • On 18 April, in Latvia, the Data State Inspectorate published its 2022 annual activity report. Read the report in Latvian here.
  • On 19 June, the ESAs launched its consultation on the first batch of DORA policy products. Read the policy products and instructions on the public consultation here.
  • On 19 June, in Turkey, the KVKK released a statement addressing protection of personal data and data breach incidents. Read the press release in Turkish here.
  • On 19 June, in Ireland, the ICCL defended complainants’ right to be heard in GDPR cases. Read the press release here and the letter here.
  • On 20 June, the European consumer organisations asked regulators to investigate generative AI risks. Read the press release here.
  • On 14 June, the Centre for Data Ethics and Innovation published a report on access to demographic data for fairness in AI systems. Read the press release here and the report here.
  • On 21 June, the EDPB adopted a complaint template and recommendations on BCR-Cs’ approval applications. Read the press release here.
  • On 20 June, the CDEI announced a new joint project with the ICO to develop a privacy enhancing technologies (PETs) cost-benefit analysis tool, following the ICO’s issuance of new PETs guidance. Read the press release here and the PETs adoption guide here.
  • On 21 June, in Switzerland, the FDPIC investigated Fedpol and FOCBS concerning potential serious violations of data protection regulations. Read the press release here.
  • On 22 June, in Denmark, the Datatilsynet authorised use of facial recognition systems by a football club. Read the press release here and the Datatilsynet’s response here, both only available in Danish.
  • On 21 June, the European Commission requested public comments on the DSA transparency database. Read the press release here.