EU/UK Privacy & Cybersecurity News Roundup – Week of July 10, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 4 July 2023, the Court of Justice of the European Union (CJEU) delivered its ruling in Case C-252/21 Meta Platforms and Others v German Federal Cartel Office (GFCO), after a request for a preliminary ruling from the Higher Regional Court of Düsseldorf. The CJEU concluded that national competition authorities may review whether a data processing operation complies with the GDPR. This decision has important ramifications for the relationship between competition law and data protection, and for the powers of competition authorities to consider the GDPR. You can read the judgment here, available in German and French, and the press release here.

Legislation

  • On July 2, 2023, the Whistleblowing Protection Act transposing the Whistleblowing Directive entered into force following approval by the German Parliament (Bundestag) and the Federal Council (Bundesrat). The aims of the Act include protecting reporting persons, preserving the confidentiality and identity of reporting persons, prohibiting unjustified disadvantages for reporting persons, and establishing reporting points to which whistleblowers can turn to obtain legal protection. You can read the press release here, only available in German.
  • On July 4, 2023, the European Commission proposed a new regulation to support the effectiveness of enforcement of the General Data Protection Regulation in cross-border cases, by streamlining cooperation between data protection authorities and harmonising some aspects of their administrative procedures in cross-border cases. The proposed regulation aims to set up procedural rules for the data protection authorities when applying GDPR in cases that affect individuals in more than one Member State. It would introduce additional steps in the cooperation between authorities, to facilitate consensus-building and reduce the need for the dispute resolution mechanism under the GDPR. You can read the announcement here, its associated Q+A page here, and the proposed regulation here.

Guidance & Draft Guidance

  • On June 19, 2023, the German Commissioner for Data Protection and Freedom of Information (BfDI) released a brochure on data protection and telecommunications. This brochure details legal and technical issues around telecommunications data protection, and provides practical guidance on the relevant governing legislation. You can read the press release here and brochure here, both only available in German.
  • On June 20, 2023, in the Czech Republic, the Act on Protection of Whistleblowers was published in the Collection of Laws. This Act transposes the EU Whistleblowing Directive, and provides protection for employees, business partners, self-employed persons, interns, volunteers, and persons who help a whistleblower to report illegal conduct. Any retaliatory measures have been prohibited and the burden of proof has been reversed in disputes concerning retaliatory measures. The Act will take effect on August 1, 2023. You can read the Act and track its progress here, available in Czech.
  • On June 30, 2023, the Danish data protection authority (Datatilsynet) published new guidance on processing personal data in the context of direct marketing. The guidance is targeted at advisers and others with experience in data protection within companies, with the aim of clarifying how a large number of data protection rules must be understood in a marketing context. The guidance addresses such subjects as mapping marketing activities, the use of children’s data, electronic marketing, and legal bases for processing. You can read the press release here and guidance here, both only available in Danish.
  • On July 1, 2023, the Bavarian data protection authority (BayLfD) published a statement on data protection and spelling correction in web browsers. The statement outlines that writing support in web browsers can use artificial intelligence to make suggestions for improvement which can lead to the transmission of personal data to the browser provider. You can read the statement here, available in German.
  • On July 4, 2023, the European Consumer Organisation (BEUC) issued a press release criticising the European Commission’s proposal for a regulation to support the effectiveness of enforcing the GDPR in cross-border cases. The BEUC stated that the proposal falls short of improving complainants’ right to be heard and to get timely access to information from the investigation a data protection authority carries out. The BEUC noted that it might worsen the current situation for consumers, the organisations representing them in cases against companies, and the data protection authorities themselves. You can read the press release here.
  • On July 4, 2023, the Dutch data protection authority (AP) announced the issuance of advice on amendments to the Youth Act Decree. The AP highlighted that amendments do not clarify under what circumstances persons who are involved in the provision of youth assistance have access to camera images of young persons. The advice recommends that the amendments specify whether the Health and Youth Care Inspectorate can inspect images of young persons. You can read the advice here, available in Dutch.
  • On July 4, 2023, the National Cyber Security Centre (NCSC) released the report on its Active Cyber Defence programme. The report notes that the number of takedowns of malicious sites had grown every year since 2017, but in 2022 the number of takedowns fell, driven by a reduction in extortion mail servers and cryptocurrency investment scams. UK Government phishing campaigns decreased, but phishing overall remains the most common type of cyberattack in the UK. You can read the report here.
  • On July 5, 2023, the European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report for the health sector, providing a comprehensive analysis of cyberattacks and identifying threats, factors, impacts and trends. The report found that ransomware emerged as one of the primary threats in the health sector, accounting for 54% of incidents. Patient data, including electronic health records, were the most targeted assets. More generally, nearly half of all incidents aimed at stealing organisations’ data. You can read the report here.
  • On July 5, 2023, the Council of Europe published guidelines aimed at supporting the integration of requirements of the Amending Protocol to the Convention for the Protection of Individuals with regard to the Processing of Personal Data, in the area of anti-money laundering/countering financing of terrorism (AML/CFT). The Council of Europe explained that the AML/CFT regime provides for several contexts of processing of personal data, and sets out detailed obligations on data controllers, extending to the processing of personal data by government authorities and private entities. You can read the announcement here, and guidelines here.
  • On July 6, 2023, the Spanish data protection authority (AEPD) issued a statement summarising key outcomes of its meeting on “Current challenges for data protection”. The AEPD outlined three challenges: the processing of personal data of minors, the impact of artificial intelligence, and the situation of the AEPD itself. You can read the press release here, available in Spanish.

Data Protection Authority Updates and Privacy News

  • On June 23, 2023, the BfDI published a working paper on authentication and risks in the telecommunications sector. The paper compiles potential risks in the telecommunications sector drawn from practical cases during the BfDI’s regulatory activities. You can read the press release, available in German, here.
  • On June 26, 2023, the Norwegian data protection authority (Datatilsynet) announced it had entered into a cooperation agreement with the Norwegian Accreditation on the accreditation of certification bodies under the GDPR. The Datatilsynet noted that the cooperation agreement represents one step closer to establishing a certification mechanism under GDPR. You can read the announcement, only available in Norwegian, here.
  • On June 27, 2023, the BfDI and the Italian data protection authority (Garante) published a joint statement following a meeting of the International Working Group on Data Protection in Technology (the DP Group, also known as the Berlin Group). The DP Group meeting hosted data protection authorities and other organisations from around the world. The meeting concerned important and upcoming future technologies, with the Garante informing the Berlin Group about its regulatory activities against OpenAI LLC. You can read the joint statement here.
  • On June 27, 2023, the Polish data protection authority (UODO) published its decision imposing a fine of PLN 30,000 (approx. $7,300) on the mayor of an unnamed city for violations of the GDPR, following a notification of a personal data breach. A ransomware attack had taken place because of vulnerabilities in the ICT system. The cause of the attack was an outdated virus database, and the mayor had failed to adequately test, measure, and evaluate the effectiveness of the measures in place to ensure the security of the personal data processed in the IT systems. You can read the decision here, available in Polish.
  • On July 5, 2023, the Spanish data protection authority published its decision imposing a fine of €50,000 on DAS Defensa del Automovilista y de Siniestros-Internacional, SA de Seguros y Reaseguros DAS Lex Assistance SLU (DAS), which was subsequently reduced to €40,000. The complainant had signed a lease contract for a commercial premise, and the contract was drawn up by an employee who was an exclusive agent of DAS. DAS had appointed a lawyer on behalf of the complainant to evict the tenant for non-payment, but DAS had transferred the complainant’s data to the tenant without their consent, which constituted a breach of the duty of confidentiality under Article 5(1)(f) of the GDPR. You can read the decision here, only available in Spanish.
  • On July 5, 2023, the Spanish data protection authority imposed a fine of €70,000 on Vodafone Servicios SLU, which was subsequently reduced to €56,000, for violations of the GDPR following a complaint submitted by an individual. The complainant alleged that a duplicate of their SIM card had been issued to an unauthorised individual seeking to access their bank account, and that Vodafone had not conducted due diligence regarding the identity of that individual. You can read the decision here, available in Spanish.