EU/UK Privacy & Cybersecurity News Roundup – Week of July 17, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 7 July, the Supreme Administrative Court published its decision in Case No. 5515-21, as issued on February 6, 2023, in which it rejected the appeal of the Uppsala Municipality to carry out surveillance under the Camera Surveillance Act, following an appeal by the Swedish Authority for Privacy Protection. Read the decision here.
  • On 11 July, the Bavarian data protection authority published a statement addressing the question of whether the Court of Justice of the European Union’s preliminary ruling in case C-34/21 Principal Staff Committee for Teachers at the Hessian Ministry of Education v Hessian Ministry of Education, issued on March 30, 2023, has an impact on Bavarian personnel file law. The statement concludes that the ruling has no direct effect on the latter. Read the statement in German here.

Legislation

  • On 4 July, in Czech Republic, the National Office for Cyber ​​and Information Security announced that it had extended the deadline for submitting comments on the draft law on cybersecurity in response to requests for additional time. Read the press release in Czech here.
  • On 5 July, the Irish Council for Civil Liberties, together with Digital Rights Ireland, submitted a comprehensive list of amendments for the An Garda Síochána (Recording Devices) Bill to legislators. Read the press release here.
  • On 1 July, in Slovakia, Act No. 189/2019 Coll., which, among others, amends Act No. 54/2019 Coll. on the Protection of Whistleblowers, was passed on May 10, 2023, and came into effect on July 1, 2023, with some postponed provisions effective from September 1, 2023. Read the Amendment Act here and here, both in Slovak.

Guidance & Draft Guidance

  • On 7 July, the CNIL published recommendations on personal data sharing by APIs. Read the press release here and the recommendation here, both in French.
  • On 11 July, the Spanish data protection authority published an updated guide on the use of cookies to align it with the Guidelines 03/2022 on deceptive design patterns issued by the European Data Protection Board in February 2023. Read the press release here and the updated guide here, both in Spanish.
  • On 13 July, Datatilsynet expanded its guidance on the right to erasure from search engines. Read the announcement here and the guidance here, both in Danish.
  • On 13 July, the ICO Regulatory Sandbox published its exit report setting out its advice to the Betting and Gaming Council on the safeguards required to share personal data between different operators. Read the press releases here and here and the report here.

Data Protection Authority Updates and Privacy News

  • On 7 July, the  ICO announced adequate data protection for Guernsey’s law enforcement processing. Read the LinkedIn post here and the opinion here.
  • On 6 July, the ICO submitted the data protection and journalism code of practice to the Secretary of State at the Department for Science, Innovation, and Technology. Read the press release here and the code here.
  • On 10 July, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF). In particular, the adequacy decision concludes that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organisations in the US. Read the press release here, the adequacy decision here, and a set of questions and answers here.
  • On 6 July, the Department for Science, Innovation, and Technology announced that the UK has become the first country to be granted ‘Associate’ status in the Global Cross Border Privacy Rules Forum. Read the DSIT’s announcement here and the Global CBPR Forum’s press release here.
  • On 6 July, the Department for Science, Innovation, and Technology announced that the UK has become the first country to be granted ‘Associate’ status in the Global Cross Border Privacy Rules Forum. Read the DSIT’s announcement here and the Global CBPR Forum’s press release here.
  • On 10 July, the European Data Protection Supervisor announced the implementation of organisational changes, adapting its approach and processes to ensure efficiency in a fast-changing data protection environment. Read the press release here.
  • On 5 July, the Portuguese data protection authority announced that it is seeking public comments on its draft Multi-Annual Plan of Activities for the period of 2024-2026. Read the press release here and the plan here, both in Portuguese.
  • On 6 July, the Garante published the 2022 activity report revealing increased inspections count. read the press release here and the annual report here, both in Italian.
  • On 7 July, the Data Protection Authority of Bavaria for the Private Sector published its 2022 activity report. Read the press release here and the report here, both in German.
  • On 7 July, the Council of Europe (CoE) announced that Bosnia and Herzegovina had transmitted the instrument of ratification of the Protocol amending the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108+) to the CoE Secretary General, thus becoming the 27th State Party to join Convention 108+. Read the announcement here.
  • On 4 July, the Swedish Authority for Privacy Protection published a blog on the implications of employing privacy-friendly technologies, such as digital masking and pixelation, in camera surveillance systems. Read the blog in Swedish here.
  • On 11 July, the Federal Commissioner for Data Protection and Freedom of Information announced its appointment by the European Data Protection Board as its representative for the European Data Innovation Board. Read the press release in German here.
  • On 11 July, the Garante announced that it had launched an investigation into MG Freesites Ltd following a complaint lodged by a user. Read the announcement here.
  • On 12 July, the European Parliament endorsed the agreement with Council of the EU on information-sharing rules in terrorism cases. Read the announcement here, the regulation here, and the directive here.
  • On 11 July, the CNIL launched a new working group in charge of economic analysis. Read the announcement in French here.
  • On 3 July, in Turkey, the Personal Data Protection Authority (KVKK) announced the publication of the Turkish Journal of Privacy and Data Protection Volume: 5 – Issue: 1. Read the press release here and the journal here, both in Turkish.
  • On 29 June, in Georgia, the PDPS published its 2022 annual report. Read the announcement here, the report here, and its summary here, all in Georgian.
  • On 11 July, Ofcom called for evidence on categorisation of online services. Read the press release here and the call to evidence here.
  • On 26 June, the FDPIC launched a new reporting portal for DPOs. Read the press release here and access the portal here.