EU/UK Privacy & Cybersecurity News Roundup – Week of August 7, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 28 July, the AEPD fined Open Bank €2.5M for security failures. Read the decision in Spanish here.
  • On 1 August, the CNIL published decision No. SAN-2023-012, as issued on July 13, 2023, in which it closed the injunction issued against Google LLC and Google Ireland Limited confirming compliance with Decision No. SAN-2021-023. Read the press release here and the decision, only available in French, here.
  • On 31 July, the CNIL issued an opinion on parental access controls. Read the opinion here, the Law here, and the Decree here, all only available in French.


  • On 1 August, in Czechia, the Act on the Protection of Whistleblowers transposing the Whistleblowing Directive (the Act), together with the Act Amending Certain Acts in Connection with the Adoption of the Act on the Protection of Whistleblowers (the Amendment Act) entered into force, following their publication in the Collection of Laws on June 20, 2023. Read the press release in Czech here.
  • On 27 July, in Ireland, the Minister for Public Expenditure amended the Protected Disclosures Act. Read the Regulations here.

Guidance & Draft Guidance

  • On 1 August, in Andorra, the APDA announced that it had issued guidelines for the personal and domestic activity exemption under Article 2(4)(a) of Law 29/2021, of 28 October, of Personal Data Protection (the Law), as further detailed by Article 2(2) of Implementing Decree 391/2022. Read the announcement here and the guidelines here, both only available in Catalan.

Data Protection Authority Updates and Privacy News

  • On 29 July, in Guernsey, the Office of the Data Protection Authority confirmed that it will pursue legal action against companies for failure to register under the Data Protection (Bailiwick of Guernsey) Law. Read the press release here.
  • On 27 July, in Turkey, the KVKK announced the Vestel Ticaret data breach. Read the press release in Turkish here.
  • On 24 July in Cyprus, the Digital Security Authority announced that it had signed a Memorandum of Understanding with the Chamber of Commerce and Industry, which aims to strengthen existing cooperation and seek opportunities in the field of IT and technology in relation to cybersecurity. Read the announcement in Greek here.
  • On 31 July, in Finland, the Ombudsman published its activity report for 2022. Read the press release here and the full report here, both only available in Finnish, and a summary of the report here.
  • On 31 July, the ICO issued a statement regarding WorldCoin’s launch in the UK. Read the statement here.
  • On 21 July, in Czechia, the NÚKIB released supporting materials for protection against threat in form of quantum computers. Read the press release here, the documents herehere, and here, all only available in Czech.
  • On 1 August, the EDPB responded to questions on certification and accreditation procedures. Read the letter here.
  • On 14 July, in Germany, the BSI published an updated standard on business continuity management. Read the press release here and the standard here, both only available in German.
  • On 12 July, in Germany, the Federal Financial Supervisory Authority published an article regarding its study on the risks of using artificial intelligence, machine learning, and algorithmic decision-making by banks for granting loans. Read the press release here.
  • On 28 July, the EDPB will discuss the dispute on the DPC’s TikTok decision in the 83rd plenary meeting. Read the agenda here.
  • On 31 July, the EU Commission launched a consultation on a template relating to reporting on consumer profiling techniques under the DMA. Access the consultation portal here and the template here.
  • On 2 August, the ICO announced the Government’s plans to ban cold calls on financial products. Read the press release here.
  • On 2 August, the ICO issued a statement on Meta’s plans to base behavioural advertising on users’ consent. Read the statement here.