EU/UK Privacy & Cybersecurity News Roundup – Week of August 21, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On August 3, the Polish data protection authority (UODO) announced that the Provincial Administrative Court in Warsaw had upheld the UODO’s decision to impose an administrative fine of PLN 16,000 (approx.. $3,952) on Esselmann Technika Pojazdowa Sp. Z. o ; o; Sp. K, for failing to report a data breach that led to the loss of employee personal data. The UODO had received a complaint about potential irregularities in personal data processing. An investigation revealed that a work certificate from the company employee’s personnel file had been lost. The company had considered that the event did not involve a risk of violating the rights or freedoms of the data subject and so had not reported the breach. However, it was held the company did not know where the certificate was, its content, who had access to it or whether it had been destroyed, so this did create a risk of infringement of the employee’s rights. You can read the UODO’s decision here, available in Polish.

Legislation

  • On July 26, the German Data Protection Conference (DSK) published its opinion, as adopted on June 21, 2023, on the European Parliament’s proposal for a Regulation on the transparency and targeting of political advertising, which is currently in the trilogue process. According to the DSK, the proposed Regulation would allow targeted political advertising within limited circumstances, e.g. only when the data subject has provided consent for political advertising. It would also restrict processing of special categories of personal data. Additionally, the DSK stated that online platforms could not process personal data in order to display political advertisements, but could only display them at random, within a targeted audience. The DSK stated that the proposed regulation would greatly reduce data processing risks, and allow the data subjects more control over their data while providing an example of how to regulate manipulative advertising applications. You can read the press release here.
  • On July 26, the DSK published its opinion on the draft regulation on consent management services under s. 26(1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia. The opinion states that the introduction of consent management services would be a sensible means of counteracting the danger of ‘consent fatigue’ on the part of website users. In fact, such services would enable website users to specify their consent preferences only once, in order to simplify consent processes on the websites visited. Thus, the draft regulation aims to avoid altogether the use of cookie banners. However, the opinion states that it is not possible to achieve this goal. If the draft regulation was enacted, consent banners would not become superfluous and disappear owing to the requirement to request consent in Articles 6(1)(a) and 49(1)(a) of GDPR. You can read the opinion here, in German.

Guidance & Draft Guidance

  • On 7 July, the German Ministry of Justice (BMJ) announced the release of a draft ordinance on the organization of the external federal reporting office under the Whistleblowing Protection Act, and launched a consultation on the same. The BMJ explained that whistleblower protection is designed to create an effective, confidential, and secure reporting channel to which potential whistleblowers can turn. In this regard, sections 19 to 31 of the Whistleblowing Protection Act allow for the establishment of external reporting channels. The draft ordnance would also set up an external reporting office at the Federal Office of Justice, and another external office for any reports that concern the Federal Office of Justice’s external federal reporting office itself. You can read the press release here and draft ordnance here, both available in German.
  • On 4 August, the German Federal Office for Information Security (BSI) announced the publication of technical guidelines on cyber resilience requirements for the software supply chain. In particular, the BSI explained that technical guidelines define formal and technical specifications for software parts (SBOM), thereby offering recommendations to software manufacturers for the design of SBOMs that serve to increase security in the software supply chain. The BSI pointed out that SBOMs are among the central requirements of the EU draft Cyber Resilience Act. You can read the technical guidelines here, only available in German.

Data Protection Authority Updates and Privacy News

  • On August 15, the UK National Cyber Security Centre (NCSC) announced the introduction of a new level to its Cyber Incident Response (CIR) scheme, which helps organisations experiencing cyber attacks identify vetted providers of incident response services. In particular, the NCSC noted that companies assured to offer CIR services will now be designated as Level 1 or Level 2. The NCSC highlighted that the change would make the CIR scheme available to more organisations, as previously the CIR scheme only assured companies that were able to provide incident response to critical infrastructure organisations. The CIR Level 1 companies will be able to provide incident response services for all organisations, and specifically those facing complex cyber attacks. The NCSC explained that CIR Level 2 companies will be capable of providing an incident response for private entities and smaller public bodies facing common attacks e.g. ransomware. You can access the CIR scheme here.
  • On August 16, 2023, the Croatian Institute for Information Systems Security (ZSIS) announced the adoption of an action plan for the implementation of the National Cyber Security Strategy, 2022. The ZSIS announced that the action plan analyses the implementation of measures in cybersecurity such as cybercrime, data protection, and computer security incidents. The action plan establishes goals for improving the handling of protected data by all those who do handle it. You can read the action plan here, and an annual report here, all available in Croatian.
  • On August 17, the Croatian data protection authority (AZOP) requested that the Hellenic data protection authority (HDPA) take action on a potential data breach. The AZOP highlighted that it had received reports that personal data including names, surnames, dates of birth, and parentage of Croatian criminals had been published in Greek, on a Greek portal. Accordingly, AZOP outlined that it had asked the HDPA to take action regarding the data controller of the Greek portal, to determine whether the publication of personal information related to criminal offences was in line with the GDPR. You can read the press release here, in Croatian.