Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.
Case Law Updates and Fines
- On 25 August, the ICO fined This Is The Big Deal Limited £30,000 for unsolicited direct marketing. Read the monetary penalty notice here.
- On 28 August, in Spain, the AEPD fined Atresmedia €50,000 for unnecessary data processing. Read the decision, only available in Spanish, here.
- On 30 August, the AEPD fined GLS Spain €140,000 for unlawful data processing. Read the decision, only available in Spanish, here.
- On 30 August, the Swedish data protection authority (IMY) fined Trygg-Hansa SEK 35M for data security failures. Read the press release here and the decision here, both only available in Swedish.
- On 28 August, the High Court of Ireland issued its decision in the case of Johnny Ryan vs. Data Protection Commission [2023] IEHC 511. This case involved a challenge to the Data Protection Commission’s handling of a complaint made under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 by Johnny Ryan, concerning Google Ireland Ltd’s data processing for targeted advertising through the Google Authorized Buyers Ad Exchange. Read the judgment here.
Legislation
- On 25 August, the European Commission announced that the Digital Services Act entered into force, on the same date, for large online platforms following its general entry into effect on November 16, 2022. Read the press release here and the DSA here.
- On 20 August, the CNIL issued its opinion on a draft decree relating to the use of algorithmic processing technologies relating to the Paris 2024 Olympics. Read the opinion, only available in French, here.
- On 1 September, in Switzerland, the Federal Act on Data Protection 2020 and the Ordinance on the Federal Act on Data Protection entered into force. For further information and resources on Switzerland, see Switzerland homepage.
Guidance & Draft Guidance
- On 29 August, the Danish data protection authority (Datatilsynet) published new guidance on the obligations of data controllers when the ‘auto-complete’ function is used in emails. Read the press release here and access the guidance here both only available in Danish.
- On 30 August, the ICO issued guidance on sending emails containing personal data. Read the press release here and access the guidance here.
- On 31 August, in Switzerland, the FDPIC released its factsheet on procedure for preparing a DPIA. Read the press release here and download the factsheet here.
- On 31 August, the ICO issued guidance on handling employee health data. Read the press release here and access the guidance here.
- On 25 August, in Norway, Datatilsynet released guidance on access to employees’ emails and electronically stored material. Read the press release here guidance here, both only available in Norwegian.
Data Protection Authority Updates and Privacy News
- On 28 August, the CNIL requested comments on the draft recommendation on processing presenting high risks. Read the press release here and the draft recommendation here, both only available in French.
- On 24 August, in Turkey, the Personal Data Protection Authority (KVKK) announced a data breach within Beşiktaş Sportif Ürünleri Sanayi ve Ticaret. Read the press release, only available in Turkish, here.
- On 29 August, in Serbia, the Commissioner for Information of Public Importance and Personal Data Protection (the Poverenik) announced that the Government of the Republic of Serbia had adopted the personal data protection strategy for 2023 to 2030. Read the press release here.
- On 29 August, the UK Culture, Media and Sport Committee published its report titled ‘Connected tech: AI and creative technology.’ Read the press release here, the report here, and a summary of the report here.
- On 22 August, in Spain, the Ministry of Finance and Public Function announced the approval by the Council of Ministers of a Royal Decree approving the statute for the creation of the National Artificial Intelligence Supervisory Agency. Read the press release, only available in Spanish, here.