EU/UK Privacy & Cybersecurity News Roundup – Week of September 11, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On 31 August, NOYB filed complaints against Fitbit in Austria, Netherland, and Italy in relation to data transfer consent. Read the report here.
  • On 5 September, the AEPD imposed a reduced fine of €80,000 on Vodafone España, S.A.U. for issuing a duplicate SIM card to an unauthorised third party. You can read the decision, only available in Spanish, here.
  • On 6 September, the Norwegian DPA (Datatilsynet) announced that the Oslo District Court rejected Meta Platforms Ireland Limited’s and Facebook Norway AS’s petition for a temporary injunction against the behaviour-based marketing ban. You can read the press release here and the ruling here, both only available in Norwegian.
  • On 6 September, the ICO issued an enforcement notice and monetary penalty notice to Simply Connecting Limited in relation to a £40,000 fine. You can read the enforcement notice here and the monetary penalty notice here.
  • On 6 September, the Dutch data protection authority (AP) published its draft decision regarding the Privacy Code of Conduct Access Policy for International Ship and Port Security companies. You can read the press release here, the draft decision here, and the Code of Conduct here, all only available in Dutch.
  • On 7 September, the French Member of European Parliament Philippe Latombe submitted challenges to the European Union General Court against the EU-U.S. Data Privacy Framework. Read the report here.


  • On 6 September, the European Commission announced designation of six gatekeepers under the Digital Markets Act (DMA): Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. You can read the announcement here.

Guidance & Draft Guidance

  • On 8 August, the International Standards Organization (ISO) published guidance on consent record information structure. You can access the guidance here and read its preview here.
  • On 1 September, the ICO published a toolkit for sharing personal data with law enforcement bodies. Access the toolkit here.

Data Protection Authority Updates and Privacy News

  • On 1 September, the German Federal Office for Information Security (BSI) published a report on the status of cybersecurity in the automotive industry. You can read the press release here and the report here, both only available in German.
  • On 4 September, the CNIL adopted a recommendation relating to the terms of implementation of remote monitoring devices for online exams. You can read the press release here and the recommendation here, both only available in French.
  • On 4 September, the UK Parliament Northern Ireland Affairs Committee launched a probe into a data breach affecting the Police Service of Northen Ireland (PSNI). You can read the press release here.
  • On 4 September, the DSK published its application instructions on the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) of July 10, 2023. You can read the press release here and the instructions here, both only available in German.
  • On 7 September, the Department of Science Innovation and Technology (DSIT) Frontier AI Taskforce published its first progress report. You can read the press release here and the report here.
  • On 7 September, the ICO announced a review of period and fertility apps in relation to data security concerns. For the survey and more information, visit the ICO website here.

Other Privacy News

  • On 6 September, UK Minister Stephen Parkinson said the Office of Communications will not use the disputed powers within the proposed Online Safety Bill to scan messaging apps for harmful content until technology is developed with the capability. Read the report here.