EU/UK Privacy & Cybersecurity News Roundup – Week of September 18, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • On June 22, 2023, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) issued its decision in Case No. NAIH-6427-1/2023, in which it fined Digi Telecommunications and Services Ltd HUF 80 million (approx. $223,104), for violations of the General Data Protection Regulation (GDPR), following an audit in connection with a reported data breach. You can download the decision, only available in Hungarian, here.
  • On June 23, 2023, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) issued its decision in Case No. NAIH-6364-1/2023, in which it fined Budapest Public Utilities Ltd HUF 16 million (approx. $44,630), for violations of the General Data Protection Regulation (GDPR), following a public interest notification. You can download the decision, only available in Hungarian, here.
  • On September 7, 2023, the Court of Justice of the European Union (CJEU) issued a press release on its judgment in Case C-162/22 A.G. v Lietuvos Respublikos generalinė prokuratūra, further to a reference for a preliminary ruling from the Supreme Administrative Court of Lithuania. You can read the press release here and the ruling here.
  • On September 7, 2023, Interactive Advertising Bureau (IAB) Europe announced that the Belgian Market Court had rendered an interim ruling and suspended its assessment of the Belgian Data Protection Authority’s (Belgian DPA) validation decision in relation to the Transparency & Consent Framework (TCF), pending the Court of Justice of the European Union’s (CJEU) preliminary ruling. You can read the press release here.
  • On September 11, 2023, the Italian data protection authority (Garante) announced, in its newsletter, its decision No. 322, as issued on July 18, 2023, in which it imposed a fine of €40,000 on Compara Facile S.r.l., for violations of the General Data Protection Regulation (GDPR) and the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code), following a complaint by an individual. You can read the decision here and the newsletter here, both only available in Italian.
  • On September 11, 2023, the Finnish Office of the Data Protection Ombudsman (the Ombudsman) published its Decision in Case No. 8422/161/2021, as issued on July 6, 2023, in which its Sanctions Board imposed a fine of €23,000 on Suomen Yritysrekisteri Oy for violations of the General Data Protection Regulation (GDPR), following several complaints. You can read the press release here and the decision here, both only available in Finnish.
  • On September 12, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00456-2023, in which it imposed fines for a total of €70,000 on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) for violations of the General Data Protection Regulation (GDPR), following a complaint submitted by an individual. You can read the decision, only available in Spanish, here.
  • On September 13, 2023, the Croatian Personal Data Protection Agency (AZOP) announced that it had imposed an administrative fine of €25,000 on Zagrebački holding d.o.o., for violations of the General Data Protection Regulation (GDPR), following a complaint from an individual. You can read the decision, only available in Croatian, here.

Legislation

  • On September 11, 2023, the UK’s Department for Science, Innovation, and Technology (DSIT) published draft amendments (the Amendments) to the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018), as well as an Explanatory memorandum on the Amendments. You can read the announcement here, the Amendments here, the Explanatory memorandum here, and track the Amendments’ progress here.

Guidance & Draft Guidance

  • On September 6, 2023, the German Data Protection Conference (DSK) published its opinion on the draft law amending the Federal Data Protection Act, published on August 29, 2023, by the German Federal Ministry of Interior, Building, and Community (BMI). You can read the opinion here and the draft law here, both only available in German.
  • On September 7, 2023, the United Nations Educational, Scientific and Cultural Organization (UNESCO) published Guidance for generative AI in education and research. You can read the press release here and download the Guidance here.
  • On September 7, 2023, Czechia’s National Office for Cyber and Information Security (NÚKIB) published a guide for supplier management in relation to cybersecurity risk assessment. You can read the press release here and the guide here, both only available in Czech.
  • On September 7, 2023, Israel’s Privacy Protection Authority (PPA) announced that it is seeking public comments on the draft guideline on the role of the board of directors in fulfilling the company’s obligations under the Protection of Privacy Regulations (Data Security) (the Regulations). You can read the press release here and the draft guidelines here, both only available in Hebrew.
  • On September 13, 2023, the UK’s Information Commissioner’s Office (ICO) announced via LinkedIn that it has published its Smart Data Foundry Regulatory Sandbox Final Report. You can read the LinkedIn post here and the report here.

Data Protection Authority Updates and Privacy News

  • On September 4, 2023, Germany’s Thuringian data protection authority (TLfDI) published its opinion on the German Data Protection Conference’s (DSK) application instructions on the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF). You can read the press release, only available in German, here.
  • On September 6, 2023, the European Data Protection Supervisor (EDPS) issued its opinion on the European Commission’s Proposal for a Regulation on European Statistics, which aims at making the legal framework governing European statistics fit for the future and improving the responsiveness of the European Statistical System to data needs. You can read the opinion here.
  • On September 7, 2023, the Swedish data protection authority (IMY) published its Decision No. IMY-2022-6945, as issued on the same date, in which it determined the requirements that bodies tasked with monitoring compliance with codes of conduct must meet in order to be accredited under Article 41(2) of the General Data Protection Regulation (GDPR). You can read the press release here and the decision here, both only available in Swedish.
  • On September 7, 2023, the Council of Europe (CoE) announced that the President of the Swiss Confederation had transmitted the instrument of ratification of the Protocol of Amendment to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). You can read the press release here and access Convention 108+ here.
  • On September 7, 2023, Türkiye’s Personal Data Protection Authority (KVKK) announced a data breach that occurred within Hotiç Ayakkabı San. ve Tic. A.Ş. You can read the press release, only available in Turkish, here.
  • On September 7, 2023, the UK’s Information Commissioner’s Office (ICO) issued a statement in response to a report by Which? alleging that smart devices were harvesting consumers’ personal data. You can read the statement here.
  • On September 8, 2023, the UK’s Information Commissioner’s Office (ICO) announced on LinkedIn that it had published a summary of its data protection audit report of the Police Service of Northern Ireland (PSNI), which the ICO conducted in May 2023. You can read the statement here and the audit summary here.
  • On September 11, 2023, the Spanish data protection authority (AEPD) released a blog post providing insights into the realm of digital currencies, focusing on cryptocurrencies and Central Bank Digital Currencies (CBDCs). You can read the blog post, only available in Spanish, here.
  • On September 11, 2023, the Irish Data Protection Commission (DPC) announced the outcome of the prosecution proceedings against Chill Insurance Limited, Hidden Hearing Limited, the Multiple Sclerosis Society of Ireland, and Vodafone Ireland Limited. You can read the press release here.
  • On September 11, 2023, the Danish data protection authority (Datatilsynet) published its decision in Case No. 2021-31-5667, as issued on March 27, 2023, in which it expressed criticism against OrderYOYO A/S, for violations of the General Data Protection Regulation (GDPR), following a complaint made to the Datatilsynet. You can read the press release here and the decision here, both only available in Danish.
  • On September 12, 2023, the UK’s Information Commissioner’s Office (ICO) announced that it had signed a Memorandum of Understanding (MoU) with the National Cyber Security Centre (NCSC) on the development of cybersecurity standards and guidance to improve the cybersecurity of organizations. You can read the press release here.
  • On September 12, 2023, the Dutch Consumers Association (the Consumentenbond) and the Data Privacy Foundation (the Data Privacy Stichting) announced that they had filed a court case against Google LLC, for violation of user privacy rights. You can read the press release here and the mass claim here, both only available in Dutch.
  • On September 12, 2023, the Danish data protection authority (Datatilsynet) published its decision in Case No. 2022-31-6316, as issued on the same date, in which it expressed criticism against a housing association, for violations of the General Data Protection Regulation (GDPR), following a complaint made to the Datatilsynet. You can read the press release here and the decision here, both only available in Danish.
  • On September 13, 2023, the UK’s Information Commissioner’s Office (ICO) made an announcement regarding the sentencing of Rachel Anderton, a former family intervention officer at St Helens Borough Council, for unlawfully accessing social services records. You can read the press releases here and here.

Other Privacy News

  • On September 11, 2023, the UK’s National Cyber Security Centre (NCSC) announced that it had published a white paper on ransomware, extortion, and the cybercrime ecosystem, in partnership with the National Crime Agency (NCA). You can read the press release here and the report here.
  • On September 11, 2023, Germany’s Federal Office for Information Security (BSI) published a draft update to the Technical Guideline (TG) TR-03170 on secure digital transmission of biometric photographs from service providers to passport, ID card, and immigration authorities, requesting comments on the same. You can read the announcement here and the draft update here, both only available in German.
  • On September 13, 2023, the European Commission published President Ursula von der Leyen’s 2023 State of the Union address, which discussed, among other things, the challenges and opportunities of artificial intelligence (AI). You can read the address here.