EU/UK Privacy & Cybersecurity News Roundup – Week of October 9, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

  • The Office of the Commissioner for Personal Data Protection (the Commissioner) published, on May 3, 2023, its decision No. 11.17.001.010.045, as issued on January 16, 2023, in which it fined Politis newspaper €7,000 for violations of the General Data Protection Regulation (GDPR), following a complaint. You can read the press release here, and the decision here, all only available in Greek.
  • On May 11, 2023, the Advocate General (AG) Maciej Szpunar delivered their opinion in Case C-33/22 Austrian data protection authority (DSB) v. President of the National Council of Austria, in relation to a request for a preliminary ruling of the Court of Justice of the European Union (CJEU) lodged by the Supreme Administrative Court of Austria. You can read the opinion, available in various languages, here.
  • The Information Commissioner’s Office (ICO) announced, on September 20, 2023, the issuance of a monetary penalty of £65,000, as well as an enforcement notice, to RHAP Limited, for violations of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). You can read the press release here, the monetary penalty here, and the enforcement notice here.
  • The Norwegian Privacy Board (Personvernnemnda) issued, on September 27, 2023, its decision in which it upheld the Norwegian data protection authority’s (Datatilsynet) decision to impose a fine of NOK 65 million (approx. $6 million) on Grindr LLC for violations of Articles 6(1) and 9(2) of the General Data Protection Regulation (GDPR), following an appeal against the Datatilsynet’s decision. You can read the press release here and the decision here, both only available in Norwegian.
  • On September 28, 2023, the Danish data protection authority (Datatilsynet) announced that the Eastern High Court imposed a fine of DKK 1 million (approx. $142,280) on Arp-Hansen Hotel Group A/S, in its judgment of September 26, 2023, for failure to delete the personal data of customers in violation of Article 5(1)(e) of the General Data Protection Regulation (GDPR). You can read the press release here and the judgment here, both only available in Danish.
  • On September 28, 2023, the Norwegian data protection authority (Datatilsynet) requested the European Data Protection Board (EDPB) provide a binding decision regarding its temporary ban on behavior-based marketing on Meta Platforms Ireland’s Facebook and Instagram services, following its decision in July 2023. You can read the press release, only available in Norwegian, here.
  • On September 28, 2023, the Danish data protection authority (Datatilsynet) published its decision, as issued on September 13, 2023, in which it expressed criticism against Zealand Region, for violations of the General Data Protection Regulation (GDPR), following a report. You can read the press release here and the decision here, both only available in Danish.
  • The Personal Data Protection Agency (AZOP) announced, on October 5, 2023, that it had imposed a fine of €5.7 million on EOS Matrix d.o.o. for violations of the General Data Protection Regulation (GDPR), following an anonymous petition. You can read the press release, only available in Croatian, here.
  • On October 5, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2021-5774, as issued on October 3, 2023, in which it imposed a fine of SEK 800,000 (approx. $72,500) on the Board of Education for the City of Stockholm, for violation of the General Data Protection Regulation (GDPR). You can read the press release here and the decision here, both only available in Swedish.
  • The French data protection authority (CNIL) announced, on October 5, 2023, the Deliberation of CNIL’s Restricted Committee No. SAN-2023-014 of September 28, 2023 (Deliberation of September 28). The Deliberation of September 28 closed the injunction issued against VOODOO SAS for compliance with the Deliberation of CNIL’s Restricted Committee No. SAN-2022-026 of 29 December 2022 (Deliberation of December 29), in which CNIL fined VOODOO €3 million for failing to obtain user consent for the use of technical identifiers, in violation of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act). You can read the press release here and the Deliberation of September 28 here, both only available in French.
  • On October 5, 2023, the Federal Cartel Office (Bundeskartellamt) announced that, as a result of proceedings conducted based on Section 19a of the German Competition Act (GWB), Alphabet Inc., i.e., Google’s parent company, committed to giving users better choice as to how Google processes their data. You can read the press release here.
  • On October 6, 2023, the Danish data protection authority (Datatilsynet) announced that it had reported Texas Andreas Petersen A/S to the police and recommended a fine of DKK 200,000 (approx. $28,292), for collecting and sharing personal data on website visitors without authorization. You can read the press release, only available in Danish, here.
  • The Austrian data protection authority (DSB) published a summary of the Federal Administrative Court’s (BVwG) judgment in Case No. GZ: W108 2251251-1/6E of March 15, 2023, in which the BVwG dismissed the complaint against the DSB’s decision regarding the production of photographs for evidence purposes in violation of the General Data Protection Regulation (GDPR). You can read the summary of the case by the DSB, only available in German, here.
  • The Austrian data protection authority (DSB) published a summary of the Constitutional Court (VfGH) judgment in Case No. GZ: G-287/2022 of December 14, 2022, as a result of which the Federal Administrative Court (BVwG) annulled a decision from the DSB. You can read the summary of the case by the DSB, only available in German, here.
  • The Austrian data protection authority (DSB) published a summary of the Federal Administrative Court’s (BVwG) judgment in Case No. GZ: W245 2263552-1/20E of February 7, 2023, in which the BVwG dismissed the respondent’s appeal against the decision of the DSB following a violation of the complainant’s right to secrecy. You can read the summary of the case by the DSB, only available in German, here.

Legislation

  • On September 11, 2023, Bill 257 SE for the Act on the protection of whistleblowers who report breaches of European Union law was introduced to the Estonian Parliament and thereafter referred by the Legal Committee, on September 26, 2023, to the plenary assembly for its first parliamentary reading, which is scheduled for October 18, 2023. You can download the bill and track its progress here, both only available in Estonian.
  • The European Consumer Organisation (BEUC) published, on October 5, 2023, its recommendations for the Cyber Resilience Act’s (draft Act) trialogue negotiations, further to the Council of the European Union’s and the European Parliament’s adoption of their respective positions on the European Commission’s proposal. You can read the recommendations here.

Guidance and draft Guidance

  • On September 27, 2023, the Information Commissioner’s Office (ICO) published advice and guidance to assist organizations in handling people’s information properly, following recent reprimands issued by the ICO for data breaches affecting victims of domestic abuse. You can read the recommendations here.
  • On September 27, 2023, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) announced that it had published an opinion on the draft law relating to financial transaction investigations. You can read the press release here and the opinion here, both only available in German.
  • On September 28, 2023, the European Data Protection Supervisor (EDPS) released a blog post on the interplay between data protection and cybersecurity. In particular, the blog post notes that data protection and cybersecurity, as two sides of the same coin, provide a robust set of complementary measures and tools to protect individuals’ personal data, their privacy, and the EU’s digital ecosystem at large, and are instrumental to upholding EU values and democracy. You can read the blog post here.
  • On September 28, 2023, the Spanish data protection authority (AEPD) published a blog post entitled ‘Data Spaces, sovereignty and privacy by design’ regarding Privacy Enhancing Technologies (PETs). You can read the blog post here.
  • The Federal Office for Information Security (BSI) announced, on October 5, 2023, that it had published an information flyer for companies in the special public interest (UBI). You can read the press release here and the flyer here, both only available in German.
  • On October 3, 2023, the Danish data protection authority (Datatilsynet) announced that it had published its response, dated March 17, 2023, to a query it had received from the Region Central Jutland in 2022 on whether colocation server service providers are considered data processors for the organizations to which they provide services. You can read the press release here and the response here, both only available in Danish.
  • On October 3, 2023, the Information Commissioner’s Office (ICO) published guidance to help employers fully comply with data protection law if they wish to monitor their workers. You can read the press release here and the guidance here.
  • On October 5, 2023, the Italian data protection authority (Garante) announced the publication of the latest update to its guidance on the processing of personal data in educational institutions. You can read the press release here and access the guidance here, both only available in Italian.
  • On October 5, 2023, the Information Commissioner’s Office (ICO) announced via LinkedIn that it had published its Our Future Health UK Regulatory Sandbox Final Report. The report looked at how to process the personal information of a large number of people taking part in the UK’s biggest health research program. You can read the LinkedIn post here and the report here.
  • On October 5, 2023, the Danish data protection authority (Datatilsynet) announced that it had published guidance on the development and use of artificial intelligence (AI) by public authorities, as well as a mapping report on public authorities’ use of AI. You can read the press release here, the guide here, and the report here, all only available in Danish.

Data Protection Authority Updates

  • On September 28, 2023, the Personal Data Protection Authority (KVKK) announced a data breach that occurred within Elca Kozmetik Limited Şirketi. In particular, the KVKK highlighted that Elca Kozmetik notified them of a data breach, in accordance with Article 12(5) of the Law on Protection of Personal Data No. 6698. You can read the press release, only available in Turkish, here.
  • On October 2, 2023, the Information Commissioner’s Office (ICO) launched a public consultation on its draft Data Protection Fining Guidance. In particular, the guidance details how the ICO determines penalty notices and calculates fines under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). You can read the press release here, access the online survey here, and the response document here.
  • The European Commission announced, on October 3, 2023, the adoption of a Recommendation on critical technology areas, including artificial intelligence (AI), for further risk assessment with Member States. The Recommendation identifies four technology areas considered highly likely to present the most sensitive and immediate risks related to technology security and technology leakage. You can read the announcement here.
  • On October 3, 2023, the National Cyber Security Centre (NCSC) announced the opening of a one-stop shop by three government agencies for reporting cyber threats and vulnerabilities. You can read the press release, only available in Dutch, here.
  • On October 5, 2023, the Spanish data protection authority (AEPD) launched a new tool, ‘ValidaCrypto GDPR,’ which helps evaluate encryption systems to facilitate regulatory compliance by analyzing each of the elements of the process. You can read the press release here, the tool here, and the guidelines here, all only available in Spanish.
  • On October 6, 2023, the Information Commissioner’s Office (ICO) announced that it had issued a preliminary enforcement notice against Snap Inc. and Snap Group Limited (Snap) over potential failure to properly assess the privacy risks posed by Snap’s generative artificial intelligence (AI) chatbot ‘My AI.’ You can read the press release here.

Other Privacy News

  • On September 28, 2023, the International Civil Liberties Center (ICCL) urged the Irish Government to ensure no appearance of conflict of interest in the selection of new leaders of the Data Protection Commission (DPC). You can read the press release here.
  • The Council of Europe (CoE) announced, on September 29, 2023, that the Bureau of the Committee of Convention 108 held its 59th meeting, from September 27 to 29, 2023. In particular, the Bureau discussed the interpretation of Article 11 of the Protocol of Amendment to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+), the second module of the model contractual clauses for the transfer of personal data, and the draft guidelines on the processing of sensitive personal data for the purposes of voter registration and authentication. You can read the press release here and the meeting agenda here.