EU/UK Privacy & Cybersecurity News Roundup – Week of October 30, 2023

Case Law Updates and Fines

  • On May 29, 2023, the Hellenic Data Protection Authority (HDPA) published Decision No. 20/2023, in which it fined WIND Hellas Telecommunications S.A. (now NOVA Telecommunications & Media Monoprosopi SA) €150,000, for violations of the General Data Protection Regulation (GDPR), following a complaint. You can read the press release here and the decision here, both only available in Greek.
  • On September 20, 2023, the Polish data protection authority (UODO) announced that the Supreme Administrative Court (the Supreme Court) upheld the UODO’s decision to impose an administrative fine of PLN 943,000 (approx. $217,880) on Bisnode Polska (now Dun & Bradstreet), for processing data without informing the persons whose data it processed. You can read the press release, only available in Polish, here.
  • The Hellenic Data Protection Authority (HDPA) published, on September 25, 2023, its decision No. 30/2023, as issued on September 25, 2023, in which it imposed a fine of €50,000, as well as a reprimand, on Athens Urban Transport Organization S.A. (OASA), for violations of the General Data Protection Regulation (GDPR), following an ex officio inspection. You can read the press release here and the decision here, both only available in Greek.
  • On October 10, 2023, the Italian data protection authority (Garante) announced in its newsletter its Decision No. 393, as issued on July 18, 2023, in which it imposed a fine of €75,000 and a corrective order on Università e-Campus, for violations of the General Data Protection Regulation (GDPR) and the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to the GDPR (the Code), following the submission of complaints by multiple individuals. You can read the newsletter here and the decision here, both only available in Italian.
  • The French data protection authority (CNIL) issued, on October 12, 2023, its decision No. SAN-2023-015, in which it imposed a fine of €600,000 on Groupe Canal+ SA, for violations of the General Data Protection Regulation (GDPR) and the Post and Electronic Communications Code (Communications Code), following numerous complaints. You can read the decision, only available in French, here.
  • On October 19, 2023, the Austrian data protection authority (DSB) issued a decision, in which it found Google LLC in violation of the General Data Protection Regulation (GDPR), following its investigation of Google’s product, Google Fonts. You can read the press release, only available in German, here.
  • On October 19, 2023, the Swedish Authority for Privacy Protection (IMY) published its Decision No. DI-2020-10545, as issued on October 17, 2023, in which it imposed a fine of SEK 350,000 (approx. $31,850) on Hennes & Mauritz GBC AB (H&M), for violation of the General Data Protection Regulation (GDPR). You can read the press release here and the decision here, both only available in Swedish.
  • On October 20, 2023, the Polish data protection authority (UODO) announced that the Provincial Administrative Court in Warsaw upheld the UODO’s decision to impose an administrative fine of PLN 1.6 million (approx. $380,260) on P4 Sp. z o.o. (formerly Virgin Mobile Poland Sp. z o.o.) for violations of the General Data Protection Regulation (GDPR). You can read the press release, only available in Polish, here.
  • On October 20, 2023, the Court of Amsterdam published its judgment, as issued on October 18, 2023, in which it held that Criteo may not place cookies on an individual’s computer and/or other devices without their consent, pursuant to the General Data Protection Regulation (GDPR). You can read the Court decision, only available in Dutch, here.
  • The Italian data protection authority (Garante) announced, on October 23, 2023, in its newsletter, its decision No. 427, as issued on September 28, 2023, in which it imposed a fine of €10 million on Axpo Italia S.p.A., for violations of the General Data Protection Regulation (GDPR), following multiple complaints from individuals. You can read the newsletter here and the decision here, both only available in Italian.
  • On October 23, 2023, the Italian data protection authority (Garante) announced in its newsletter its decision No. 426, as issued on September 28, 2023, in which it imposed a fine of €30,000 on the Local Health Authority Napoli 3 Sud, for violations of the General Data Protection Regulation (GDPR), following the submission of a data breach notification by the Local Health Authority. You can read the newsletter here and the decision here, both only available in Italian.
  • On October 25, 2023, the Norwegian data protection authority (Datatilsynet) announced that Meta Platforms Ireland Limited had brought an action in the Oslo District Court against the Datatilsynet’s decision to ban behavior-based marketing on Facebook and Instagram. You can read the press release, only available in Norwegian, here.
  • The Court of Justice of the European Union (CJEU) announced, on October 26, 2023, its judgment in case FT v DW (C-307/22), as issued on the same date. In particular, the judgment follows a request for a preliminary ruling from the German Federal Court of Justice, in relation to a case brought before it by a patient seeking to obtain, free of charge, a copy of their medical records from their dentist, with a view to triggering the dentist’s liability for errors allegedly made in providing the patient with dental care. You can read the press release here and the judgment, only available in German and French, here.

Legislation

  • On October 20, 2023, the European Commission announced that it had adopted a delegated regulation with rules on independent audits to assess compliance of very large online platforms and search engines with the Digital Services Act (DSA). You can read the press release here and the delegated regulation here.
  • The European Data Protection Supervisor (EDPS) published, on October 24, 2023, its final recommendations for the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (the AI Act), as this enters the final stages of negotiations between the EU co-legislators. You can read the press release here and the recommendations here.
  • On October 26, 2023, the Office of Communications (Ofcom) announced that the Online Safety Act had become law after receiving Royal Assent. Ofcom noted that it would now enforce the Act and that it had published its implementation approach and timelines, outlining how Ofcom would drive changes aligned with the Act’s objectives and support services to comply with their new legal obligations. You can read the press release here, the Act here, and Ofcom’s implementation approach here.

Guidance and Draft Guidance

  • The Federal Office for Information Security (BSI) announced, on October 18, 2023, the launch of a new publication series to assist companies’ executives with current cybersecurity issues. You can read the announcement here, the first document here, and the second document here, all only available in German.
  • The European Consumer Organisation (BEUC) published, on October 19, 2023, a research study for the purpose of optimizing choice screen design and evaluating effective compliance with Article 6(3) of the Digital Markets Act (DMA). You can read the study here.
  • The Council of Europe (CoE) released, on October 19, 2023, its revised draft Model Two Contractual Clauses for cross-border data transfers, based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). You can read the draft model clauses here.
  • The European Union Agency for Cybersecurity (ENISA) announced, on October 19, 2023, the publication of its 2023 Threat Landscape report. In particular, the report outlines that ENISA recorded approximately 2,580 incidents during the period from July 2022 to June 2023, and an additional 220 incidents specifically targeting two or more EU Member States. You can read the press release here and download the report here.
  • On October 25, 2023, the Department of Science, Innovation and Technology (DSIT) published a document titled ‘Capabilities and risks from frontier AI – A discussion paper on the need for further research into AI risk.’ You can read the announcement here and the discussion paper here.
  • On October 25, 2023, the Department of Science, Innovation and Technology (DSIT) published the first phase of an evaluation of the implementation of the International Data Transfer Agreement (IDTA). You can read the press release here and the evaluation here.
  • On October 26, 2023, the Competition and Markets Authority (CMA) published its latest update report on the implementation of Google’s commitment to address competition concerns resulting from Google’s proposals to remove third-party cookies and other functionalities from its Chrome browser and replace them with a Privacy Sandbox. You can read the press release here and the update report here.
  • On October 27, 2023, the Supervisory Authority of Liechtenstein (DSS) published guidelines on using chatbots in compliance with data protection requirements. You can read the guidelines, only available in German, here.

Data Protection Authority Updates

  • On October 17, 2023, the Federal Ministry for Digital and Transport (BMDV) issued a statement regarding its digital strategy. In particular, the BMDV stated, among other things, that the Federal Government is playing a key role in the regulation of artificial intelligence (AI) in the EU, and the BMDV is negotiating a possible voluntary commitment (Code of Conduct) for AI developers at the G7 level. You can read the press release here and the digital strategy here, both only available in German.
  • On October 20, 2023, the Belgian data protection authority (Belgian DPA) released a checklist to help organizations align their cookie practices with current regulations. You can read the press release, available in both French and Dutch, here, and access the checklist, only available in French, here.
  • On October 23, 2023, the European Consumer Organisation (BEUC) released a statement expressing concerns over the potential adoption of weak and unclear regulations for generative artificial intelligence (AI) systems, like ChatGPT or Bard, by the EU institutions. You can read the press release here.
  • On October 24, 2023, the Swedish Authority for Privacy Protection (IMY) announced its opinion, published on October 20, 2023, on the use of biometric information for criminal investigation. You can read the press release here and the opinion here, both only available in Swedish.
  • On October 26, 2023, the United Nations (UN) announced the creation of the AI Advisory Body. In particular, the Body is composed of 39 experts from across the world, and is expected to make recommendations on areas of international governance of artificial intelligence (AI), shared understanding of risks and challenges, and key opportunities and enablers to leverage AI to accelerate the sustainable development goals (SDGs). You can read the press release here.
  • On October 26, 2023, the Personal Data Protection Authority (KVKK) announced that it signed a cooperation and information sharing protocol with the Competition Authority. In particular, the KVKK noted that the increasing processing of personal data through big data technologies may raise significant concerns in terms of competition and the protection of personal data, necessitating cooperation between relevant authorities. You can read the press release, only available in Turkish, here.
  • On October 26, 2023, the Rhineland-Palatinate data protection authority (LfDI Rheinland-Pfalz) announced that it had sent additional questions to OpenAI, L.L.C., the company that manages ChatGPT, following its initial request for information regarding its processing activities. You can read the press release, only available in German, here.
  • The Italian data protection authority (Garante) announced, on October 27, 2023, that it had met with the Icelandic data protection authority (Persónuvernd) for a two-day study event. The Garante explained that both authorities outlined the main activities carried out to protect minors’ data, focusing on the risks minors may incur online and on effective age verification systems. You can read the press release, only available in Italian, here.
  • On October 27, 2023, the Department of Science, Innovation and Technology (DSIT) published the results of an international survey on public opinion towards artificial intelligence (AI) safety. The survey finds that, overall, respondents from the general public in nine countries (Canada, France, Germany, Italy, Japan, Singapore, South Korea, the UK, and the USA) expressed support for AI safety testing. You can read the press release here and download the survey here.
  • On October 30, 2023, the Swedish Authority for Privacy Protection (IMY) published its opinion on the government proposal SOU 2023:22 concerning data storage and access to electronic information. You can read the press release here, the opinion here, and the proposal here, all only available in Swedish.

Other Privacy News

  • The Council of Europe (CoE) announced, on October 19, 2023, that Hungary joined the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+), becoming the 30th country to do so. You can read the press release here and access Convention 108+ here.
  • The Global Privacy Assembly (GPA) met in Bermuda for its 45th annual meeting from October 15 to 20, 2023, to talk about critical privacy challenges and how authorities may work together to preserve privacy in an increasingly data-driven society.
  • The Global Privacy Assembly (GPA) published, on October 26, 2023, various resolutions adopted during its 45th meeting, held from October 15 to 20, 2023, including addressing risks of generative AI. You can read the resolutions here.
  • The European Data Protection Board (EDPB) published, on October 25, 2023, the agenda for its 86th plenary meeting, which will take place on October 27, 2023. The agenda notes that the EDPB will discuss the urgent binding decisions requested by the Norwegian data protection authority (Datatilsynet) for the ordering of final measures regarding Meta Platforms Ireland Limited. You can read the agenda here and the press release here.
  • On October 28, 2023, the European Commission announced that it had concluded an agreement with Japan focused on cross border data flows. The Commission explained that the agreement will enable both parties to handle data efficiently without cumbersome administrative or storage requirements, highlighting that the agreement removes costly data localization requirements. You can read the press release here.
  • On October 30, 2023, the Group of Seven (G7) announced their agreement to commit to International Guiding Principles on Artificial Intelligence (the Principles) and an International Code of Conduct for Organizations Developing Advanced AI Systems (Code of Conduct). You can download the G7 statement here, the Principles here, and the Code of Conduct here.