Date: 2024-10-29

Data Protection Commission ("DPC") Decision - Meta Platforms Ireland Limited ("Meta")

DATE OF UPDATE: 27 September 2024

LINKS

Irish Data Protection Commission fines Meta Ireland €91 million | 27/09/2024 | Data Protection Commission

CURRENT STATUS

The DPC announced its final decision following an inquiry into Meta, which was launched in April 2019. The inquiry arose after Meta notified the DPC that it had inadvertently stored certain passwords of social media users in 'plaintext' on its internal systems (i.e. without cryptographic protection or encryption). The DPC found that Meta had infringed Article 33(1), Article 33(5), Article 5(1)(f) and Article 32(1) GDPR. A reprimand and a €91 million fine have been issued to Meta.

WHY IS THIS APPLICABLE TO CLIENTS?

This decision considers the level of security appropriate to the risks associated with the processing of passwords. When the full decision is published, the findings of the Commission will be instructive for other data controllers that process users' passwords.

NEXT STEPS

Await publication of the full decision and review.

CJEU Decision in Case C-768/21

DATE OF UPDATE: 26 September 2024

LINKS

Personal data protection: the supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine (europa.eu)

Recent CJEU Data Protection Decisions - Arthur Cox LLP

The Right to Compensation Under the GDPR: Key Takeaways from Recent Case Law of the Court of Justice of the European Union - (arthurcox.com)

CURRENT STATUS

The Court of Justice of the European Union ("CJEU") rules in Case C-768/21 | Land Hessen (Obligation of the data protection authority to act) that the supervisory authority is not obliged to exercise a corrective power in all cases of breach and to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on its own initiative.

WHY IS THIS APPLICABLE TO CLIENTS?

This preliminary ruling is of interest as it confirms that a data breach need not always result in a fine, depending on the circumstances and the measures taken to deal with the breach.

DPC Cross-Border statutory inquiry - AI

DATE OF UPDATE: 12 September 2024

LINKS

Data Protection Commission launches inquiry into Google AI model | 12/09/2024 | Data Protection Commission

CURRENT STATUS

The DPC announced that it has commenced a Cross-Border statutory inquiry into Google Ireland Limited under Section 110 of the Data Protection Act 2018. The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake a Data Protection Impact Assessment (DPIA), pursuant to Article 35 GDPR, prior to engaging in the processing of the personal data of EU/EEA data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2).

WHY IS THIS APPLICABLE TO CLIENTS?

The inquiry will be of interest to all data controllers processing the personal data of EU/EEA data subjects to assist with the development of their large language models.

NEXT STEPS

Review the decision once published if appropriate to the organisation.

EDPB 'Consent or Pay' Opinion - Event

DATE OF UPDATE: 12 September 2024

APPLICABLE DATES: The event will take place on 18 November 2024.

LINKS

Express your interest to take part in the EDPB stakeholder event on upcoming guidelines on 'Consent or Pay' | European Data Protection Board (europa.eu)

Link to White Paper published by Arthur Cox

EUR-Lex - 62024TN0319 - EN - EUR-Lex (europa.eu)

CURRENT STATUS

In April 2024, the European Data Protection Board ("EDPB") adopted an opinion (08/2024) on the circumstances in which 'consent or pay' models relating to behavioural advertising can be implemented by large online platforms in a way that constitutes valid and freely given consent. The opinion has been the subject of considerable debate among academics, practitioners, businesses and privacy activists.

In June, Meta Platforms Ireland Limited brought an action against the EDPB in the European General Court seeking to annul the opinion (Case T-319/24). The EDPB now seeks to collect stakeholders' input for its broader guidelines on the application of data protection legislation in the context of 'consent or pay' models. Registration for the stakeholder event in November opened on 12 September.

WHY IS THIS APPLICABLE TO CLIENTS?

The outcome of the event is intended to feed into forthcoming EDPB guidelines, which will be of interest to controllers seeking to process personal data for the purposes of behavioural advertising.

NEXT STEPS

Registration is now closed. Monitor developments if appropriate to the organisation.

ePrivacy – Prosecution of marketing offences

DATE OF UPDATE: 3 September 2024

LINKS

Data Protection Commission welcomes latest successful prosecutions of marketing offences | 06/09/2024 | Data Protection Commission

CURRENT STATUS

Supermac's Ireland Limited pleaded guilty to five charges of sending unsolicited marketing emails to a customer after they notified the company that they did not wish to receive such emails.

The DPC had previously issued a warning in February 2023 following investigations carried out on foot of previous complaints to the Office. In lieu of a conviction and fine, the company was asked to make a contribution of €3,500.

WHY IS THIS APPLICABLE TO CLIENTS?

The DPC continues to pursue organisations for unsolicited marketing communications.

EU-U.S. Data Privacy Framework

DATE OF UPDATE: 19 July 2024

LINKS

Joint Press Statement: Commissioner Didier Reynders and US Secretary of Commerce Gina Raimondo on the first periodic review of the EU-U.S. Data Privacy Framework - European Commission (europa.eu)

EU-US Data Privacy Framework: report of the Commission on how the framework is functioning (europa.eu)

CURRENT STATUS

Representatives from the United States Government, the European Commission, and EU data protection authorities met on July 18 and 19 to conduct the first review of the EU-U.S. Data Privacy Framework ("DPF").

The first review takes place one year after the DPF's inception, to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice. The Commission will adopt a report with its findings and conclusions. This public report will be submitted to the European Parliament and the Council.

On 12 August, the European Commission launched a call for evidence on the Report on the first review of the DPF.

WHY IS THIS APPLICABLE TO CLIENTS?

The report on the DPF will be relevant not only to the more than 2,800 enterprises that have joined the framework, but also to data controllers and processors transferring personal data to the U.S. using the other tools laid out in Chapter V GDPR.

EDPB Statement on AI

DATE OF UPDATE: 17 July 2024

LINKS

Statement 3/2024 on data protection authorities' role in the Artificial Intelligence Act framework | European Data Protection Board (europa.eu)

CURRENT STATUS

During its July plenary, the European Data Protection Board adopted a statement on the Data Protection Authorities' ("DPAs") role in the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) framework.

WHY IS THIS APPLICABLE TO CLIENTS?

The Statement identifies the need, in principle, to consider the AI Act and data protection legislation as complementary and mutually reinforcing instruments. Notably, the EDPB also recommends that DPAs have a supervisory role under the AI Act.

EDPB - New European Data Protection Seal

DATE OF UPDATE: 17 July 2024

LINKS

EDPB adopts statement on DPAs role in AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal | European Data Protection Board (europa.eu)

CURRENT STATUS

During its July plenary, the EDPB adopted an opinion approving the EuroPriSe Criteria Catalogue for the certification of processing activities by processors, resulting in a European Data Protection Seal.

In September 2022, the EDPB had adopted an opinion on the EuroPriSe certification criteria, enabling their recognition in Germany as certification criteria for processing operations by processors. Following an update of the scheme, this new opinion approves the criteria as being applicable in the whole EU/EEA, and as a European Data Protection Seal.

WHY IS THIS APPLICABLE TO CLIENTS?

GDPR certification contributes to the demonstration of compliance efforts and may be of interest to procurement and compliance teams.

EU-Japan Data Transfers

DATE OF UPDATE: 1 July 2024

LINKS

EU-Japan deal on data flows enters into force | Shaping Europe's digital future (europa.eu)

CURRENT STATUS

In October 2023, the EU and Japan concluded a deal on cross-border data flows to be included in the EU-Japan Economic Partnership Agreement ("EPA"). These new rules on data flows entered into force on 1 July.

WHY IS THIS APPLICABLE TO CLIENTS?

The EPA will be of interest to data controllers transferring personal data between the EU and Japan.

NEXT STEPS

Assess whether the EPA applies to data transfers made by the organisation and the implications for these transfers under the new rules.

Data Protection – Commission v EDPS

DATE OF UPDATE: 1 July 2024

LINKS

EUR-Lex - 62024TN0262 - EN - EUR-Lex (europa.eu)

EDPS decision on the investigation into the European Commission's use of Microsoft 365 | European Data Protection Supervisor (europa.eu)

CURRENT STATUS

The European Commission has filed 13 pleas against the European Data Protection Supervisor ("EDPS") in its action before the EU General Court to annul the EDPS's decision regarding the Commission's use of Microsoft 365. The EDPS decision, adopted on 8 March 2024, found that the Commission infringed several provisions of Regulation (EU) 2018/1725, the EU's data protection law for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU/European Economic Area (EEA).

WHY IS THIS APPLICABLE TO CLIENTS?

The decision of the Court, particularly its position on the safeguards put in place for transfers outside the EU/EEA, will be of interest to data controllers transferring data outside the EU/EEA.

