Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.
Case Law Updates and Fines
- On May 22, 2023, the Irish Data Protection Commission ('DPC') announced that it had issued its decision on May 12 in which it fined Meta Platforms Ireland Limited ?1.2 billion for breach of Article 46(1) of GDPR relating to its data transfers to its US counterpart, Meta Platforms Inc. The transfers had been made by incorporating the European Commission's 2021 Standard Contractual Clauses, and included a Transfer Impact Assessment noting a record of safeguards. The DPC consulted with its peer regulators in the EU, and ordered that these transfers should be suspended. The DPC specified that US law does not provide a level of protection that is essentially equivalent to EU law, that the SCCs cannot compensate for that inadequate protection provided by US law, and that the measures set out in Meta's record of safeguards also could not compensate for that inadequate protection. You can read the press release here, the decision here, and Meta's response here.
- On May 23, the Dutch Consumers Association and Data Privacy Foundation announced the launch of a mass privacy claim against Google LLC for violation of user privacy rights. In particular, they allege that Google collects user data though services such as Google Search, Google Chrome, Gmail and Google Maps without user consent. They demand that Google change its privacy practices to no longer be in violation of the law, including by applying effective Privacy by Design, assessing the legal basis of user consent for the processing of personal data, and no longer sending personal data to the US. You can read the press release here and the mass claim here, both available in Dutch.
- On April 28, in Bulgaria, the rules to amend and supplement the Regulations for the activities of the Bulgarian Commission for Personal Data Protection ('CPDP') and its administration were published and entered into force. These Rules introduce new provisions to powers assigned to the CPDP by the Whistle-blower Protection and Public Disclosure Act. The CPDP acts as the central authority for external whistleblowing reporting and for protection of persons disclosing information on violations of Bulgarian law. The rules also provide for the establishment of an external reporting channel unit to assist the CPDP in the exercise of these powers. You can read the Rules here, available in Bulgarian.
- On May 24, the European Commission published a statement ahead of the fifth anniversary of the GDPR. The Commission highlighted that it announced in its 2023 Work Programme that it would propose a legislative initiative to improve cooperation between data protection authorities when enforcing GDPR, which will establish targeted harmonization of key aspects of administrative procedures applied in cross-border cases. You can read the statement here.
Guidance & Draft Guidance
- On April 21, the Hamburg Commissioner for Data Protection and Freedom of Information ('Commissioner') published a manual to clarify essential aspects of the operation of a website and facilitate compliance with data protection requirements. The manual clarifies the obligations under German law to obtain a user's consent before placing cookies, which applies regardless of whether personal data is processed. The manual also specifies that the first layer of any consent banner should provide a blanket consent option, an equally prominent rejection function, and the option to obtain more detailed information. The manual also focuses on third-party content integration, and notes that consent must be obtained when maps, videos, fonts and social media are integrated into a website. You can read the manual here, available in German.
- On May 19, the Irish Deputy Data Protection Commission ('DPC') announced the publication of a report on 'One-Stop-Shop Cross-Border Complaint Statistics: 25 May 2018 - 30 April 2023'. The report provides an overview of cross-border complaint-handling processes, including number of complaints received, numbers concluded, and outcomes achieved. There were 1,496 cross-border complaints received directly by the DPC, 1,293 of which concerned the DPC as a lead supervisory authority. You can read the LinkedIn post here, and the report here.
- On May 19, the Confederation of European Data Protection Organisations ('CEDPO') published considerations on the EDPB questionnaire on the designation and position of data protection officers. The guidance aims to assist organizations in completing the European Data Protection (EDPB) Questionnaire. You can read the guidance here.
- On May 22, the Belgian Data Protection Authority ('Belgian DPA') announced the publication of its 2022 annual activity report. The report notes that in the reporting year, the Belgian DPA receive 604 complaints, slightly fewer than the 808 received in 2021. Most complaints were related to direct marketing, photos and camera usage, and the Dispute Chamber of the Belgian DPA issued 189 decisions in 2022, including fines totaling ?738,900. The Belgian DPA received 1,420 data breach notifications. You can read the report in Dutch here, and in French here.
- On May 23, the French Data Protection Authority ('CNIL') published its annual report for 2022. CNIL highlighted it had dealt with 13,160 complaints and had issued 21 sanctions and 147 formal notices, which amounted to a total of ?101 million. CNIL also emphasized that since entry into force of GDPR, the total amount of penalties issued exceeded ?500 million. You can read the press release here, and download the report here, in French.
- On May 24, the Spanish Data Protection Authority ('AEPD') announced it had joined the European Association for Digital Transition's initiative to raise awareness on, and guide parents through, the risks minors face on the internet. The objective of the initiative is to encourage a more active role for parents in the online activity of minors, alerting them to its risks and peculiarities of business models, based on the commercialization and profiling of data from children and adolescents. The initiative assembles information for parents and minors on its website, including practical advice on how to navigate the digital space and information management. You can access the initiative here, available in Spanish.
- On May 25, the UK National Cyber Security Centre ('NCSC') launched two new e-learning packages aimed at assisting procurement specialists, risk owners, and cybersecurity professionals to manage risks across supply chains. The NCSC stated that packages are designed to accompany existing guidance on 'Mapping your supply chain' which is the process of recording, storing and using information gathered from suppliers who are involved in a company's supply chain, and on 'Gaining confidence in supply chain cyber security'. You can access the packages here.
- On May 25, the German Federal Commissioner for Data Protection and Freedom of Information ('BfDI') published a statement on generative Artificial Intelligence. The BfDI clarified that it has the responsibility to consider and evaluate technological developments and new technologies with a disruptive character, such as generative AI, from a data protection perspective. The statement answers 18 questions on personal data to train foundation models, automated decision making, risk assessments, measures to protect minors, and the regulatory impact of a draft European AI Act. You can read the statement, only available in German, here.
- On 17 May, Datatilsynet announced its decision in which it found Radius Elnet A/S's processing of personal data to be in accordance with the GDPR and national data protection rules, following complaints from individuals. Read the press release here and the decision here, both only available in Danish.
Data Protection Authority Updates and Privacy News
- On May 16, the Maltese Office of the Information and Data Protection Commissioner ('IDPC') issued a reprimand against C-Planet (IT Solutions) Limited for violation of Article 15(1) and 15(3) of GDPR. A complaint was lodged alleging that the company had refused to provide complainant with information on the source of the personal data it processed that had not been collected directly from them. The IDPC stated that C-Planet had incorrectly relied on the Subsidiary Legislation 586.09 to restrict the complainant's right of access and that C-Planet was a data controller in relation to processing of the complainant's personal data. As such, the IDPC found that C-Planet had failed to provide the complainant with a copy of their personal data and information concerning the source of such data. You can read the decision here.
- On May 22, the Interactive Advertising Bureau ('IAB') called for a new transatlantic data agreement in response to the Irish Data Protection Commission's decision to impose a fine of ?1.2 billion on Meta Platforms Ireland Limited. They emphasized that the far-reaching implications of this decision for all American companies that transfer data from EU markets to the US means there is an urgent need to set up a data agreement facilitating commerce between the EU and US. Concerns were raised over the undermining of Standard Contractual Clauses as a data transfer safeguard. The IAB notes that the proposed Transatlantic Data Privacy Framework aligns with data privacy and security standards, and would benefit small and medium-sized businesses. You can read the press release here.
- On May 22, the Finnish Office of the Data Protection Ombudsman published its Decision in Case No. 7684/171/22, imposing a corrective measure on the Finnish Meteorological Institute ('FMI') for violations of Articles 35, 44, and 46 of the GDPR. A data breach notification had been reported to the Ombudsman following a security incident involving the personal data of 330,000 individuals. It was found that the FMI had used Google Analytics and reCAPTCHA services on its website, and had transferred personal data to the US without a valid basis for doing so. The FMI had not carried out a Data Protection Impact Assessment. Consequently, the Ombudsman instructed the FMI to ensure that personal data transferred to the US without a legal basis is deleted. You can access the decision here, available in Finnish.
- On May 23, the Spanish Data Protection Authority ('AEPD') published its decision in Proceeding No. PS-00500-2022, imposing a fine of 70,000 on Digi Spain Telecom for violation of Article 6(1) of GDPR. A complainant had alleged that Digi had provided a duplicate of their SIM card to an unauthorized third party which allowed that party to conduct bank transfers from the complainant's bank account. Digi had not performed sufficient due diligence regarding the identity of the individual requesting a duplicate SIM card. You can read the decision, only available in Spanish, here.
- On May 23, the UK Information Commissioner's Office ('ICO') published the Information Commissioner's speech at the European Parliament's Committee on Civil Liberties, Justice and Home Affairs. It was emphasized that the ICO takes responsibility for protecting Europeans' personal data in the UK seriously throughout the process of law reforms currently underway, noting that the ICO now supports the UK Data Protection and Digital Information (No. 2) Bill as it currently stands. It was noted that the Bill now jeopardizes the UK's adequacy position with the EU, but the ICO countered that it will have greater diversity and resilience at the senior level, preserving the independence required to regulate the private and public sectors. You can read the speech here.
- On May 23, the Electronic Privacy Information Centre ('EPIC') published a report 'Generating Harms: Generative AI's Impact & Paths Forward' outlining harms flowing from AI tools to privacy, transparency, and racial/economic justice. To illustrate the challenges, the report includes case studies, examples, recommendations, and an Appendix demonstrating the likely harms, providing a common lexicon for understanding the various harms that new technologies like generative AI can produce. You can read the report here.
- On May 23, the Data Protection Commission of Ireland ('DPC') addressed the European Parliament's Committee on Civil Liberties, Justice and Home Affairs ('LIBE Committee') for the first time. The DPC discussed their enforcement work and ongoing investigations, including those related to TikTok Technology Limited. The address highlighted the positive collaboration between the DPC and the LIBE Committee, promoting fair data protection enforcement and fundamental rights. You can read the press release here.
- On May 24, the UK Information Commissioner's Office ('ICO') published new guidance on responding to data subject access requests for employers. The ICO specified that the right of access gives data subjects the right to request a copy of their personal data from organizations, where failure to respond would amount to an offense. The guidance covers the considerations employers are expected to assess with regards to disclosure of emails workers are copied into, the disclosure of information across the employer's social media platforms, and any third-party interests. You can read the press release here and the guidance here.
- On May 25, the European Data Protection Board announced via Twitter the election of Anu Talus, from the Finnish Ombudsman, as its new Chair. Talus will be appointed to a five-year mandate. You can read the announcement here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.