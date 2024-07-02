ARTICLE
2 July 2024

Two-Minute Recap Of Data Protection Law Matters Around The Globe

Gen Temizer

The Finnish Data Protection Authority investigated an online retail company following a complaint by a customer and subsequently imposed an administrative fine of EUR 856,000.
Huge Fine from  Finnish Authority

The Finnish Data Protection Authority  investigated an online retail company following  a complaint by a customer and subsequently  imposed an administrative fine of EUR 856,000.  It found that the company's data controller  required users to register as customers before  making purchases and did not allow purchases  through its website without the creation of a  customer account. The Authority also observed  that data relating to customer accounts were  stored indefinitely.

Spain's DPA  imposes multiple  fines

The Spanish Data Protection Authority fined  a telecom company EUR 56,000 for sharing  another customer's personal data when  responding to a customer's right of access  request. The data subject requested a copy of  their commercial telephone contract from the  company in 2021, claiming that the company  had not applied the tariff in the contract. The  company, however, sent the applicant an email  containing the contract and audio recordings of  another customer.

In another decision, the Authority fined a bank  EUR 600,000 for inadequate security measures,  including lack of two-factor authentication  when approving loans.

Finally, the Authority fined a football club  EUR 200,000 for processing fingerprint data  on the grounds that it lacked legal basis and  breached the requirements of necessity and  proportionality.

Greek voter data  leaked

In May 2024, The Greek Data Protection Authority  fined the country's Interior Ministry EUR 400,000  for a data breach involving thousands of voters'  email addresses in June 2023.

Very busy month  for the EDPB

The European Data Protection Board  ("EDPB") issued a statement on the European  Commission's ("EC") legal regulation on access  to financial data and payments. According to the  EDPB, there should be more clarity regarding  recording and sharing of personal data,  obligations of account and payment initiation  service providers, and the definition of sensitive  payment data.

The EDPB also published its preliminary  investigative report into ChatGPT. It argues  that the legal basis for data scraping of  publicly available personal data may be based  on legitimate interest under General Data  Protection Regulation ("GDPR") rules. Most recently, it issued an opinion on the use  of facial recognition technology to facilitate  passenger processing at airports in which it  discussed four scenarios where the technology  could be used and their respective legality  under the GDPR.

Italian data  scraping  guidelines  published

The Italian Data Protection Authority  published guidelines for the protection of  personal data streamed online from data  scraping. They include instructions regarding  the indiscriminate collection of data on the  internet by third parties for the training of  generative artificial intelligence models.

EC's DSA and DGA  work continues

The EC requested information on Microsoft  Bing's generative artificial intelligence  features under the European Union's Digital  Service Act ("DSA"). The EC underlined that  it "suspects that Bing may have infringed  the DSA due to risks linked to generative  artificial intelligence, such as so-called  "hallucinations", viral spread of deepfakes  and automated manipulation".

The EC also sent a formal warning to  18 member states, including Germany,  France and Italy, for not implementing  necessary measures to comply with the Data  Governance Act ("DGA"). The countries have  two months to implement the necessary  measures and transparency requirements to  ensure compliance.

Telecoms  companies face  penalties

The US Federal Communications Commission  fined various telecom operators a total of  USD 200 million for sharing geolocation data  without users' consent.

