Gibson Dunn | Europe | Data Protection – August 2024

Client Alert  |  September 11, 2024


Europe

08/06/2024

Council of Europe | Report | Neural data

The Council of Europe reported on the data protection challenges linked to neurotechnology and neural data from the perspective of the Convention 108+.

The report highlights the challenges posed by neural data and neurotechnology, including the impact they may have on human rights and fundamental freedoms, in particular the right to privacy and to the protection of personal data. It provides a legal and technical description of neurotechnology and neural data and suggests solutions to address privacy concerns related to neural data processing.

For further information: Council of Europe Website

08/01/2024

European Commission | EU AI Act

The European Artificial Intelligence Act (“AI Act”) came into force.

The European Commission announced that the AI Act came into force on August 1, 2024. The majority of rules of the AI Act will start applying on August 2, 2026.

For more information: European Commission Website

Belgium

08/23/2024

Belgian Supervisory Authority | Sanction | Access Request

The Belgian Supervisory Authority (“APD”) imposed a fine of €100,000 on a telecom operator for its late reply to a right of access request.

The APD determined that the telecom operator failed to appropriately process and reply to the individual’s access request by providing a response 14 months after the access request was submitted.

For more information: EDPB Website

Denmark

08/26/2024

Danish Supervisory Authority | Decision | AI

On August 26, 2024, the Danish Supervisory Authority (“Datatilsynet”) published its decision allowing an insurance company to record incoming telephone calls and analyze them using artificial intelligence.

Following its March 2023 investigation into the insurance company and its use of artificial intelligence to analyze customer service calls, the Datatilsynet found that the insurance company complies with GDPR rules. The Datatilsynet’s decision also recalls that the processing must comply with data protection rules, particularly with regard to obtaining consent and the information given to data subjects.

For more information: Datatilsynet Website [DA]

France

08/27/2024

French Supervisory Authority | Monitoring Tool | Binding Corporate Rules

The French Supervisory Authority (“CNIL”) published a monitoring tool for Binding Corporate Rules (“BCR”).

The CNIL makes available to BCR holders a self-assessment tool to verify their level of compliance with BCR requirements and specifies the steps for its deployment.

For more information: CNIL Website

Germany

08/30/2024

Saxony Supervisory Authority | Recommendation | Technical and Organizational Measures

On August 30, 2024, the Saxon Supervisory Authority (“SDTB”) published its recommendation on the redaction of documents.

The SDTB pointed out that it is often necessary to delete or anonymize personal data (for example when publishing documents containing sensitive data) and that, in such cases, technical and organizational measures, including document redaction, must be implemented for data protection. In particular, the recommendation describes the possible sources of error and solutions relating to redaction.

For more information: SDTB Website [DE]

08/28/2024

Rhineland-Palatinate Supervisory Authority | Press Release | Customer Account

The Rhineland-Palatinate Supervisory Authority (“LfDI Rheinland-Pfalz”) announced in a press release that it has sent an information letter to 13 e-shops on the necessity of providing guest access when placing an order.

While recognizing the advantages of creating a customer account (e.g., ordering without having to enter the same data again or reviewing orders), the LfDI Rheinland-Pfalz points out that individuals should always have an equal alternative when shopping online. It further considers that online shops have an obligation, resulting from the provisions of Articles 5 and 6 of the GDPR, to implement a guest ordering process.

For more information: LfDI Rheinland-Pfalz Website [DE]

08/15/2024

BfDI | Press Release | Messenger Services Standard Test Catalogue

The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) has launched a public consultation process on the creation of a uniform test for messenger services regarding their compliance with the GDPR.

The BfDI has initiated the development of a uniform standard test regarding the GDPR compliance of messenger services. This is especially important due to their widespread use both in private life and for work-related purposes. To create a useful uniform standard test, the BfDI now invites specialist users or deployers and civil society to comment on and participate in the development of criteria for the published draft test.

For more information: BfDI Website [DE]

08/01/2024

Saxony Supervisory Authority | Guidelines | Data Subject Access Requests

On August 1, 2024, the Saxon Supervisory Authority (“SDTB”) published guidelines for local authorities and administrative bodies on how to handle data subject access requests under Article 15 of the GDPR.

The SDTB’s guidelines are intended to provide guidance on how to comply with requests regarding the right of access of data subjects. They incorporate the latest case law of the higher courts and, in particular, of the Court of Justice of the European Union.

For more information: SDTB Website [DE]

Italy

08/09/2024

Italian Supervisory Authority | Sanction | Unlawful access to a database

The Italian Supervisory Authority (“Garante”) published its decision of June 6, 2024, imposing a fine of €1 million on a financial institution for unlawful processing.

The Garante received a complaint in which an individual claimed to have been blacklisted and denied financing for a long-term car rental, following verifications in a database. In the context of a request to exercise his rights under the GDPR, the complainant asked the car rental company and its parent company, a financial institution, for information on the reasons behind the blacklisting but received no response. Upon investigation, the Garante found that the financial institution, which carried out the verifications on behalf of the car rental company, did not have authorization from the Ministry of Economy and Finance to access the centralized fraud prevention system (“SCIPAFI”) and concluded that the complainant’s personal data had been unlawfully processed.

For more information: Garante Website [IT]

08/09/2024

Italian Supervisory Authority | FAQ | Right to be forgotten

The Italian Supervisory Authority (“Garante”) announced that it has released frequently asked questions (“FAQs”) on the “right to be forgotten in oncology”.

The FAQs aim to clarify the provisions of Law No. 193 of 7 December 2023 on the “right to be forgotten in oncology”, which allows individuals who have recovered from an oncological disease not to provide information, or be investigated, regarding their previous condition in order to access banking, financial, investment and insurance services, insolvency procedures, and employment and professional training. The Garante will be in charge of the enforcement of these provisions.

For more information: Garante Website [IT]

Switzerland

08/14/2024

Swiss Federal Council | Adequacy Decision | Swiss-US Data Privacy Framework

The Swiss Federal Council adopted its decision of adequacy regarding the USA under the Swiss-US Data Privacy Framework (“DPF”).

Over a year after the European Commission, the Swiss Federal Council has now also adopted its adequacy decision for US companies certified under the DPF, thus facilitating the transfer of personal data to the USA in compliance with data protection regulations. The decision will enter into force on 15 September 2024.

For more information: Federal Council Website

United Kingdom

08/21/2024

Department for Science, Innovation and Technology | Blog | Privacy-Preserving Federated Learning

The Department for Science, Innovation and Technology (“DSIT”) published a blog post on implementation challenges in Privacy-Preserving Federated Learning (“PPFL”).

The blog highlights challenges to developing deployable PPFL, which are due to several factors such as real-world conditions for deployment (e.g., insufficient computational power) or flaws in the system design which can lead to privacy breaches.

For more information: UK Government Website

08/13/2024

UK Supervisory Authority | Report | Privacy Enhancing Technologies

The UK Supervisory Authority (“ICO”) published a report entitled “Tackling Barriers to Privacy-Enhancing Technologies Adoption”.

Privacy-Enhancing Technologies (“PETs”) are defined by the ICO as technologies supporting data privacy by minimizing the use of personal data and increasing their security. The report explains, in particular, the barriers to adopting such technologies and provides recommendations on how to support and promote their use across organizations.

For more information: ICO Website

08/07/2024

UK Supervisory Authority | Sanction | Ransomware Attack

The UK Supervisory Authority (“ICO”) issued a provisional decision to impose a fine of £6.09 million (approximately €7.14 million) on a software provider following a ransomware attack which occurred in 2022.

The ICO explained that hackers accessed the company’s health and care systems through a customer account which was not protected via multi-factor authentication. The attack led to the exfiltration of personal data from 82,946 individuals, including phone numbers, medical records, and information on how to gain entry to the homes of 890 people receiving home care. Critical services had also been disrupted. The ICO’s findings are provisional, and a final decision has not yet been made. If issued, this will notably be the first time that the ICO issues a fine to a processor for a breach of its obligations under data protection laws.

For more information: ICO Website

08/02/2024

UK Supervisory Authority | Statement | Children protection

The UK Supervisory Authority (“ICO”) issued a statement calling on social media platforms (“SMPs”) and video-sharing platforms (“VSPs”) to improve their children’s data privacy practices.

The ICO stated that it has reviewed 34 SMPs and VSPs, focusing on the process children go through to sign up for accounts. The ICO found different levels of compliance with the Children’s Code, and sent some of the platforms questions on issues relating to default privacy settings, geolocation, age assurance and targeted advertising.

For more information: ICO Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCCP Practice, Paris

Joel Harrison – Partner, Co-Chair, PCDI Practice, London

Vera Lukic – Partner, Paris

Lore Leitner – Partner, London

Kai Gesing – Partner, Munich

Clémence Pugnet – Associate, Paris

Thomas Baculard – Associate, Paris

Hermine Hubert – Associate, Paris

Billur Cinar – Associate, Paris

Christoph Jacob – Associate, Munich

Yannick Oberacker – Associate, Munich

Sarah Villani – Associate, London

Miles Lynn – Associate, London

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.
