Gibson Dunn | Europe | Data Protection – July 2024

August 9, 2024


Europe

07/25/2024

European Commission | GDPR | Report

On July 25, 2024, the European Commission published the Second Report on the application of the GDPR.

The report highlights a significant uptick in enforcement activity by supervisory authorities in recent years. The report considers that, to ensure strong protection for individuals and the free flow of personal data within and outside the EU, there is a need to focus on, among other things: proactive support by supervisory authorities in compliance efforts; consistent application of the GDPR across the EU; effective cooperation between supervisory authorities; establishing cooperation with sectoral regulators on issues with an impact on data protection; implementing efficient and targeted working arrangements for guidelines, opinions, and decisions; and prioritizing key issues to reduce the burden on supervisory authorities.

For more information: European Commission Website

07/16/2024

European Data Protection Board | Statement | Role of DPA & EU AI Act

On July 16, 2024, the European Data Protection Board (“EDPB”) adopted Statement 3/2024 on data protection authorities’ role in the Artificial Intelligence Act framework.

The EDPB recommends that Data Protection Authorities (“DPAs”) should be designated as Market Surveillance Authorities (“MSAs”) for the high-risk AI systems mentioned in Article 74(8) of the AI Act. Further, the EDPB recommends that Member States consider appointing DPAs as MSAs for the other high-risk AI systems, particularly where those high-risk AI systems are in sectors likely to impact natural persons’ rights and freedoms with regard to the processing of personal data, unless those sectors are covered by a mandatory appointment required by the AI Act (e.g. the financial sector).

For more information: EDPB Website

07/16/2024

European Data Protection Board | FAQ | EU-US Data Privacy Framework

On July 16, 2024, the European Data Protection Board (“EDPB”) adopted two Frequently Asked Questions (“FAQ”) documents regarding the EU-U.S. Data Privacy Framework (“DPF”).

The FAQ for individuals provides information on the functioning of the DPF (e.g., how to benefit from it, how to lodge a complaint) and the FAQ for businesses notably explains which U.S. companies are eligible to join the DPF and what to do before transferring personal data to a company in the U.S. which is, or claims to be, certified under the DPF.

For more information: EDPB FAQ for individuals and for businesses

France

07/18/2024

French Supervisory Authority | FAQ | Generative AI

On July 18, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the deployment of generative artificial intelligence.

The FAQ include information on the benefits and limitations of generative AI, the way to implement the use of a generative AI system, and the way to ensure compliance of an AI model with the GDPR and the AI Act.

For more information: CNIL Website

07/12/2024

French Supervisory Authority | FAQ | EU AI Act

On July 12, 2024, the French Supervisory Authority (“CNIL”) published a series of frequently asked questions (“FAQ”) on the EU Regulation on Artificial Intelligence following its publication in the Official Journal of the European Union.

The FAQ include information on the specific provisions of the AI Act, the compliance monitoring authorities, as well as the interplay between the GDPR and the AI Act.

For more information: CNIL Website

07/10/2024

French Supervisory Authority | Audit results | Dark Patterns

On July 10, 2024, the French Supervisory Authority (“CNIL”) published the results of the Global Privacy Enforcement Network audit.

Twenty-six of the world’s data protection authorities, including the CNIL, all members of the Global Privacy Enforcement Network (“GPEN”), audited 1,010 websites and mobile applications as part of a joint operation: the GPEN Sweep. The audit reveals that websites make extensive use of “dark pattern” mechanisms, hindering users’ ability to make informed decisions about privacy protection.

For more information: CNIL Website [FR]

07/04/2024

French Supervisory Authority | Study | Advertising Models

The French Supervisory Authority (“CNIL”) published a study on alternative advertising models.

On July 4, 2024, the CNIL announced that it had commissioned an economic study of the possible consequences of the end of third-party cookies for certain browsers and presented the main conclusions. The study, among other things, aims to provide indications on what the new advertising business models will be after the removal of third-party cookies and what risks these developments entail for data protection.

For more information: CNIL Website [FR]

Germany

07/31/2024

Hamburg Supervisory Authority | “Pay or OK” System

The Hamburg Data Protection Authority (“Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) granted the Spiegel Magazine permission to use the so-called “Pay or OK” system.

With the “Pay or OK” system, visitors to the website either have to consent to the use of their personal data or agree to a paid subscription model. This decision is now being challenged by an affected data subject.

For more information: Hamburg BfDI Website [DE]

07/30/2024

Saxon Data Protection and Transparency Officer | Guideline | Video Surveillance in Private and Public Spaces

On July 30, 2024, the Saxon Supervisory Authority (“LfDI Saxony”) published an updated version of its guideline on the use and regulation of video surveillance both in public and private spaces by private individuals and public authorities.

This new version has been created due to numerous complaints by data subjects. The LfDI Saxony includes examples for possible use cases and their limits in connection with video surveillance.

For more information: LfDI Saxony Website [DE]

07/19/2024

German Data Protection Authorities | Guidance | AI & Data Protection

In July, multiple data protection authorities published information on the AI Act and discussed the responsibilities arising from it. In addition, the Baden-Wuerttemberg Supervisory Authority (“LfDI Baden-Wuerttemberg”) published an “Orientation Navigator AI & Data Protection”.

The Federal Commissioner for Data Protection and Information Security (“BfDI”) and the supervisory authority of North Rhine-Westphalia (“LDI North Rhine-Westphalia”) state that new responsibilities and tasks arise for the data protection supervisory authorities under the AI Act. A group of experts from the supervisory authority of Lower Saxony (“LfD Lower Saxony”) has also begun its discussions on data protection compliance of AI training data. In addition, the LfDI Baden-Wuerttemberg published a tool that organizes selected regulatory documents on AI. It is intended as an aid for responsible bodies such as authorities but also for private companies.

For more information: LfDI Baden-Wuerttemberg Website [DE]; BfDI Website [DE]; LDI North Rhine-Westphalia Website [DE]; LfD Lower Saxony [DE]

07/15/2024

Hamburg Supervisory Authority | Discussion Paper | GDPR & Large Language Models

On July 15, 2024, the Hamburg Supervisory Authority (“HmbBfDI”) published a discussion paper on the relationship between the GDPR and Large Language Models (“LLMs”).

The paper aims to support companies and authorities dealing with data protection issues related to LLM technologies and contains an explanation of the technical aspects of LLMs and their evaluation in light of the relevant case law of the Court of Justice of the European Union on personal data under the GDPR. Additionally, the paper discusses the difference between LLMs as an artificial intelligence model and as a component of an AI system in accordance with the AI Act.

For more information: HmbBfDI Website [DE]

Ireland

07/18/2024

Irish Supervisory Authority | Recommendation | AI & Data Protection

On July 18, 2024, the Irish Supervisory Authority (“DPC”) published an article on artificial intelligence, large language models (“LLMs”), and data protection.

The article highlights the increase in popularity of AI, particularly generative AI chatbots. The DPC warns about the inherent risks associated with AI, particularly concerning personal data processing, including: use of large amounts of personal data unnecessarily and without knowledge, agreement, or permission during training phases; issues arising from the accuracy and retention of personal data used or generated by AI systems; risks of personal data being shared without proper security or authorization; potential biases due to inaccurate or incomplete training data, affecting decision-making processes; and exposure to risks when new personal data is incorporated into training datasets for updated models.

For more information: DPC Website

Lithuania

07/02/2024

Lithuanian Supervisory Authority | Sanction | Data Subjects Rights

The Lithuanian Supervisory Authority (“SDPI”) fined an online retail company €2,385,276 million for several breaches relating to the right to be forgotten and the right of access.

The SDPI found that the Company had not dealt fairly and transparently with the deletion requests it had received: it refused erasure requests on the sole grounds that individuals did not cite one of the criteria provided for by the GDPR in their request and, in cases where it refused to erase the data, it did not inform the individuals of the reasons for such refusal. The SDPI also found that the Company had unlawfully implemented a “shadow blocking” mechanism, making the activity of a user who does not respect the platform’s rules invisible to other users, without the user being notified. In addition, the Company did not take sufficient technical and organizational measures to demonstrate that it had taken (or reasonably refused to take) action regarding the right of access.

For more information: SDPI website

Netherlands

07/31/2024

Dutch Supervisory Authority | Guidance | AI

The Dutch Supervisory Authority (“AP”) published guidance on the EU Artificial Intelligence Act (“AI Act”) for AI developers and users.

The AP clarified that, with the entry into force of the AI Act, various requirements will gradually apply to AI developers and users from February 2025. The AP highlights priorities for AI developers, in particular regarding prohibited AI systems, which must be withdrawn from the market and no longer be in use by February 2025, and high-risk AI systems, which must comply with specific requirements.

For more information: AP Website [NL]

07/16/2024

Dutch Supervisory Authority | Sanction | Cookies

On July 16, 2024, the Dutch Supervisory Authority (“AP”) announced its decision, as issued on May 2, 2024, to impose a fine of €600,000 on a company regarding its use of cookies.

Following its investigation, the AP determined that cookies were placed on user devices without their knowledge or consent. Due to the specific nature of the products that may be purchased on the website (drugstore products), the AP considered that the company collected and used sensitive data of millions of website visitors in violation of the applicable rules.

For more information: AP Website [NL]

Poland

07/19/2024

Polish Supervisory Authority | Opinion | Data Breach

On July 19, 2024, the Polish Supervisory Authority (“UODO”) issued an opinion advising controllers following the global cloud service outage that occurred on the same date.

The UODO states that not every interruption to personal data access is a personal data breach. Interruption to cloud services’ access and the resulting interruption to data access may, in some situations, result in a violation of the rights and freedoms of individuals. The UODO therefore recommends conducting a risk analysis before reporting the personal data breach to the authority.

For more information: UODO Website [PL]

07/08/2024

Polish Supervisory Authority | Guidance | Children Protection

On July 8, 2024, the Polish Supervisory Authority (“UODO”) published a guide to support institutions and organizations in ensuring better protection for children in the digital age.

The guide, entitled “Children’s Image on the Internet. Publish or not?”, notably includes tips for protecting children’s photos and videos on the Internet and a list of potential risks associated with the publication of children’s images on the Internet.

For more information: UODO Website [PL]

Spain

07/10/2024

Spanish Supervisory Authority | Report | Addictive patterns

On July 10, 2024, the Spanish Supervisory Authority (“AEPD”) issued a report on addictive patterns in the processing of personal data.

The report highlights how, in many cases, service providers implement misleading and addictive design patterns, including to increase the amount of personal data collected about users. The report emphasizes that the adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.

For more information: AEPD Website [ES]

United Kingdom

07/23/2024

Ofcom | Discussion Paper | Generative AI

On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on the evaluation of vulnerabilities in Generative Artificial Intelligence models.

The discussion paper discusses “red teaming” as a type of evaluation method that seeks to find vulnerabilities in generative artificial intelligence models to protect users from harmful content.

For more information: Ofcom Website

07/23/2024

Ofcom | Discussion Paper | Deepfake

On July 23, 2024, the British Office of Communications (“Ofcom”) published a discussion paper on deepfakes.

Among other things, the discussion paper highlights the different types of deepfakes that can cause harm and the steps organizations can take to mitigate the risks of deepfakes.

For more information: Ofcom Website

07/17/2024

British Government | King’s Speech | Digital Information and Smart Data

The British Government plans to introduce the Digital Information and Smart Data Bill.

On July 17, 2024, the Government announced, as part of the King’s Speech, that it planned to introduce the Digital Information and Smart Data Bill. The Government explained that the bill would, among other things, enable new innovative uses of data to be safely developed and deployed, reform data sharing and standards, improve data laws, and give the Information Commissioner’s Office (“ICO”) new, stronger powers.

For more information: Government Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

Ahmed Baladi – Partner, Co-Chair, PCDI Practice, Paris ([email protected])

Joel Harrison – Partner, Co-Chair, PCDI Practice, London ([email protected])

Vera Lukic – Partner, Paris ([email protected])

Lore Leitner – Partner, London ([email protected])

Kai Gesing – Partner, Munich ([email protected])

Clémence Pugnet – Associate, Paris ([email protected])

Thomas Baculard – Associate, Paris ([email protected])

Hermine Hubert – Associate, Paris ([email protected])

Billur Cinar – Associate, Paris ([email protected])

Christoph Jacob – Associate, Munich ([email protected])

Yannick Oberacker – Associate, Munich ([email protected])

Sarah Villani – Associate, London ([email protected])

Miles Lynn – Associate, London ([email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.