Gibson Dunn | Europe | Data Protection – Q1 2023
Client Alert | April 17, 2023
Personal Data | Cybersecurity | Data Innovation
Europe
03/14/2023 – European Union Agency for Cybersecurity | Report | Cybersecurity of AI and Standardisation
On 14 March 2023, the European Union Agency for Cybersecurity published a report on Cybersecurity of AI and Standardisation.
The objective of the report is to provide an overview of standards (existing, being drafted, under consideration and planned) related to cybersecurity of artificial intelligence, assess their scope and identify gaps in standardisation.
For further information: ENISA Website
03/14/2023 – European Parliament | Regulation | Data Act
On 14 March 2023, the European Parliament adopted the draft Data Act.
The Data Act aims to boost innovation by removing barriers obstructing access by consumers and businesses to data.
For further information: European Parliament Website
02/28/2023 – European Data Protection Board | Opinion | EU-US Data Privacy Framework
On 28 February 2023, the European Data Protection Board adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework.
The European Data Protection Board welcomes substantial improvements such as the introduction of requirements embodying the principles of necessity and proportionality for US intelligence gathering of data and the new redress mechanism for EU data subjects. At the same time, it expresses concerns and requests clarifications on several points.
For further information: EDPB Website
02/24/2023 – European Data Protection Board | Guidelines | Transfers, Certification and Dark Patterns
On 24 February 2023, the European Data Protection Board published final version of three guidelines.
Following public consultation, the European Data Protection Board has adopted three sets of guidelines in their final version: the Guidelines on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR; the Guidelines on certification as a tool for transfers; and the Guidelines on deceptive design patterns in social media platform interfaces.
For further information: EDPB Website
02/15/2023 – European Commission | Decision | Whistleblowing
On 15 February 2023, the European Commission announced its decision to refer eight Member States to the Court of Justice of the European Union for failing to transpose the Directive (EU) 2019/1937 on the Protection of Persons who Report Breaches of Union Law before 17 December 2021.
The relevant Members States include the Czech Republic, Germany, Estonia, Spain, Italy, Luxembourg, Hungary, and Poland.
For further information: European Commission Website
01/18/2023 – European Data Protection Board | Report | Cookie Banner Taskforce
On 18 January 2023, the European Data Protection Board adopted its final report of the cookie banner task force.
The French Supervisory Authority and its European counterparts adopted the report summarizing the conclusions of the task force in charge of coordinating the answers to the questions on cookie banners raised by the complaints of the None Of Your Business Association. The main points of attention that were discussed concern the modalities of acceptance and refusal to the storage of cookies and the design of banners.
For further information: EDPB Website
01/16/2023 – European Union | Regulation | Digital Operational Resilience Act
The Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023.
The DORA aims to ensure that financial-sector information and communication technology (“ICT”) systems can withstand security threats and that third-party ICT providers are monitored.
For further information: Official Journal Website
01/12/2023 – Court of Justice of the European Union | Decision | Right of access
On 12 January 2023, the Court of Justice of the European Union ruled that everyone has the right to know to whom their personal data has been disclosed.
The data subject’s right of access to personal data under the GDPR entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.
For further information: Press Release
Austria
02/01/2023 – Austrian Parliament | National Council | Whistleblowing
On February 1st 2023, the Directive (EU) 2019/1937 on the protection of persons who report breaches of union law (“the Whistleblowing Directive”) was implemented by the Austrian National Council.
For further information: Austrian Parliament Website
Belgium
02/15/2023 – House of Representatives | Legislation | Whistleblowing
On 15 February 2023, the Whistleblowing law for the private sector which partially transposes the Whistleblowing Directive entered into force.
For further information: Whistleblowing Law
Bulgaria
01/27/2023 – Bulgarian National Assembly | Legislation | Whistleblowing
On 27 January 2023, the Bulgarian National Assembly (“CPDP”) adopted the Whistleblower Protection and Public Disclosure Act (“PWIPDA”) transposing the Whistleblowing Directive.
For further information: CPDP Website [BG]
Czech Republic
03/07/2023 – Czech Supervisory Authority | FAQ | Cookies
On 7 March 2023, the Czech Supervisory Authority (“UOOU”) published a FAQ on cookie banners and consent.
For further information: UOOU Website [CZ]
Denmark
02/20/2023 – Danish Supervisory Authority | Decision | Cookie Walls
The Danish Supervisory Authority issued two decisions regarding the use of cookie walls on websites and published general guidelines for the use of such consent solutions.
The Danish Supervisory Authority generally found that a method whereby the website visitor can access the content of a website in exchange for either giving consent to the processing of his personal data or paying an access fee, meets the requirements of the data protection rules for a valid consent.
For further information: Danish DPA Website [DK]
01/20/2023 – Danish Supervisory Authority | Guidelines | Storage and Consent
On 20 January 2023, the Danish Supervisory Authority has prepared guidance dealing with the storage of personal data with the aim of being able to demonstrate compliance with data protection rules on consent.
For further information: Danish DPA Website [DK]
Finland
02/17/2023 – Finnish Supervisory Authority | Sanction | GDPR Violation
On 17 February 2023, the Finnish Supervisory Authority issued an administrative fine of €440,000 against a company for failing to comply with the authority’s order to rectify its practices.
In particular, the authority stated that the company failed to erase inaccurate payment default entries saved into the credit information register due to inadequate practices. The authority stresses that the processing of payment default information has a significant impact on the rights and freedoms of individuals.
For further information: Finnish DPA Website
France
03/28/2023 – French Supervisory Authority | Sanction | Geolocation Data
On 28 March 2023, the French Supervisory Authority (“CNIL”) announced that it imposed a fine of €125,000 on a company of rental scooters because it geolocated its customers almost permanently.
The CNIL noted a failure to comply with several obligations, namely to ensure data minimization, to comply with the obligation to provide a contractual framework for the processing operations carried out by a processor, to inform the user and obtain his or her consent before writing and reading information on his or her personal device.
For further information: CNIL Website
03/15/2023 – French Supervisory Authority | Investigation | Smart Cameras
On 15 March 2023, the French Supervisory Authority (“CNIL”) announced setting “smart” cameras, mobile apps, bank and medical records as priority topics for investigations in 2023.
The CNIL carries out investigations on the basis of complaints received, current events, but also annual priority topics. In 2023, it will focus on the use of “smart” cameras by public actors, the use of the file on personal credit repayment incident, the management of health files and mobile apps.
For further information: CNIL Website
02/09/2023 – French Supervisory Authority | Guidance | Data Governance Act
On 9 February 2023, the French Supervisory Authority (“CNIL”) published a guidance on the economic challenges of implementing the Data Governance Act.
For further information: CNIL Website
01/26/2023 – French Supervisory Authority | Statement | Artificial Intelligence
On 26 January 2023, the French Supervisory Authority (“CNIL”) announced creating an Artificial Intelligence (“AI”) Department and starting to work on learning databases.
The CNIL is creating an AI Department to strengthen its expertise on these systems and its understanding of the risks to privacy while preparing for the implementation of the European regulation on AI. In addition, the CNIL has announced that it will propose initial recommendations on machine learning databases.
For further information: CNIL Website
01/24/2023 – Ministry of Home Affairs | Legislation | Cyberattack Risk Insurance
On 24 January 2023, the French Parliament adopted the LOPMI Act that authorizes the insurability of “cyber-ransoms” paid by victims, subject to the prompt filing of a complaint.
For further information: LOPMI
01/04/2023 – French Supervisory Authority | Sanction | Consent
On 4 January 2023, the French Supervisory Authority (“CNIL”) imposed an administrative €8 million fine on a technology company because it did not collect the consent of French users before depositing and/or writing identifiers used for advertising purposes on their terminals.
The CNIL found that the advertising targeting settings were pre-checked by default. Moreover, the user had to perform a large number of actions in order to deactivate this setting.
The CNIL explained the amount of the fine by the scope of the processing, the number of people concerned in France, the profits the company made from advertising revenues indirectly generated from data collected by these identifiers and the fact that since then, the company has reached compliance.
For further information: CNIL Website
01/17/2023 – French Supervisory Authority | Sanction | Consent
On 17 January 2023, the French Supervisory Authority (“CNIL”) imposed a €3 million fine on a company which publishes video games for smartphones.
The company was using an essentially technical identifier for advertising purposes without the user’s consent.
For further information: CNIL Website
Germany
03/22/2023 – Supervisory Authorities| Opinion | “Pure Subscription Models”
The Conference of the Independent Data Protection Authorities of Germany (DSK) adopted an opinion on so-called “pure subscription models” on websites.
The opinion assesses pure (no-tracking) subscription models and alternative free consent-based tracking models and provides criteria to assess these alternative access instruments on websites.
For further information: DSK Website [DE]
03/15/2023 – Supervisory Authorities| BfDI | Activity Report
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Ulrich Kelber, has presented the BfDI’s Activity Report for 2022.
For further information: BfDI [DE]
03/15/2023 – Supervisory Authorities| Activity Reports
The Commissioners for Data Protection and Freedom of Information of Baden-Württemberg, Hamburg and Schleswig Holstein have presented their activity reports on the year 2022.
The activity reports cover various data protection and information freedom topics. For example in Schleswig-Holstein data breaches remained frequent while the number of complaints dropped, with video surveillance being the main cause of complaints. The reports emphasize the need to proactively address risks such as artificial intelligence and data sharing.
For further information: ULD Website [DE] and LfDI-BW Website [DE] and HmbBfDI Website [DE]
03/01/2023 – Supervisory Authorities| Opinion | EU-US Privacy Framework
The Hamburg Supervisory Authority (on 1 March 2023) and the German Supervisory Authority (on 28 February 2023) both issued an opinion on the draft adequacy decision on the EU-US Data Privacy.
For further information: Bundestag Website [DE] and BfDI [DE]
02/13/2023 – German Competition Authority | Decision | US Data Transfers
On 13 February 2023 the German Competition Authority (“BKartA”) issued a ruling on data transfers under the GDPR.
In particular, the authority ruled that a company relying on a German subsidiary of a US parent company as a data processor cannot be excluded from a contract bid due to possible violations of the GDPR.
For further information: BKartA Website [DE]
02/09/2023 – ArbG Oldenburg | Decision | Claim for Damages
On 9 February 2023, the Oldenburg Labor Court has ordered a company to pay a former employee damages in the amount of 10,000 euros under Article 82 of the GDPR for failing to comply with an information request under Article 15 (1) of the GDPR without establishing any additional (immaterial) harm.
In the opinion of the court the violation of the GDPR itself already resulted in immaterial harm to be compensated; according to the court, no additional proof of harm was required.
Italy
03/30/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) imposed an immediate temporary limitation on the processing of Italian users’ data by an US-based company developing and managing an AI chatbot.
The Garante opened a probe over a suspected breach of GDPR. The authority alleged “the absence of any legal basis that justifies the massive collection and storage of personal data in order to ‘train’ the algorithms underlying the operation of the platform”. The authority also accused the company of failing to check the age of its users.
For further information: Garante Website [IT]
03/09/2023 – Council of Ministers | Legislation | Whistleblowing
On 9 March 2023, the Italian Council of Ministers approved the whistleblowing legislative decree.
The Council of Ministers announced, on 9 March 2023, the approval, after final review, of the legislative decree to transpose into Italian law the Whistleblowing Directive.
For further information: Governo Italiano Website [IT]
02/21/2023 – Italian Supervisory Authority | Sanction | Marketing Practices
The Italian Supervisory Authority (“Garante”) announced, on 21 February 2023, that it issued, on 15 December 2022, a €4.9 million fine against an energy company for various non-compliances with the GDPR, including unlawful marketing practices.
For further information: Garante Website [IT]
02/03/2023 – Italian Supervisory Authority | Temporary limitation | AI Chatbot
The Italian Supervisory Authority (“Garante”) issued an order on an AI chatbot noting that tests performed identified risks for minors and vulnerable individuals.
The US-based developer was ordered to terminate processing of data relating to Italian users and to inform the Garante within 20 days on any measures taken to implement its orders.
For further information: Garante Website
Ireland
02/27/2023 – Irish Supervisory Authority | Sanction | Security
On 27 February 2023, the Irish Supervisory Authority (“DPC”) imposed a fine of €750,000 on a banking company for inadequate data security measures.
The inquiry was initiated after the notification to the DPC of a series of 10 data breaches. In this context, the DPC found that the technical and organizational measures in place at the time were not sufficient to ensure the security of the personal data processed.
For further information: #DPC Website
02/23/2023 – Irish Supervisory Authority | Sanction | Security
On 23 February 2023, the Irish Supervisory Authority (“DPC”) imposed a €460,000 fine against a health care provider.
The DPC initiated an enquiry after receiving a personal data breach notification related to a ransomware attack affecting patient data (70,000 people). The DPC considered that the health care provider failed to ensure that the personal data were processed in a manner that ensured appropriate security.
For further information: DPC Website
01/16/2023 – Irish Supervisory Authority | Sanction | CCTV
On 16 January 2023, the Irish Supervisory Authority (“DPC”) imposed a €50,000 fine and a temporary ban on the processing of personal data with CCTV cameras on a company for violations of the GDPR.
For further information: DPC Website
Netherlands
02/22/2023 – Dutch Supervisory Authority | Statement | Camera Settings
The Dutch Supervisory Authority (“AP”) published a statement on changes made by a car manufacturer in the settings of the built-in security cameras of its cars, following an investigation of these cameras by the AP.
For instance, the car may still take camera images, but only when the user activates that function.
For further information: AP Website [NL]
02/18/2023 – House for Whistleblowers | Legislation | Whistleblowing
On 18 February 2023, the House for Whistleblowers announced the entry into force of the Whistleblower Protection Act.
For further information: AP Website [NL]
Norway
03/01/2023 – Norwegian Supervisory Authority | Preliminary conclusion | Analytics Tool
On 1st March 2023, the Norwegian Supervisory Authority (“Datatilsynet”) published its preliminary conclusion on a case related to the use of the analytics tool of a US-based company considering that the use of this tool is not in line with the GDPR.
For further information: Datatilsynet Website [NO]
02/06/2023 – Norwegian Supervisory Authority | Sanction | GDPR Violation
On 6 February 2023, the Norwegian Supervisory Authority (“Datatilsynet”) fined a company operating fitness centers NOK 10 million (approximately €912,940) for various GDPR violations (e.g., lawfulness of processing, transparency and data subjects rights).
For further information: Datatilsynet Website [NO]
Portugal
01/27/2023 – Portuguese Supervisory Authority | Guidelines | Security Measures
The Portuguese Supervisory Authority (“CNPD”) published guidelines on security measures in order to minimize consequences in case of attacks on information systems.
These guidelines aim to inform controllers and processors about their legal obligations, with the increase of cyberattacks on information systems, listing organizational and technical measures that must be considered by organizations.
For further information: Press release [PT]
Romania
03/28/2023 – President of Romania | Legislation | Whistleblowing
The Law No. 67/2023 which amends article 6 (2) of the Law no. 361/2022 on the protection of whistleblowers in the public interest, was published in the Official Gazette on 28 March 2023 and entered into force on 31 March 2023.
For further information: CDEP Website [RO]
Spain
03/16/2023 – Spanish Supervisory Authority | Sanction | Data Minimization
The Spanish Supervisory Authority (“AEPD”) published, on 16 March 2023, its decision in which it imposed a fine of €100,000 on a telecommunications company for violation of the data minimization principle.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | GDPR Violation
The Spanish Supervisory Authority (“AEPD”) fined a bank €100,000 for violation of the GDPR.
In particular, the bank used the information provided by the claimant and her child to open several accounts in the name of the child without consent and while it was not necessary for the services requested.
For further information: AEPD Website [ES]
03/15/2023 – Spanish Supervisory Authority | Sanction | Data Portability
The Spanish Supervisory Authority (“AEPD”) published, on 15 March 2023, a decision in which it imposed a fine of €136,000 on a telecommunications company for completing a data portability request without ensuring the security of the personal data of the client.
For further information: AEPD Website [ES]
03/13/2023 – Spanish Senate | Legislation | Whistleblowing
The Spanish Law 2/2023 implementing the EU Whistleblower Directive was published in the Official Gazette on 20 February 2023 and entered into force on 13 March 2023.
For further information: BOE Website [ES]
United Kingdom
03/28/2023 – UK Supervisory Authority | Guidance | Direct Marketing
On 28 March 2023, the UK Supervisory Authority (“ICO”) issued guidance to businesses operating in regulated private sectors (e.g., finance, communications or utilities) on direct marketing and regulatory communications.
The guidance aims to help businesses identify when a regulatory communication message might count as direct marketing. If the message is direct marketing, it also covers what businesses need to do to comply with data protection and ePrivacy law.
For further information: ICO Website
03/16/2023 – UK Supervisory Authority | Sanction | GDPR Violations
The UK Supervisory Authority (“ICO”) reached an agreement with a retailer to reduce the monetary penalty notice issued for breaching the GDPR from £1,350,000 to £250,000.
The ICO found that the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health related products. The processing involved special category data and the ICO concluded that the processing had been conducted without a lawful basis. The retailer appealed the decision which led to an agreement to reduce the monetary penalty notice, taking into account that the retailer has stopped the unlawful processing.
For further information: ICO Website
03/15/2023 – UK Supervisory Authority | Guidelines | AI and Data Protection
The UK Supervisory Authority (“ICO”) announced on 15 March 2023 that it had updated its guidance on artificial intelligence (“AI”) and data protection.
The ICO indicates that the changes respond to requests from UK industry to clarify requirements for fairness in AI.
For further information: ICO Website
03/13/2023 – UK Supervisory Authority | Guidance | Data Protection by Default
The UK Supervisory Authority (“ICO”) has produced new guidance to help user experience designers, product managers and software engineers embed data protection into their products and services by default.
The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch. It includes both examples of good practice and practical steps that organisations can take to comply with data protection law when designing websites, apps or other technology products and services.
For further information: ICO Website
03/08/2023 – UK Government | Legislation | Cookies
The government re-introduced new laws on 8 March 2023 aiming to cut down paperwork for businesses and reduce unnecessary cookie pops-up.
The Data Protection and Digital Information Bill was first introduced last summer and paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts. According to the government, this was to ensure that the new regime built on the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the “one-size-fits-all” approach of the European Union’s GDPR.
For further information: UK Government Website
02/16/2023 – UK Supervisory Authority | Guidance | Protection of Children
The UK Supervisory Authority (“ICO”) issued a series of recommendations to game developers to ensure the protection of children and compliance with data protection laws.
For further information: ICO Website
This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:
- Ahmed Baladi – Partner, Partner, Co-Chair, PCCP Practice, Paris ([email protected])
- Vera Lukic – Partner, Paris ([email protected])
- Kai Gesing – Partner, Munich ([email protected])
- Joel Harrison – Partner, London ([email protected])
- Alison Beal – Partner, London ([email protected])
- Thomas Baculard – Associate, Paris ([email protected])
- Roxane Chrétien – Associate, Paris ([email protected])
- Christoph Jacob – Associate, Munich ([email protected])
- Yannick Oberacker – Associate, Munich ([email protected])
- Clémence Pugnet – Associate, Paris ([email protected])
© 2023 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.