Gibson Dunn | Europe | Data Protection – Q3 2023

Client Alert | September 11, 2023


Personal Data | Cybersecurity | Data Innovation

Europe

08/25/2023 – Digital Services Act | Regulation | Very Large Online Platforms and Very Large Online Search Engines

On 25 August 2023, the Digital Services Act (“DSA”) started to apply to very large online platforms and very large online search engines.

As a reminder, on 25 April 2023, the European Commission designated nineteen providers of very large online platforms and very large online search engines. The DSA applies to the designated providers from four months after notification of the designation decisions.

For further information: DSA Regulation; European Commission Website


07/25/2023 – European Consumer Organisation | Position Paper | AI Act

The European Consumer Organisation (“BEUC”) published a position paper urging EU legislators, as they enter the final legislative stage on the Artificial Intelligence Act (“AI Act”), to ensure that consumers can expect a high level of protection when using AI systems.

For further information: BEUC Website


07/18/2023 – European Data Protection Board | Information note | EU-US Data transfers

The European Data Protection Board (“EDPB”) published an information note on data transfers to the United States after the adoption of the adequacy decision on 10 July 2023.

The EDPB outlines that transfers to entities in the US which are not included in the “Data Privacy Framework List” cannot be based on the adequacy decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g., through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR.

For further information: EDPB Website


07/12/2023 – European Commission | Strategy | Metaverse

The European Commission issued its strategy for “Virtual Worlds”, commonly referred to as metaverses.

For further information: European Commission Website


07/10/2023 – European Commission | Press Release | EU-US Data Transfers

The European Commission has formally adopted the adequacy decision for the EU-US Data Privacy Framework.

This decision finds that the EU-US Data Privacy Framework provides an adequate level of protection, comparable to that of the European Union, for data transfers from the EU to US companies under the new framework. As a result, personal data can flow safely from the EU to US companies participating in the framework, without having to put in place additional data protection safeguards.

For further information: European Commission Website


07/05/2023 – Council of Europe | Guidelines | Data Processing for Financial Services

The Council of Europe published guidelines on data protection for the processing of personal data for Anti-Money Laundering/Countering the Financing of Terrorism (“AML/CFT”) purposes.

The purpose of these guidelines is to provide orientation on how to integrate the requirements of Convention 108+ in the area of AML/CFT in order to provide for an appropriate level of data protection while facilitating transborder data flows, and to highlight certain areas in the AML/CFT context where data protection safeguards should be strengthened.

For further information: Council of Europe Website


07/04/2023 – Court of Justice of the European Union | Decision | Antitrust, Competition & GDPR enforcement

The Court of Justice of the European Union (“CJEU”) ruled that a competition authority of a Member State may identify a violation of the GDPR in order to establish the existence of an abuse of a dominant position.

For further information: CJEU decision


07/04/2023 – European Commission | Proposal for Regulation | GDPR Enforcement

The European Commission has proposed a new regulation “to streamline cooperation between data protection authorities” with regard to GDPR enforcement in cross-border cases.

The regulation aims to further harmonize procedural rules in cross-border cases. It contains provisions regulating the rights of complainants, the rights of the parties under investigation as well as provisions to streamline the cooperation and dispute resolution process. According to the European Commission, the proposed regulation will lead to “swifter resolution of cases” and enhance the efficiency of GDPR enforcement.

For further information: European Commission Website


06/28/2023 – European Parliament/Council of the EU | Regulation | Data Act

The European Parliament and the Council of the EU have reached a political agreement on the European Data Act. This new legislation aims at “boosting” the EU’s data economy by ensuring a competitive European data market.

The proposal contains, among other things, provisions regulating data access rights and unfair contractual terms, as well as rules governing switching between cloud data-processing service providers. The draft EU Data Act complements the Data Governance Act of November 2020 and is expected to enter into force in late 2024. The next step in the legislative process is the formal passing of the law by the European Parliament and the Council, which is expected later this year.

For further information: European Commission Website


06/22/2023 – Court of Justice of the European Union | Judgement | Data Subject Rights

The Court of Justice of the European Union (“CJEU”) ruled that the scope of the right granted to a data subject is not affected by the fact that the data controller is engaged in the business of banking and acts within the framework of a regulated activity, nor by the fact that the data subject, whose personal data was processed in his capacity as a customer of the controller, was also an employee of that controller.

For further information: CJEU Website


06/21/2023 – European Data Protection Board | Recommendations | Binding Corporate Rules

The European Data Protection Board (“EDPB”) adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (“BCR-C”).

For further information: EDPB Website


06/07/2023 – European Data Protection Board | Guidelines | Calculation of Administrative Fines

The European Data Protection Board (“EDPB”) adopted a final version of the guidelines 04/2022 on the calculation of administrative fines following public consultation.

For further information: EDPB Website


05/24/2023 – European Commission | News Announcement | EU-ASEAN Data Transfers

The European Commission announced that the EU and the Association of Southeast Asian Nations (“ASEAN”) issued a joint guide identifying commonalities between the EU Standard Contractual Clauses (“SCCs”) and the ASEAN Model Contractual Clauses for cross-border data transfers.

The objective of the guide is to assist companies operating across the ASEAN and EU regions in understanding the similarities and differences between the respective contractual clauses, thereby facilitating compliance with ASEAN and EU data protection laws as applicable.

For further information: European Commission Website


05/22/2023 – European Data Protection Board | Case Digest | Right to Object and Erasure

The European Data Protection Board (“EDPB”) published a case digest on the right to object and erasure.

In particular, the case digest examines a selection of one-stop-shop decisions taken from the EDPB’s public register relating to Articles 17 and 21 of the GDPR. Most of the complaints under those articles concern minor violations where the data controller shows active cooperation, with spontaneous remediation of the infringement. Hence, the decisions analyzed often result in reprimands. Although in some cases the lead supervisory authorities have imposed specific sanctions on data controllers, this is usually due to a large number of infringements of the GDPR, with a minor role played by violations of Articles 17 and 21.

For further information: EDPB Website


05/04/2023 – Court of Justice of the European Union | Decision | Right to Compensation

The Court of Justice of the European Union ruled that a mere infringement of the GDPR does not give rise to a right to compensation.

Overall, the Court stated that the right to compensation under the GDPR is subject to three cumulative conditions: an infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. Moreover, the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness. Finally, as the GDPR does not contain any rules governing the assessment of damages, it is for each Member State to prescribe them, in particular, the criteria for determining the extent of compensation payable in that context, provided that the principles of equivalence and effectiveness are complied with.

For further information: CJEU Website


05/04/2023 – Court of Justice of the European Union | Decision | Data Subjects Rights

The Court of Justice of the European Union ruled that the data subject’s right to obtain from the controller a “copy” of the personal data undergoing processing as per Article 15(3) GDPR means that the data subject must be given a faithful and intelligible reproduction of all those personal data.

In particular, that entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases, if the provision of such copy is essential to enable the data subject to exercise effectively the right granted to him/her by that regulation, taking into account the rights and freedoms of others.

For further information: CJEU Website


04/26/2023 – European Union General Court | Decision | Pseudonymized Data

The General Court of the European Union ruled that in order to determine whether information constitutes personal data, it is necessary to determine whether the information relates to “identifiable persons”. The European Data Protection Supervisor (“EDPS”) has appealed this decision before the Court of Justice of the European Union (“CJEU”) on 5 July 2023.

The EDPS argues that the General Court has not interpreted the relevant provisions correctly. The EDPS therefore asks the CJEU to set aside the General Court’s judgment in its entirety and to give a final judgment in the dispute.

For further information: Official Journal of the European Union Website; CJEU Website


04/19/2023 – European Data Protection Board | Report | 101 NOYB Data Transfer Complaints

The European Data Protection Board (“EDPB”) published a report of the work undertaken by the supervisory authorities within the 101 Task Force.

The report sets out the common positions agreed by the supervisory authorities taking part in the task force with a view to handling the “101 complaints” received from NOYB in the aftermath of the Schrems II ruling. Notably, several supervisory authorities have ordered website operators to comply with the requirements of Chapter V of the GDPR, and if necessary, to stop the transfer at stake.

For further information: EDPB Website


04/17/2023 – European Data Protection Board | Guidelines | Right of Access

The European Data Protection Board (“EDPB”) published a final version of the guidelines 01/2022 on data subjects’ right of access, following a public consultation.

For further information: EDPB Website


04/17/2023 – European Data Protection Board | Guidelines | Lead Supervisory Authority

The European Data Protection Board (“EDPB”) published a final version of the guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority.

For further information: EDPB Website


04/13/2023 – European Data Protection Board | Guidance | Data Subject Rights

The European Data Protection Board (“EDPB”) published a guide for exercising data subjects’ rights, compiled by the Schengen Information System (“SIS”) II Supervision Coordination Group.

For further information: EDPB Website


04/04/2023 – European Data Protection Board | Guidelines | Personal Data Breach Notification

The European Data Protection Board released a new version of its guidelines 9/2022 on personal data breach notification under the GDPR.

For further information: EDPB Website


04/04/2023 – European Commission | Statement | Japan-EU Mutual Adequacy Arrangement

The European Commission released a joint press statement on the successful conclusion of the first review of the Japan-EU mutual adequacy arrangement.

In 2019, the EU and Japan recognized each other’s data protection systems as “equivalent”, thereby allowing personal data to flow freely between them. This arrangement created the world’s largest area of free and safe data flows.

For further information: European Commission Website


Austria

05/10/2023 – Austrian Supervisory Authority | Sanction | GDPR Violations

The Austrian Supervisory Authority issued a sanction against an American facial recognition company for multiple breaches of the GDPR, but did not issue a fine.

The facial recognition company reportedly owns a database including over 30 billion facial images from all over the world, which are extracted from public web sources. The complainant found out that his image data was processed by the company and lodged a complaint. In particular, the Austrian Supervisory Authority found that the processing carried out by the company serves a completely different purpose from the original publication of the complainant’s personal data (especially photographs).

For further information: EDPB Website


Belgium

05/24/2023 – Belgian Supervisory Authority | Press Release | Personal Data Transfers

The Belgian Supervisory Authority announced the prohibition of transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance to the US tax authorities under the intergovernmental Foreign Account Tax Compliance Act (“FATCA”) agreement.

The Litigation Chamber of the Belgian Supervisory Authority held that the generalized and undifferentiated transfer of tax data provided under FATCA breaches the principle of purpose limitation (FATCA does not contain exact objectives for the transfer of data), as well as the principles of proportionality and data minimization of the GDPR.

For further information: ADP Website


05/22/2023 – Belgian Supervisory Authority | Announcement | 2022 Annual Activity Report

The Belgian Supervisory Authority announced the publication of its 2022 annual activity report.

In particular, the report highlights that in 2022 the Authority received 604 complaints, and that the main topics of the complaints and requests for mediation were direct marketing as well as photos and cameras. The Dispute Chamber of the Authority issued 189 decisions in 2022, including fines totaling €738,900. As for data breaches, the Authority opened 1,426 data leak files.

For further information: ADP Website [FR]


Denmark

07/13/2023 – Danish Supervisory Authority | Guidance | Right to erasure

The Danish Supervisory Authority expanded its guidance on what applies when an individual wants to have a search result related to him/her deleted from a search engine (e.g. Google and Bing).

For further information: Datatilsynet Website [DK]


06/27/2023 – Danish Supervisory Authority | Guidance | Video Surveillance

The Danish Supervisory Authority published new guidance on video surveillance used by companies.

For further information: Datatilsynet Website [DK]


03/29/2023 – Danish Supervisory Authority | Guidance | Employment Relationships

The Danish Supervisory Authority published an updated guidance on data protection in employment relationships.

For further information: Datatilsynet Website [DK]


Finland

08/08/2023 – Finnish Supervisory Authority | Press Release | Data transfers

The Finnish Supervisory Authority announced that it has issued an order to an international platform which provides taxi services to suspend its data transfers from Finland to Russia temporarily and to cease the processing of the personal data.

The Authority considers that this order is necessary because a legislative reform that will enter into force in Russia will significantly weaken the protection of customers’ personal data when they use the platform. For instance, the Russian intelligence service will have the right to receive data processed in taxi operations.

For further information: Ombudsman Website


France

06/22/2023 – French Supervisory Authority | Sanction | GDPR Violations

The French Supervisory Authority published a decision, issued on 15 June 2023, imposing a €40 million fine on an advertising company for several GDPR violations.

The company specializes in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalized advertisements. In particular, the Authority considered that the advertising company had failed to demonstrate that the data subjects gave their consent.

For further information: CNIL Website


06/15/2023 – French Supervisory Authority | Sanction | GDPR Violations

The French Supervisory Authority published a decision, issued on 8 June 2023, imposing a €150,000 fine on a company which provides clairvoyance consultations through its website (by chat or telephone), for failing to comply with its obligations under the GDPR and the French Data Protection Act.

In particular, the Authority found that the company collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.

For further information: CNIL Website


05/26/2023 – French Supervisory Authority | Decision | Consent

The French Supervisory Authority published a decision issued on 11 May 2023, in which it closed the injunction issued on a technology company.

On 19 December 2022, the company was fined 60 million euros by the Authority, which also required the company, within three months, to allow users of its search engine located in France to give their consent to the use of trackers to combat advertising fraud, as soon as they arrived on the website. The company responded within the timeframe and made technical modifications so that tracking linked to the fight against advertising fraud would be inactive in the absence of specific consent from French users.

For further information: CNIL Website


05/17/2023 – French Supervisory Authority | Sanction | Health Data and Cookies

The French Supervisory Authority published a decision, issued on 11 May 2023, imposing a €380,000 fine on a health and well-being website for several breaches of the GDPR and of the French Data Protection Act.

Following a complaint by an association, the Authority carried out investigations into the company. The Authority identified several infringements, namely a failure to store data for no longer than necessary, failure to obtain consent from individuals to collect their health data, failure to provide a formal legal framework for the processing operations carried out jointly with another data controller, failure to ensure the security of personal data and a failure to comply with obligations related to the use of cookies.

For further information: CNIL Website


05/16/2023 – French Supervisory Authority | Action Plan | Artificial Intelligence

The French Supervisory Authority published its action plan for the deployment of AI systems that respect individuals’ privacy.

In 2023, the Authority will extend its work on augmented cameras and intends to expand it to generative AI, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: (i) understand the functioning of AI systems and their impact on people, (ii) enable and guide the development of privacy-friendly AI, (iii) federate and support innovative players in the AI ecosystem in France and Europe, and (iv) audit and control AI systems and protect people. This work will also help prepare for the entry into application of the draft European AI Regulation currently under discussion.

For further information: CNIL Website


05/10/2023 – French Supervisory Authority | Sanction | Compliance

The French Supervisory Authority published a decision, issued on 17 April 2023, imposing a €5.2 million fine on a facial recognition company for failing to comply with the injunction issued in its October 2022 sanction decision.

The Authority had fined the company €20 million and enjoined it to refrain from collecting and processing the data of individuals in France without a legal basis, and to delete the data of these individuals after responding to requests for access. The injunction was accompanied by a penalty of 100,000 euros per day of delay at the end of the two-month period. The Authority considered that the company had not complied with the order and imposed an overdue penalty payment.

For further information: CNIL Website [FR]


05/09/2023 – French Supervisory Authority | Publication | Data Protection Officers

The French Supervisory Authority announced that as part of a coordinated enforcement framework at the European level, it is conducting audits on public and private organizations to verify the role and means entrusted to their Data Protection Officer (“DPO”).

For its assessment, the Authority sent a dozen surveys in April to public institutions, local authorities and private companies, particularly in the luxury and transport sectors. The answers provided by the organizations will be analyzed in coordination with the Authority’s European counterparts. Depending on the results of these initial checks, on-site inspections may be carried out to complete the findings.

For further information: CNIL Website [FR]


04/03/2023 – French Supervisory Authority | Guidelines | Security of Personal Data

The French Supervisory Authority published updated guidelines relating to personal data security.

These guidelines aim to support actors dealing with personal data by reminding them of the basic precautions to be taken. The updated guidelines take into account the Authority’s latest recommendations regarding passwords and login.

For further information: CNIL Website [FR]


03/21/2023 – French Supervisory Authority | Publication | Connected Vehicles

The French Supervisory Authority announced the creation of a “compliance club” dedicated to players in the connected vehicle and mobility sectors, as part of its industry support initiative.

This privileged forum for dialogue will enable regular exchanges on issues affecting the daily lives of French individuals, and encourage innovation that respects their privacy.

For further information: CNIL Website [FR]


Germany

08/17/2023 – German Federal Ministry of the Interior and Community | Regulation | Federal Data Protection Act

The German Federal Ministry of the Interior and Community is working on an amendment to the Federal Data Protection Act. The Ministry’s current legislative draft has become public following a request under Germany’s Freedom of Information Act (“IFG”).

The draft is still at a very early stage and aims at institutionalizing the German Data Protection Conference (“Datenschutzkonferenz” / DSK), a body consisting of representatives from each of the German data protection authorities. Additionally, the proposed provisions include various changes, e.g. simplifications in terms of determining which authority is competent.

For further information: FragDenStaat [DE]


08/02/2023 – Berlin Supervisory Authority | Sanction | Data Protection

The Berlin Supervisory Authority announced the imposition of a €215,000 fine on a company for unlawfully documenting a list of information, including sensitive data, about employees in their probationary period.

The Authority found that, in order to decide whether to continue the employment of the data subjects, the company was recording health-related and other personal reasons, unrelated to the company, that conflicted with flexible shift scheduling.

For further information: BlnBDI [DE]


06/06/2023 – German Federal Labour Court | Decision | Data Protection Officers

The German Federal Labour Court has ruled that the chairman of a works council usually cannot serve as data protection officer at the same time. The Court reasons that holding both positions would typically lead to a conflict of interest.

For further information: German Federal Labour Court Press Release [DE]


06/02/2023 – German Parliament | Regulation | Whistleblowing Directive

The Law to improve the protection of whistleblowers and to implement the directive on the protection of persons who report violations of Union law, which transposes the Whistleblowing Directive, was published in the Federal Gazette.

For further information: Official Gazette [DE]


05/31/2023 – Berlin Supervisory Authority | Sanction | GDPR Violations

The Berlin Supervisory Authority announced issuing a fine of €300,000 on a bank for lack of transparency regarding an automated individual decision.

In particular, the complainant informed the Authority that the bank’s algorithm rejected its application for a credit card without providing any specific justification, preventing the complainant from challenging the automated decision.

For further information: BlnBDI Website [DE]


04/19/2023 – Schleswig-Holstein Supervisory Authority | Questionnaire | Artificial Intelligence Chatbot

The Schleswig-Holstein Supervisory Authority published the questionnaire that was sent by German Supervisory Authorities to an AI chatbot company in relation to its data processing.

For further information: UDL Website [DE]


04/14/2023 – Federal Office for Information Security | Guide | Security and Artificial Intelligence

The Federal Office for Information Security (“BSI”) published a Practical AI-Security guide.

The guide gives a brief and clear presentation of the current state of research on attacks against AI systems, and also presents developers with possible defenses against such attacks.

For further information: BSI Website [DE]


Ireland

08/21/2023 – Irish Supervisory Authority | Sanction | Data minimization

The Irish Supervisory Authority published a decision imposing a reprimand and corrective measures on an online platform providing intermediation services, for infringing the principle of data minimization.

In particular, the Authority found that the platform’s retention of a copy of the complainant’s identity documentation after the successful completion of the identity verification process infringed the principle of data minimization.

For further information: DPC Website


04/28/2023 – Irish Supervisory Authority | Guidance | Data Protection in the Workplace

The Irish Supervisory Authority announced the publication of guidance for employers, regarding data protection in the workplace.

This new guidance is specifically aimed at assisting employers as data controllers regarding their data processing obligations and duties when processing the personal data of their employees, former employees and prospective employees.

For further information: DPC Website


04/19/2023 – Irish Supervisory Authority | Guidance | Records of Processing Activities

The Irish Supervisory Authority announced the publication of guidance on records of processing activities.

For further information: DPC Website


Italy

07/06/2023 – Italian Supervisory Authority | Annual Report

The Italian Supervisory Authority published its annual report for the year 2022.

The report outlines the need for ensuring the protection of data subjects’ rights and freedoms against the risks resulting from large-scale processing activities based on AI tools, as well as actions of the Authority in this regard.

For further information: Garante Website [IT]


06/22/2023 – Italian Supervisory Authority | Sanction | GDPR violation

The Italian Supervisory Authority announced that a concessionaire for the construction and management of toll motorways was fined €1 million for violating the GDPR.

In this ruling, the Authority considered that the concessionaire had violated the principles of fairness and transparency, given its failure to provide adequate information in relation to the processing, as well as the misclassification of its status under the GDPR.

For further information: Garante Website [IT]


06/09/2023 – Italian Supervisory Authority | Sanction | GDPR Violations

The Italian Supervisory Authority published a decision, issued on 14 April 2023, in which it imposed a fine of €676,956 on an energy provider for data protection failures with regard to promotional calls.

The Authority outlined that, by virtue of the principle of accountability and privacy by design, the data controller should prepare suitable measures to guarantee, at any time and, even more so, at the request of the Authority, the traceability of all operations carried out.

For further information: Garante Website [IT]


04/20/2023 – Italian Supervisory Authority | Press Release | Dark Patterns

The Italian Supervisory Authority published information on deceptive design patterns that can influence online browsing behavior and hinder data protection.

The Authority launched an information page which is part of a large information and awareness project on data protection, digital education and safety, for a conscious use of the Internet and new technologies.

For further information: Garante Website [IT]


04/14/2023 – Italian Supervisory Authority | Sanction | Unlawful Telemarketing Activities

The Italian Supervisory Authority issued a decision on 13 April 2023 imposing a €7,631,175 fine on a telecommunications company for multiple GDPR violations.

In particular, the Authority found that the company had failed to reply to data subject access requests, lacked valid documentation demonstrating consent to the company’s commercial communications, failed to act on a data breach and remained inactive over time.

For further information: Garante Website [IT]


Netherlands

05/17/2023 – Dutch Supervisory Authority | Annual Plan 2023

The Dutch Supervisory Authority published its annual plan for the year 2023.

In 2023, the Authority will pay particular attention to (i) algorithms & AI, (ii) big tech, and (iii) freedom & security.

For further information: AP Website [NL]


04/13/2023 – Dutch Supervisory Authority | Sanction | Inadequate Identity Checks

The Dutch Supervisory Authority announced the imposition of a €150,000 fine on the organization which implements national insurance schemes in the Netherlands, for failing to adequately confirm the identity of callers to its telephone helpdesk and disclosing personal data to unauthorized individuals.

The organization has now taken measures to address the matter.

For further information: AP Website [NL]


Norway

07/27/2023 – Norwegian Supervisory Authority | Advice | Analytics and Tracking

The Norwegian Supervisory Authority published advice on the use of website analytics and tracking.

As not all analytics and tracking tools on the market are lawful, the Authority provides guidance to website operators (e.g., regarding cookie banner requirements, the use of consent as a legal basis, and data transfers).

For further information: Datatilsynet Website [NO]


Portugal

04/20/2023 – Portuguese Supervisory Authority | Press Release | Security Incidents

The Portuguese Supervisory Authority published an overview of the security incidents in Portugal for the year 2022.

In 2022, 37 security incidents were reported to the Authority by electronic communications network and service companies, impacting approximately 6.4 million subscribers.

For further information: ANACOM Website [PT]


Spain

08/22/2023 – Council of Ministers | Authority Appointment | Artificial Intelligence

The Council of Ministers has approved the statute of the Spanish Agency for the Supervision of Artificial Intelligence (AESIA).

With the creation of the AESIA, Spain becomes the first European country to have such an entity and anticipates the entry into force of the European Artificial Intelligence Act.

For further information: Government Website [ES]


08/21/2023 – Spanish Supervisory Authority | Sanction | Sub-processing

The Spanish Supervisory Authority published a decision imposing a €120,000 fine (reduced to €72,000) on a transport company for unlawful sub-processing.

The Authority found that the subcontracting clearly did not comply with the GDPR, because no contracts or other legal acts had been formalized and no prior authorizations had been obtained before their formalization.

For further information: AEPD Website [ES]


07/28/2023 – Spanish Supervisory Authority | Sanction | Security

The Authority issued a €2,5 million fine against a bank for failing to implement appropriate security measures.

In particular, the Authority considered that the technical and organizational measures implemented by the bank did not guarantee a level of security appropriate to the risk, due to the nature of the personal data processed, which deserve special protection in terms of their confidentiality and integrity.

For further information: AEPD Website [ES]


07/11/2023 – Spanish Supervisory Authority | Guidance | Cookies

The Spanish Supervisory Authority released an updated cookie guide taking into account the EDPB guidelines on deceptive design patterns.

For further information: AEPD Website [ES]


05/09/2023 – Spanish Supervisory Authority | Guidelines | Encryption

The Spanish Supervisory Authority published guidelines for the validation of cryptographic systems in data protection processing.

For further information: AEPD Website [ES]


Sweden

06/27/2023 – Swedish Supervisory Authority | Press Release | Profiling

The Swedish Supervisory Authority published its decision, issued on 26 June 2023, imposing a fine of SEK 13 million (approx. €1,09 million) on a publishing company, for profiling its customers and web visitors without consent.

For further information: IMY Website


06/12/2023 – Swedish Supervisory Authority | Sanction | GDPR Violations

The Swedish Supervisory Authority issued a decision imposing a SEK 58 million (approx. €4,9 million) fine on a company providing an audio streaming service for shortcomings regarding the right of access.

The Authority considered that the company did not provide information about how it uses the personal data it processes when individuals made access requests, and specified that this information must be easy to understand. In addition, personal data that is difficult to understand, such as data of a technical nature, may need to be explained not only in English but in the individual’s own native language. The Authority further found that the company had failed in its handling of access requests in two out of the three complaints examined.

For further information: NOYB Website


Switzerland

05/11/2023 – Swiss Supervisory Authority | Press Release | Revised Federal Act on Data Protection | Website Update

The Swiss Supervisory Authority updated the content of its website in anticipation of the new Data Protection Act coming into force on 1 September 2023. At the same time, it is launching the “DataBreach Portal” for reporting security vulnerabilities.

For further information: FDPIC Website


United Kingdom

08/30/2023 – UK Supervisory Authority | Guidance | Email Communications

The UK Supervisory Authority published new guidance for organisations sending bulk communications by email.

For further information: ICO Website


08/24/2023 – UK Supervisory Authority | Guidance | Data Scraping

The UK Supervisory Authority released a joint statement on data scraping and the protection of privacy with agencies from Australia, Canada, Hong Kong, Switzerland, Norway, New Zealand, Colombia, Jersey, Morocco, Argentina and Mexico.

The statement calls for the protection of people’s personal data from unlawful data scraping taking place on social media sites. It also sets expectations for how social media companies should protect people’s data from unlawful data scraping.

For further information: ICO Website


08/18/2023 – UK Supervisory Authority | Guidance | Biometric Data

The UK Supervisory Authority published draft guidance on biometric data and biometric technologies, which is open for public consultation until 20 October 2023.

For further information: ICO Website


07/17/2023 – UK Supervisory Authority | Blog | Unlawful Marketing

The UK Supervisory Authority released a blog post on its ongoing work to tackle unlawful marketing calls and messages.

The UK Supervisory Authority has issued more than £2,4 million in fines (approx. €2,8 million) since April 2022, through the enforcement of the UK Privacy and Electronic Communications Regulations 2003, against companies responsible for nuisance calls, texts and emails.

For further information: ICO Website


07/06/2023 – National Cyber Security Centre | Report | Risk Management

The National Cyber Security Centre announced the release of its sixth annual report providing a retrospective summary of the work carried out as part of the Active Cyber Defence programme.

For further information: NCSC Website


06/19/2023 – UK Supervisory Authority | Guidance | Privacy-Enhancing Technologies

The UK Supervisory Authority issued guidance which discusses privacy-enhancing technologies (“PETs”).

As a reminder, PETs are technologies that embody fundamental data protection principles by (i) minimizing personal data use, (ii) maximizing information security, or (iii) empowering people.

For further information: ICO Website


06/08/2023 – UK Supervisory Authority | Sanction | Unlawful Marketing Calls

The UK Supervisory Authority announced it fined two energy companies a total of £250,000 (approx. €291,577) for bombarding people and businesses on the UK’s “do not call” register with unlawful marketing calls.

The UK Supervisory Authority also issued an enforcement notice to both companies to stop calling people and businesses on the UK’s “do not call” register, or who had previously objected to such calls.

For further information: ICO Website


06/08/2023 – UK Government | Press Release | UK-US Data Transfers

The UK and US have reached a commitment to establish the UK Extension to the Data Privacy Framework, which will create a “data bridge” between the two countries.

US companies that are approved to join the framework would be able to receive UK personal data under the new data bridge.

For further information: UK Government Website


05/30/2023 – UK Supervisory Authority | Guidance | Children’s Data

The UK Supervisory Authority announced that it updated its guidance on edtech and the Children’s code to clarify when an edtech service may be in the scope of the Children’s code.

For further information: ICO Website


05/24/2023 – UK Supervisory Authority | Guidance | Access Requests and Employers

The UK Supervisory Authority published new guidance for businesses and employers on responding to data subject access requests (“SARs”).

For further information: ICO Website


05/19/2023 – UK High Court of Justice | Decision | Loss Of Control Over Personal Data

The High Court struck out a class action claim for damages in relation to loss of control over personal data against a technology company and its AI company, and ordered summary judgment in their favor.

For further information: Royal Courts of Justice Website


04/14/2023 – UK Supervisory Authority | Sanction | Consent

The UK Supervisory Authority announced that it had imposed a £130,000 (approximately €150,000) fine on a job search website provider for sending 107 million spam emails targeting jobseekers.

The UK Supervisory Authority established in its decision that the company had not obtained valid consent to send direct marketing in accordance with the UK Privacy and Electronic Communications Regulations 2003.

For further information: ICO Website


04/13/2023 – National Cyber Security Centre | Guidance | Security by Design and by Default

On 13 April 2023, the National Cyber Security Centre (“NCSC”) as well as agencies from the US, Australia, Canada, Germany, the Netherlands and New Zealand issued a new joint guide on security by design and by default.

In particular, the guide encourages software manufacturers to embed secure-by-design and by-default principles into their products to help keep customers safe.

For further information: NCSC Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2023 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.