EU/UK Privacy & Cybersecurity News Roundup – Week Of July 31, 2023

Data privacy case law and legislation is constantly updated in the United Kingdom and European Union to address key issues. In order to track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

On July 19, the Polish data protection authority (UODO) announced its decision in Case No. DKN.5131.8.2021, as issued on May 31, 2023, in which it fined an unnamed company PLN 47,000 (approx.. $10,000) for violations of the General Data Protection Regulation, following the anonymous notification of a personal data breach to the UODO. You can read the press release here and the decision here, both available in Polish.
On July 24, the Lithuanian State Data Protection Inspectorate (VDAI) published its decision of April 20, 2023, in which it imposed a fine of €20,000 on a company for violation of the GDPR, following a complaint from an individual. The personal data of over 50,000 data subjects was compromised. The VDAI found that the company's information systems had not implemented measures to ensure proper access control and the authentication of IT system administrators. The company was found to be in violation of Article 32(1)(b) of GDPR, in failing to ensure ongoing confidentiality, integrity, availability and resilience of data processing systems, and Article 32(1)(d) of GDPR for failing to ensure regular testing evaluation and review of technical and organisational measures. You can read the decision, available in Lithuanian, here.
On July 26, the Italian Garante announced in its newsletter its Decision No. 246, imposing a fine of €40,660 on RCS Mediagroup S.p.a. for violation of the GDPR, and the Personal Data Protection Code, as well as the Deontological Rules relating to Processing of Personal Data in the Exercise of Journalistic Activity, following a complaint from an individual. The Garante reported that the magazine 'Oggi' published by RCS Mediagroup, had released photographs of the complainant taken from a car parked on the street, portraying the complainant inside their flat in a private situation. The Garante found RCS Mediagroup in breach of Articles 5(1)(a) and 5(1)(c) of the GDPR, for violations of basic principles of processing, as well as Italian laws on personal data processing. You can read the newsletter here and decision here, both available in Italian.
On July 26, the Italian data protection authority (Garante) announced its Decision No. 231, in which it imposed a fine of €20,000 on Ew Business Machines S.p.A. (Ew) for violation of the GDPR and the Personal Data Protection Code, following a complaint from an individual. The Garante explained that Ew had installed an alarm system whose activation and deactivation were based on the use of fingerprints, a video surveillance system, and an application for geolocation of its employees. The Garante found that this processing had not been necessary to fulfil the obligations and rights of the data controller, and the surveillance had been massive, prolonged, and indiscriminate. You can read the decision here, only available in Italian.
On July 27, the Polish data protection authority (UODO) announced its decision in Case No. DKE. 561.37.2022 fining an unnamed company PLN 14,148 for violations of the GDPR by failing to cooperate with the UODO. The UODO stated it had received a complaint from an unnamed person that the company had published the personal data of the complainant in a letter and other documents sent to third parties. At the end of its investigation, the UODO determined that the company had violated Articles 31 and 58(1), letters (a) and (e) of the GDPR by failing to cooperate with the UODO and to provide information to aid the same in its investigation. You can read the decision here, available in Polish.
On July 27, the Polish data protection authority (UODO) announced its decision in Case No. DOKE.561.1.2023, as issued on June 21, 2023, in which it fined the company PLN 33,012 (approx. $8,174) for violating the General Data Protection Regulation (GDPR), by failing to cooperate with the UODO. As part of its investigation, the UODO noted that it sent several letters to the company requesting further information, including on the legal basis and purpose of processing the complainant's personal data. However, according to the UODO, the company did not respond to any of the letters. In light of the above, the UODO found that the company had violated the GDPR and fined it PLN 33,012 (approx. $8,174). You can read the decision here, available in Polish.

Legislation

On July 25, the European Consumer Organisation (BEUC) released a position paper in which it called EU legislators to ensure a high level of consumer protection ahead of the final phase of negotiations on the Artificial Intelligence Act (the AI Act). The BEUC issued the following recommendations, among others. The position paper notes that the AI Act should go back to the Commission's proposal. In this sense, AI systems should automatically be classified as "high risk" if they are mentioned in Annex III of the AI Act. The position paper also recommends following the approach of the Parliament in relation to regulating generative AI systems and foundation models, which among other things, should be subject to a set of specific rules and not only be regulated when used in a high-risk context. You can read the position paper here.
On July 26, the Cyprus Office of the Commissioner for Personal Data Protection announced it had signed a Memorandum of Understanding with the Communications Commissioner. The Commissioners noted the aim of establishing a framework of procedures and adopting and implementing appropriate mechanisms for more efficient and effective cooperation in receiving and/or processing data breach notifications and incidents from service and infrastructure operators. You can read the announcement in Greek, here.

Guidance & Draft Guidance

On July 20, the Information Commissioner's Office (ICO) published a blog post on achieving its objective of promoting openness, transparency, accountability, and good practices in public organisations in relation to its duties under the Freedom of Information Act and its Codes of Practice. To achieve this, the ICO noted that it needed to support public organisations to perform their statutory duties and prevent breaches of access to information legislation. The ICO stated it had worked closely with freedom of information practitioners and public organisations and published a report highlighting the common issues faced by public organisations in getting access to information. The ICO identified key themes, namely working with key organisations to produce new tools, guidance and training, increasing engagement with the Freedom of Information Community, promoting ease of access and supporting compliance with proactive disclosure. The ICO noted that it will continue to share learnings and best practices through case studies. You can read the press release here.
On July 18, 2023, the Future of Privacy Forum (FPF) announced the publication of the latest update of its report titled "The Spectrum of Artificial Intelligence - Companion to the FPF AI Infographic" accounting for the development and use of advanced generative artificial intelligence (AI) tools. The report focuses on generative AI, analysing the operation and development of the technology, generative AI's use of personal information, the ability of individuals to meaningfully utilise access, correction or deletion rights, as well as means and methods available to minimise inaccurate information and hallucinations in outputs. The purpose of the report is to gain a better understanding of the kinds of AI systems and how they benefit organisations policymakers and general public. You can read the press release here, and the report here.
On July 21, the French data protection authority (CNIL) announced it had opened a sandbox dedicated to artificial intelligence (AI). CNIL highlighted that the sandbox is aimed at organisations facing new issues related to personal data regulation but does not allow for legal constraints to be lifted. Alternatively, CNIL noted that organisations will benefit from extensive support of the project. Specifically, the sandbox aims to develop appropriate regulations for the use of AI in public services, for the purposes of achieving an improvement of the public service offered. Notably, the sandbox is open to organisations that use AI in the context of public services including public and private bodies so long as the project is carried out with public actors or is specifically deemed as fulfilling a need identified by public actors. Applications for the sandbox are open until September 30, 2023. You can read the press release, only available in French, here.
On July 21, the National Anti-Corruption Authority of Italy announced on Twitter that it had launched the new portal dedicated to whistleblowing reports under Decree No. 24 of 10 March 2023, Implementing the EU Whistleblowing Directive. Notably, the Whistleblowing Decree entered into force on March 30, 2023 and its provisions took effect on July 15 2023. You can read the announcement here, and the portal here, available in Italian.
On July 21, the French data protection authority (CNIL) requested public comments on the draft recommendation on mobile applications. In particular, the draft recommendation applies to professionals working in mobile apps, including app publishers and developers, software development kid vendors, operating system vendors and app store providers. Specifically the draft recommendation aims to help professionals determine their legal status under the GDPR. Public comments can be submitted here until October 8, 2023. You can read the draft recommendation here, available in in French.
On July 25, the Spanish data protection authority (AEPD) published a blog post on the Digital Citizens' Folder, which is an online single access point for citizens to know what data is held by which public entity as well as data exchanged between administrations. The AEPD explained that the Digital Citizens' Folder simplifies and facilitates the exercise of the right of access. This will enhance transparency between citizens and public administrations, and allow citizens to access and have control over their personal data. You can read the blog post here.
On July 27, the French CNIL announced the development of a report on artificial intelligence (AI). In particular, CNIL reminded that it issued an action plan on AI in May 2023 to clarify queries surrounding the use of personal information by AI and the application of the GDPR. More specifically, CNIL outlined that it aims to collect contributions on questions including the purpose of general-purpose AI, the methods of selection, cleaning and minimisation of data available at the state of the art, any approaches to consider for data protection by default and design, and the criteria to consider if legitimate interest is the legal basis for database training. Any private or public actor can participate in the request for contributions. You can read the press release, only available in French, here.
On July 27, the UK National Cyber Security Centre (NCSC) released guidance on shadow IT. In particular, the guidance, aimed at system owners and technical staff, assists in identifying and reducing the levels of shadow IT in organisations and mitigate the presence of unknown IT assets. You can read the guidance here.
On July 27, the Norwegian data protection authority (Datatilsynet) published its advice on the use of website analytics and tracking. In particular, Datatilsynet explained that while there are many analytics and tracking tools on the market, organisations should assess whether it is legal to use such tools on their website. You can read the advice, only available in Norwegian, here.
On July 27, the Welsh Government published a digital and data strategy for health and social care in Wales to improve the delivery of health services, through the use of technology and data. The Welsh government noted that the strategy would launch the ongoing NHS Wales application to support citizens' health management, implement and embed standards across digital health, and focus on digital infrastructure and connectivity. The Welsh government also noted that it will develop a comprehensive single digital health and social care record for Wales, and publish and implement standards-based rules governing access to a share health and social care record for Wales. You can read the strategy here.

Data Protection Authority Updates and Privacy News

On July 26, the Information Commissioner's Office (ICO) issued a statement regarding concerns about banks sharing personal information with the media. According to the ICO, John Edwards wrote to UK banks after an incident regarding the sharing of personal financial information to remind banks of their duty of confidentiality and responsibilities to the public. Edwards added that banks should not discuss personal information with the media, use information in ways that are unduly unexpected, or hold any more information than necessary. Edwards specified that the ICO is working with HM Treasury and the Financial Conduct Authority regarding rules about information that banks gather around politically exposed persons. You can read the press release here.
On July 27, None of your Business (NOYB) announced it had filed a complaint with the Spanish data protection authority (AEPD) against Ryanair DAC for violations of GDPR. NOYB explained that the claimant had booked a flight with Ryanair through a travel agency. Following the booking the claimant received an email requiring them to go through a 'verification process' which involved facial recognition. You can read the press release here and the complaint, only available in Spanish, here.