The European Commission initiated the formal process for adopting an adequacy decision on the EU-US Data Privacy Framework on Tuesday (13 December). But the third attempt to underpin transatlantic data transfers is bound to face more legal challenges. Read here →
The top adviser to the sanctioning body of the French Data Protection Authority (CNIL) recommended a 6 million euro ($6.3 million) fine for Apple’s (AAPL.O) breach of privacy rules, as reported by Reuters. Read about this on our Blog →
The OECD countries approved the first intergovernmental agreement on shared approaches to protecting the privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes. Read here →
The first Tech Horizons Report from the UK Data Protection Authority (ICO) has been released. The yearly report examines the implications of some of the most significant technological developments for privacy over the next two to five years including consumer healthcare, Internet of Things devices, and immersive technology. Access here →
2) Notable Case Law
The Spanish Data Protection Authority (AEPD) fined Vodafone España, S.A.U. for €70,000, subsequently reduced to €56,000, due to the processing of personal data without a legal basis thus in violation of Article 6 (1) of the EU General Data Protection Regulation (GDPR). Read about the decision here → (in Spanish)
The Portuguese Data Protection Authority (CNPD) imposed a €4.3 million fine on the National Institute of Statistics for the violations of GDPR obligations with regard to the unlawful processing of personal data relating to health and religion and the failure to inform data subjects about the latter, the international transfer of data and the failure to carry out a Data Protection Impact Assessment. The Authority’s summary can be found here → (in Portuguese)
3) New and Upcoming Legislation
The European Commission has announced a public consultation to draft an implementing regulation for the Digital Markets Act, in particular addressing the obligations and procedures under Article 46 of the DMA. Comments can be submitted via the dedicated portal before January 6, 2023. See the draft here →
The National Assembly of the Republic of Slovenia, the “Drzavni Zbor”, voted 50-8 to adopt the law on the protection of personal data. The legislation transposes the EU General Data Protection Regulation (GDPR) into Slovenian legislation, as the country has met all the requirements to fully implement the GDPR. The law refers to Article 38 of the country’s constitution. Reported here → (in Slovenian)
During a board meeting on December 16, the California Privacy Protection Agency Executive Director Ashkan Soltani said the final regulations will likely be released in late January while the CPRA takes effect on January 1, 2023. The regulations will then be reviewed by the California Office of Administrative Law and take effect around April. Read more here →
4) Strong Impact Tech
Microsoft Corp (MSFT.O) announced that beginning January 1, 2023, its European Union cloud customers would be able to process and store portions of their data in the region. Read here →
According to Axios, Samuel Levine, the director of the US Federal Trade Commission’s Bureau of Consumer Protection, warned that the agency “is not afraid to take companies to court” over data practices. Reported here →
Senator Ron Wyden (D-Ore.) has urged the Federal Trade Commission to look into whether an Internet infrastructure provider violated millions of people’s privacy rights by selling their data to the federal government. See here →
Elon Musk is reportedly considering forcing Twitter users to accept personalized advertising, barring an opt-out for ads if they subscribe, according to a report by Platformer. Read here →
Other key information from the past weeks
Transparency in the online advertising market, dark patterns, and “cookie fatigue” are all topics that the European Commission might regulate in the next mandate.
The Court of Justice of the European Union (CJEU) decided that Google must remove inaccurate information from an online search if users can prove it wrong.
The UK data protection authority (ICO) launched a new direct marketing hub containing, among others, guidance and resources on direct marketing and a step-by-step guide specifically for small and medium businesses.