The use of cloud-based services by the public sector was the focus of a report on the findings of the European Data Protection Board’s first coordinated enforcement action. The EDPB stresses the importance of full GDPR compliance on the part of public entities and offers guidance for public sector organisations adopting cloud-based goods and services. A summary of the steps data protection authorities (DPAs) have already taken in the area of cloud computing has also been made public.
Additionally, the EDPB adopted a report on the work done by the Cookie Banner Task Force, in which the DPAs agreed on their interpretation of the provisions of the GDPR and the ePrivacy Directive that apply to issues like reject buttons, pre-ticked boxes, banner design, and withdrawal. Read here →
CNIL has initiated a public consultation on the economics of data collection in mobile applications. Access here →
The Danish Data Protection Authority, Datatilsynet, has prepared a guidance text which will aid data controllers, as it clarifies the framework for the storage of personal data. Check out the guidance here →
2) Notable Case Law
WhatsApp Ireland Limited was fined a further 5.5 million euros — adding to the 225 million euro fine levied back in September 2021 — by the Irish Data Protection Commission (DPC) for GDPR breaches, since it forced users to consent to the processing of their data in the Terms of Service. Read about this on our blog →
The Greek Data Protection Authority (HDPA) imposed a fine of 50,000 euros on tech company Intellexa SA for non-cooperation and ordered that specific information be furnished immediately. The Authority’s summary can be found here → (in Greek)
The Region Central Jutland has come under investigation by the Danish Data Protection Authority, Datatilsynet, due to Aarhus University Hospital’s publication of patients’ pictures on their Instagram accounts. Reported here → (in Danish)
3) New and Upcoming Legislation
The AI Act is a proposed European law on Artificial Intelligence. The regulations will apply to any AI system within the European Union. It will apply to “providers, users, importers, and distributors of AI systems and also to non-EU companies that supply AI systems in the EU.” Access here →
US Law Updates
Senate Bill 745 introduced the Massachusetts Data Privacy Protection Act (the Act), which borrows from the U.S. Congress’ proposed American Data Privacy & Protection Act. The Act establishes a private right of action, which would, however, only come into effect 12 months following enactment of the Act.
New York Senate Bill 2277 aims to amend general business law, executive law, state finance law and education law in relation to enacting the Digital Fairness Act, which was referred to the Senate Committee on Internet And Technology.
The New York Biometric Privacy Act was introduced pursuant to Bill 1362, which serves to amend general business law in relation to biometric privacy and was referred to the Committee on Consumer Affairs and Protection.
Hawaii introduced Senate Bill 21, which aims to amend Hawaii’s constitution and introduce the right to own one’s own data.
4) Strong Impact Tech
Twitter is being closely scrutinised by the European Commission in an effort to ensure its compliance with data protection rules. The European Commissioner for Transparency and Democracy has said that “European digital laws need to be respected by everyone” and Twitter’s owner Elon Musk “should not underestimate the Commission’s efforts to make big platforms responsible”. Considering that the Digital Services Act will be enforced this year, “Twitter could face sanctions of up to 6% of its global turnover if it does not comply with the EU rules”. Read more on this story on our blog →
Developers implementing new technologies are being encouraged by the ICO to consider privacy at an early stage, in an effort to maintain public trust and confidence. The Tech Horizons Report, which was published last month, aims to help people understand how new technologies fit in with the UK’s data protection framework. Official press release →
A recent blog by the Deputy Commissioner of Regulatory Supervision of the UK ICO addressed concerns about the use of AI by local authorities. Access the blog here →
Other key information from the past weeks
Following the approval by the Belgian Data Protection Authority of the new action plan, IAB Europe CEO Townsend Feehan said the mandated implementation will come over the next six months.
The US and UK governments announced that an inaugural meeting was attended by four senior government officials and concentrated on the US-UK Comprehensive Dialogue on Technology and Data.
The Swedish Presidency of the Council of the European Union circulated potential compromises for outstanding issues with the proposed Data Act.