The Portuguese National Data Protection Commission (Comissão Nacional de Proteção de Dados, CNPD), has published guidelines on organizational and security measures. These guidelines are applicable to the processing of personal data, in terms of Article 32 of GDPR (security of processing) to ensure that a level of security appropriate to the risk level is reached. Read here → (in Portuguese)
Italy’s Data Protection Authority “Garante” published guidelines on the interpretation and application of the so-called “Transparency Decree” (Legislative Decree No. 104 of 27.06.2022) in relation to data protection and enforcement concerning transparent and predictable working conditions. Access here →
The ICO held data protection day on 28.01.2023 and in anticipation offered SMEs across the UK advice through its dedicated SME hub. This advice reflects the completion of a pilot program named SME Data Essentials, carried out by the ICO with 60 UK SMEs. The pilot forms part of ICO25, which is the ICO’s three-year strategic plan to assist UK businesses in the management of their data compliance. Official report here →
The Saudi Arabian Data and Artificial Intelligence Authority opened a public consultation for its Secondary Data Use Guidelines. The objective of this consultation is to establish “the legal framework for sharing data for research, development, and innovation purposes” within the transport and communications sector. The consultation period runs until 09.02.2023. Access the guidelines here →
2) Notable Case Law
Location data has been confirmed as personal data by the Spanish Courts, in a case brought forward by NOYB against the Spanish AEPD concerning location data held by the telecommunications provider Virgin telco, on its customers. Read about the decision here →
Finnish SA imposed an administrative fine of the 750,000 euros on the collection agency, Alektum Oy, for data protection violations and failure to respond to requests to exercise the data subject’s rights. Alektum Oy was also reprimanded. The Authority’s summary can be found here →
3) New and Upcoming Legislation
By addressing topics like scope, trade secrets, business-to-government (B2G) data access, international transfers, and compensation, The Swedish presidency of the EU Council proposed a new compromise on the Data Act. Reported here →
The implementation of the “Digital Services Act (DSA),” which comes into force at the beginning of 2024, is being prepared by the EU Commission for national authorities. The DSA’s governance architecture, the selection of huge online platforms, and an information-sharing system were all topics covered in a presentation made by the EU executive to state authorities. Read about it here →
The EU Health Council has agreed on amendments concerning secondary use of data in the EU health data space. Access the amendments here →
Privacy reform is on the agenda in Ukraine and there are currently talks of a GDPR-like privacy regulation in the pipeline, further to the Privacy Bill which was submitted in October 2022. If adopted, the Privacy Bill would come into effect on 01.01.2024. Reported here →
US Law Updates
Vermont:House Bill 121 (“H 121”) for an act relating to enhancing consumer privacy was introduced on 26.01.2023 and referred to the Commerce and Economic Development Committee. In particular, H 121 would establish amongst others: General requirements for the collection and use of data, a new Data Broker Security Breach Notice Act and protection for the processing of biometric data.
Washington:House Bill 1616, the Washington People’s Privacy Act, was reintroduced and referred to the House Committee on Civil Rights and Judiciary. The opt-in bill is modelled after Brazil’s General Data Protection Law and carries a private right of action.
4) Strong Impact Tech
Dutch officials have been told not to use the TikTok app since the Chinese-owned video-sharing platform poses privacy risks. The Netherlands wants the Chinese app to clean up its act on data protection before government services can use it. Reported here →
GoTo, the parent company of password management service LastPass, has confirmed that hackers stole some customers’ encrypted data backups during a security breach last November. Access the story here →
In response to worries that EU legislation is not adequately shielding the creative industries from quickly evolving generative AI technologies like ChatGPT, artist groups are organizing a drive for legal amendments. Read about this on our blog →
Other key information from the past weeks
CNIL has initiated a public consultation on the economics of data collecting in mobile applications.
The AI Act is a proposed European law on Artificial Intelligence. The regulations will apply to any AI system within the European Union.
Twitter is being closely scrutinized by the European Commission in an effort to ensure its compliance with data protection rules.
