
DPO Newsletter: Data Protection & Privacy News (issue #106)

DPO Newsletter: Global Data Protection & Privacy News

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

  • Following the 101 Task Force set up as a result of the CJEU Schrems II judgement and the 101 complaints filed by the NGO noyb regarding the “Google Analytics and Facebook Business Tools on websites, and the subsequent processing of personal data transfers to the U.S.”, EU Data Protection Authorities have issued a report which highlights the common position reached by the respective supervisory authorities. Read here →
  • The EDPB has adopted a final version of the guidelines on Data Subjects’ Right of Access, which analyze and provide clarification on the right of access in terms of Article 15 of the GDPR and Article 8 of the EU Charter of Fundamental Rights. Access here →
  • The Irish Data Protection Commission (DPC) has published a guidance note to better assist controllers in complying with Article 30 of the GDPR and maintaining well-drafted Records of Processing Activities (RoPA). Read here →
  • The Agencia Española de Protección de Datos (AEPD) has released a list of several public administration offices that have been sanctioned for failure to comply with the GDPR. The AEPD noted that not only were citizens’ rights not upheld in certain instances, but in some cases the relevant offices also failed to comply with the AEPD’s information requests or to appoint a data protection officer. Access here → (in Spanish)

2) Notable Case Law

  • Further to a complaint filed by an individual, the Agencia Española de Protección de Datos (AEPD) fined Vodafone España, S.A.U. the sum of 140,000 euros, subsequently reduced to 112,000 euros pursuant to a reduction for voluntary payment, for violating Article 6(1) of the GDPR. Read about the decision here → (in Spanish)
  • The Federal Canadian Court did not uphold the Federal Privacy Commissioner’s “attempt to enforce its 2019 finding that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by having inadequate data privacy safeguards over how third-party apps played with the data of Facebook users,” which data landed in the hands of Cambridge Analytica.

    In a landmark judgment (which is subject to appeal by the Federal Privacy Commissioner), the judge’s two-part ruling turned on two main points. Firstly, the Commissioner’s evidence was not satisfactory in proving that Facebook had not obtained adequate consent for sharing user data with third-party apps. Secondly, whilst Facebook had an obligation towards users’ data, that obligation shifted to the creators of the third-party apps once the user had agreed to partake in that app.

    The Commissioner pointed out that PIPEDA deems that “an organization is responsible for information in its possession or custody, including information that is transferred to a third party for processing.” However, the judge concluded that PIPEDA “does not impose a responsibility over information disclosed in all instances.”

3) New and Upcoming Legislation

  • The Internal Market and Consumer Protection Committee (IMCO) and the Civil Liberties, Justice and Home Affairs Committee (LIBE) voted on the draft report on the Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonized Rules on Artificial Intelligence (AI Act). Reported here →
  • The European Commission has adopted a proposal for the EU Cyber Solidarity Act with the aim to “better detect, prepare for and respond to significant or large-scale cybersecurity incidents.” Read here →
  • Some UK MPs are criticizing the Data Protection and Digital Information (No. 2) Bill, warning it could hamper data transfer flows to the EU, but the UK government has called for written evidence from people with expertise or a special interest in the Bill to submit their views to the House of Commons Public Bill Committee. Access here →
  • Argentina’s Agencia de Acceso a la Información Pública (AAIP) has approved the amending Protocol to the Convention 108+, becoming the 23rd country to do so. Reported here →

US Law Updates:

  • The Online Privacy Act (OPA) has been refiled by U.S. Representatives Anna Eshoo and Zoe Lofgren. The proposed act:
    • includes user data rights,
    • requires limitations and obligations on data practices,
    • establishes a data protection authority,
    • includes a legislative floor that allows state legislatures to go beyond OPA provisions as they see fit.
  • Florida Representative Kathy Castor reintroduced the “Protecting the Information of our Vulnerable Children and Youth Act,” also called the “Kids PRIVACY Act”. Previous versions were already introduced in 2020 and 2021. The bill would serve to restrict online companies from collecting teens’ data for the purposes of behavioral targeting.
  • Tennessee: House Bill 1181 in relation to the Information Protection Act has passed the Senate
  • Florida: House Bill 591 relating to social media protection for minors has passed Committee and been added to the Special Order Calendar
  • California: Senate Bill 845 for the protection of minors on social media, entitled the Let Parents Choose Protection Act of 2023, was read for a second time and amended
  • Indiana: Senate Bill 5 on consumer data protection was signed by the presiding officer of the State Senate
  • Montana: Senate Bill 384 establishing the consumer privacy act has been sent to the Governor for signature

4) Strong Impact Tech

  • In an effort to ensure that the risk management requirements contemplated under the Digital Services Act (DSA) are met by “Very Large Online Platforms and Very Large Online Search Engines”, the European Commission has launched the European Center for Algorithmic Transparency (ECAT). Read here →
  • Media Post has reported that Google is presently testing artificial intelligence models to optimize ad targeting without the use of third-party cookies in an effort to find a third-party cookie alternative.

Other key information from the past weeks

  • The Garante’s recent enforcement action against OpenAI in relation to ChatGPT has led the EDPB to launch “a dedicated task force to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.”
  • The Spanish Agencia Española de Protección de Datos (AEPD) has initiated an investigation into ChatGPT’s owner, OpenAI, for a possible breach of data protection regulations.
  • The first state-wide TikTok ban was approved in the unprecedented Senate Bill 419 by the Montana House of Representatives.

