The Belgian Data Protection Authority published a report on data protection in smart cities. The report highlights how the Smart Cities project would process citizens’ personal and sensitive data – such as travel patterns and location – and raises questions about the protection of their privacy.Access the press release here →
The UK Information Commissioner’s Office (ICO) has published a new audit framework to help organizations assess their compliance with key requirements under data protection law.
The European Data Protection Board (EDPB) adopted Guidelines on the processing of personal data based on legitimate interest. In order to rely on legitimate interest, the controller needs to meet three conditions: the controller (or a third party) must have a legitimate reason for processing the data, the data must be necessary to fulfill this interest and the interest should never take precedence over the rights of individuals.
The EDPB also chose the topic for the fourth Coordinated Enforcement Action (CEF): the implementation of the right to erasure by controllers. Data Protection Authorities will join the CEF voluntarily, and the action will be launched at the beginning of 2025. Read more here →
2) Notable Case Law
The Spanish Data Protection Authority (AEPD) has fined the bank Santander Consumer Finance, S.A. €50,000 for not complying with the right to object under the GDPR. The bank failed to fulfill a user’s request, who had previously objected to receiving advertising at his home address. Read about the decision here →(in Spanish)
After five years, the German Federal Cartel Office (Bundeskartellamt) closed its case against Meta. In 2019, Meta was prohibited from combining user data from different sources without consent. The EU Court of Justice confirmed that the competition authority could enforce GDPR rules, leading Meta to take measures such as separating data from different services and improving consent options. Meta withdrew its legal appeal, making the decision final. Access the press release here →
3) New and Upcoming Legislation
European Union: The European Council adopted the Cyber Resilience Act. The Act aims to ensure that products with digital elements – like home cameras, TVs, and toys – are safe before being sold on the market. Read more here →
European Union: On October 9, 2024, the European Commission published the first periodic review of the EU-US Data Privacy Framework (DPF). The review follows the Commission’s request for feedback in August 2024. Download the report here →
4) Strong Impact Tech
The European Commission held a workshop to gather input on protecting minors under the Digital Services Act (DSA). A group of experts discussed a variety of topics – such as cyberbullying, access to age-inappropriate content, and the proliferation of child sexual abuse material – and identified best practices to mitigate risks. The Commission plans to publish draft guidelines for public consultation in early 2025 and adopt them later in the year. Read more here →