The Norwegian Data Protection Authority (Datatilsynet) announced that Meta will introduce a new alternative to the “consent or pay” model. Users will be able to access Instagram and Facebook without paying a fee and will see ads based on the collection of less personal data. Read here →(in Norwegian)
The Hamburg Commissioner for Data Protection and Freedom of Information highlighted key rulings on the right to be forgotten under GDPR. These include a 20-year limit on public register entries, requirements for legitimate interest in third-party access after this period, and specific notice for search engines to remove content. Access here →(in German)
The Danish Digital Agency published a white paper on “Responsible use of AI assistants in the public and private sector“. The paper provides a framework for the development, implementation and use of AI in Denmark, in line with the EU AI Act and the GDPR. Access the paper here →
The Dutch Data Protection Authority (AP) and the UK Information Commissioner’s Office (ICO) signed a Memorandum of Understanding, to strengthen collaboration on personal data protection laws. Read more here →
2) Notable Case Law
The Spanish Data Protection Authority (AEPD) fined SEAT SA €12,000 for installing non-technical cookies without users’ consent. The company’s website placed cookies on the users’ devices even after they withdrew their consent. Access the Authority’s decision here (in Spanish) →
The Polish Supreme Administrative Court upheld the fine of PLN 201,599.50 (approximately €46,000) imposed on ClickOuickNow by the Data Protection Authority, UODO. The company made it difficult to withdraw consent for processing personal data by using complicated technical solutions. Read the press release here (in Polish) →
3) New and Upcoming Legislation
California – The California Privacy Protection Agency adopted new regulations for Data Broker Registration. The regulations also update the California Consumer Privacy Act and establish new requirements for businesses – such as cybersecurity audits and risk assessments – and enhance consumer rights to access and opt out of the use of automated decision-making technologies. Read the press release here →
4) Strong Impact Tech
The UK Information Commissioner’s Office (ICO) issued recommendations for developers and providers of AI recruitment tools following an audit that identified concerns about fairness, excessive data collection, and indefinite retention of personal data. Access the press release →
The OECD released a report titled “Assessing potential future artificial intelligence risks, benefits and policy imperatives“, which highlights AI’s potential to improve information flow, transparency, and services in healthcare and education. However, it also warns of risks such as cyber threats, misinformation, safety issues, privacy breaches, and governance challenges. Read it here →
Other key information from the past weeks
The Spanish DPA fined the bank Santander Consumer Finance €50,000 for not complying with the right to object under the GDPR. Read more →(in Spanish)
The Italian Garante announced the creation of a task force to ensure the protection of databases. Press release → (in Italian)
The Irish Data Protection Commissioner fined LinkedIn Ireland Unlimited Company €310 million for GDPR violations. Read here →