The European Data Protection Board (EDPB) adopted “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognize and avoid them” which are now open for public consultation until May 2, 2022. Access the guidelines here →
The EDPB adopted guidelines on Art. 60 GDPR within its “Strategy and Work Programme 2021-2022” to support the effective enforcement and efficient cooperation between national supervisory authorities (SAs). In the same program, the EDPB also adopted a toolbox on essential data protection safeguards for enforcement cooperation between EEA and third-country SAs. Read the guidelines here →
The CNIL published a guide for Data Protection Officers, which provides information and suggestions on the following topics: the role of the DPO, the appointment of the DPO, the performance of its function, and the CNIL’s support for DPOs. The guide can be found here →
The Spanish DPA (AEPD) published guidance on smart contracts in blockchain and personal data in relation to Art. 22 of the GDPR. See the guidance here →
2) Notable Case Law
The Irish Data Protection Authority (DPC) imposed a fine of €17 million on Meta Platforms for the failure of having appropriate technical and security measures in place, thereby infringing specific requirements of the GDPR. The infringements emerged in twelve data breaches notified between June and December 2018. The Authority’s summary can be found here →
The Irish DPA (DPC) has been sued by the Irish Council for Civil Liberties (ICCL) before the High Court for its inaction over Google’s “Real-Time Bidding” online advertising system, which is defined as “the largest data breach ever.” The inaction refers to the failure of the DPC to investigate the security complaint filed against Google in 2018, the year when the GDPR came into force. Reported here →
3) New and Upcoming Legislation
Privacy legislation in the US states:
Iowa – The House of Representatives has approved a bill for An Act relating to consumer data protection. The Bill is expected to enter into force on January 1, 2024, and it does not include provisions on opt-out and private right of action.
Florida – The Bill SB1864 has failed to pass the State Senate and has been withdrawn.
4) Strong Impact Tech
The Federal Trade Commission (FTC) has tried to identify ways to address fraudulent digital data practices. FTC has settled on algorithmic destruction, which could significantly influence IT businesses. Read more here →
Other key information from the past weeks
Wojciech Wiewiórowski, the European Data Protection Supervisor, made a blog post urging more oversight and regulation of the advertising technology space, in particular, targeted advertising which shall be controlled through the principles of transparency and accountability as laid down in the proposed Digital Services Act.
In a letter to the European Commission, the European Data Protection Board (EDPB) issued several recommendations about the Artificial Intelligence Act (AI Act) recently proposed by the EU Commission. It referred to the recent joint opinion adopted on the AI Act with the European Data Protection Supervisor (EDPS).
The UK government has indicated that legislation to create an Office of Digital Identities and Attributes will be introduced. The legislation will establish an accreditation and certification process for businesses to demonstrate that they meet the security and privacy requirements for using digital identities.
