DWF Data Protection Insights June 2024

16 July 2024
Here is our round-up of the top data protection and cyber security stories for June 2024, together with practical advice on what we're seeing in practice.

This month in review:

This month, the key themes focus on enforcement action taken by EU Data Protection Authorities against organisations for various GDPR infringements. There have also been updates from the European Commission and the European Data Protection Supervisor in the form of guidance and public consultations, particularly regarding the use of AI technologies.

Our trends

Also this month, we've identified some key themes emerging from our work with clients. We thought we'd share these to provoke some thoughts amongst readers, so please do reach out to us for advice or assistance in relation to:

  • Regulatory audits by the ICO – we're continuing to advise our clients through the process. In case you missed it, we shared our invaluable insights into this process at our Breakfast Briefing in May and you can read our summary of the session by clicking here.
  • Data subject access requests (which seem to be here to stay following the Data Protection and Digital Information Bill being dropped) – we're continuing to support our clients with delivery, training, strategy and process in relation to these requests. Ask JP Buckley for more details. 
  • Overseas data transfers – we're advising clients on the rules governing transfers of personal data outside of the UK and the appropriate model clauses. 

Our events and articles

Mastering cyber incident response: Strategies for the modern digital landscape

In this article, our Legal Operations team discuss the importance of having a robust response plan in place to protect organisations from cyber attacks. Click here to read about how our Legal Operations team can use their expertise and cutting-edge technology to support your business needs.

The GDPR application outside of the European Union: websites

DWF's Milan office discuss the recent order from the Italian Data Protection Authority ("DPA") on the application of the GDPR to entities located outside of the EU that offer services to individuals within the EU.

Data Protection & Cyber Security Breakfast Briefings

On 27 June, we hosted our latest Breakfast Briefing session which focused on the operation of ISO standards and how they can be applied to data protection-related enforcements. Click here to read our summary article.

Our next Breakfast Briefing will be held on Thursday 25 July in our London office, where our team will consider some of the recent developments in data protection case law from the Court of Justice of the European Union ("CJEU"). If you are interested in attending this session, please reach out to us at DPCS@dwf.law.

General updates

Poland: Polish DPA provides opinion on the EU judgment on surveillance laws

In the case of Pietrzak, Bychawska-Siniarska and others v Poland, the European Court of Human Rights ("ECtHR") held that the extensive surveillance and retention of personal data, under Polish law, to prevent crime and threats to national security violated individuals' right to a private life. The Polish DPA ("UODO") recognised the Polish Government's commitment to make the legislative changes in light of this judgment. You can read more information (only available in Polish) by clicking here.

Austria: none of your business ("NOYB") files two complaints with Austria's DPA against Microsoft for violating children's privacy

Both complaints relate to the use of Microsoft 365 Education software within school environments. In the first complaint, NOYB alleges that Microsoft has incorrectly deflected its responsibility as a data controller to respond to data subject rights requests under the GDPR on to schools as the users of the Microsoft 365 Education software. As a result, NOYB claims that Microsoft has violated Articles 5(1)(a) and 12 to 15 of the GDPR. The second complaint alleges that Microsoft has been using cookies without an appropriate lawful basis and without sufficient transparency regarding the technologies used.

France: CNIL announces nine enforcement decisions totalling €83,000

The French DPA ("CNIL") has announced that since March 2024, it has imposed fines totalling €83,000 for various GDPR violations. Whilst the enforcement decisions have not been published, the CNIL has revealed that these decisions highlight three key areas of concern: a lack of compliance with the 'data minimisation' principle; unlawful processing of sensitive data; and the inability for users to easily refuse cookies. You can find out more information (only available in French) by clicking here.

Spain: AEPD publishes list of resources for complying with data protection obligations

On June 5, 2024, the Spanish DPA ("AEPD") released a variety of new tools to assist data controllers and processors to comply with the GDPR. Examples of the new resources include: an online questionnaire for low-risk personal data processing; risk management tools (including for the completion of data protection impact assessments); and a tool to help determine whether a breach must be notified to the AEPD. These tools are designed to assist organisations with understanding the risks involved in processing personal data and their obligations under the GDPR. You can find out more information about the new tools (only available in Spanish) by clicking here.

EU: The European Union Agency for Fundamental Rights ("FRA") publishes report on GDPR best practices

Following numerous interviews with the DPAs of the 27 EU Member States, the FRA has published its report, which addresses the challenges faced by DPAs, suggested solutions and best practice recommendations.

France: CNIL provides a recommendation on the health data processing notification procedure

The CNIL has noted some instances (subject to other conditions being met) where formal authorisation is not required prior to processing health data. Some examples are: where explicit consent is obtained; where the processing is necessary to protect the vital interests of a data subject who is incapable of giving consent; or where the processing is necessary for the purposes of various services carried out by a health professional. The CNIL also outlined that new consent or new authorisation may be required where 'substantial modifications' are made to the processing of health data. Click the links to find out more about 'substantial modifications' and the formalities required for processing health data (only available in French).

EU: CJEU publishes judgment on the right to compensation for non-material damages based on fear

In this case, a tax consultancy company had disclosed the tax returns of its clients to third parties in error. The CJEU held that the right to receive compensation under Article 82 of the GDPR is not automatic; there must be evidence that the GDPR infringement caused damage, although the damage does not have to be serious. The CJEU also noted that it is sufficient for the infringement to cause a person to fear that their personal data has been disclosed to third parties, regardless of whether or not it has actually been disclosed.

EU: EC sends preliminary findings to Apple and opens additional non-compliance investigation under the Digital Markets Act ("DMA")

The EC has preliminarily found that Apple's App Store does not comply with the DMA, as app developers are unable to freely inform their customers of alternative, cheaper channels. Apple now has the opportunity to respond to the EC's preliminary findings. The EC has since initiated a new non-compliance investigation against Apple into its new contract terms for app developers, particularly in relation to technology fees, the download and installation process and the eligibility requirements for developers. The EC also commented that alongside this, it will be continuing to investigate Apple’s processes for validating apps and app stores.

EU: EC seeks feedback on draft implementing act under the NIS2 Directive

The EC is seeking feedback on the draft implementing act under the NIS2 Directive, which aims to enhance cybersecurity across various critical sectors such as public electronic communications, digital services and public administration. The feedback period will remain open until 25 July 2024 and the EC plans to adopt the implementing act by 17 October 2024. You can submit your comments here.

Adtech and direct marketing

EU: Marketing sits in a grey zone under EU Artificial Intelligence Act

At the IAPP AI Governance Global 2024 event, a key speaker from the European Parliament highlighted the challenges that the EU Artificial Intelligence Act ("EU AI Act") will bring to the use of AI technology to generate advertising and marketing content, with further clarity not expected until 2026. However, the general view was that most everyday marketing activities would likely remain unaffected when the EU AI Act is implemented.

EU: LinkedIn discontinues targeted advertising based on special category data

Following the EC's Request for Information under the Digital Services Act ("DSA"), LinkedIn has disabled the function that allowed targeted advertising to be sent to users in the EU based on their group membership. The EC has welcomed LinkedIn's proactive step and the DSA's role in effecting unprecedented change.

AI and innovation

EU: Cooperation required for AI legislation's success

At IAPP's AI Governance Global Conference, which was held in Brussels earlier this month, key leaders commented that governance of the EU AI Act is a significant issue, since member states have a say in how AI technology is regulated. It was emphasised that greater cooperation amongst all stakeholders is needed during the Act's enforcement, to ensure clear governance structures are in place. There is also a need to increase awareness of the privacy implications of AI technology, particularly by prioritising investment in safety rather than solely in development. The European Data Protection Supervisor ("EDPS") has also recently released guidance to help inform EU institutions of AI best practices.

EU: EDPS publishes guidance on generative AI

The guidelines are designed to assist EU institutions, bodies, offices and agencies to comply with their data protection obligations when using or developing generative AI technology, including the importance of anticipating the risks and challenges associated with such tools.

France: CNIL asks for feedback on its recommendations on the use and development of AI technology

The CNIL is seeking feedback on seven of the recommendations it made in April 2024 on the development of AI systems. These recommendations concern the use of legitimate interest as a lawful basis, data scraping, the transparency requirement to inform individuals of how their personal data is used, managing data subject rights requests, data annotation and ensuring data security within AI systems. The consultation will remain open for public comments until 1 September 2024. The recommendations (which are only available in French) can be viewed here.

EU: EC seeks feedback on the use of AI technology in the financial sector

The EC has requested feedback on the use of AI technology in the financial sector to gather insights on its use, benefits, barriers and associated risks. The consultation will remain open for public comments until 13 September 2024.

EU: EDPB releases five projects as part of its Support Pool of Experts programme

The EDPB's 'Support Pool of Experts' programme ("Programme") was developed as part of its 2021-2023 Strategy to enhance the enforcement capacity of DPAs by providing access to a wide pool of experts and developing common tools. The five new projects that have been released as part of the Programme are: (1) Standardised Messenger Audit Report; (2) Data Protection Officer Training; (3) AI Auditing; (4) AI Risks; and (5) Report on the use of SPE External Experts.

Cyber, breach and ransomware

International: UK and Canadian regulators launch a joint investigation into the 23andMe Data Breach

The UK ICO and the Privacy Commissioner of Canada ("OPC") have started a joint investigation into the October 2023 data breach at 23andMe. The investigation will focus on the extent of the breach and the potential harm to individuals, the adequacy of 23andMe's data protection measures, and whether 23andMe properly notified regulators and affected individuals in accordance with Canadian and UK laws. This collaboration underscores the regulators' commitment to working together to protect individuals' fundamental right to data protection across jurisdictions.

EU: The EU has strengthened its cooperation and information exchange through signed Memorandum of Understanding

On June 5 2024, the European Union Agency for Cybersecurity announced a multilateral Memorandum of Understanding ("MoU") with the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority. The MoU establishes a framework for (1) co-operation and exchange of information on policies, incident reporting and oversight of critical ICT third-party providers, (2) promoting regulatory convergence; and (3) facilitating cross-sectoral learning, capacity building and sharing information on emerging technologies.

Poland: UODO provides opinion on CJEU judgement on liability for damages

On June 7 2024, the UODO commented on a recent CJEU judgment concerning the interpretation of liability and compensation principles under the GDPR. According to the CJEU, for non-pecuniary damage compensation under Article 82(1) of the GDPR, a violation alone is insufficient; there must also be damage to the data subject, regardless of its severity. The UODO stated that while this judgment does not affect Polish law, it is crucial for interpreting liability for data protection violations. You can find out more information (only available in Polish) by clicking here.

Employment and Data Subject Rights

Belgium: DPA fines a company €172,431 for non-compliance with rights to object and erasure

This case stemmed from a complaint about unsolicited direct marketing and the company's failure to honour the complainant's requests for data erasure and to object to further marketing. The Belgian DPA found that the company violated Articles 5(1)(a), 5(2), 17, 21, and 24 of the GDPR by not respecting these rights and not taking appropriate measures. The DPA also ordered the company to comply with the complainant's requests. You can read the decision (only available in French) by clicking here.

UK: High Court rules that data subjects have right to know identities of recipients of personal data

On June 7, 2024, the High Court ruled in the case of Harrison v Cameron & Another that under the UK GDPR, data subjects have the right to know the specific identities of their personal data recipients, not just the categories. However, this must be balanced against the rights of others who might be affected by such disclosures, especially where there was a realistic threat of those individuals being harassed or otherwise intimidated.

Public sector

UK: ICO published blog on the information commonly requested from public authorities

The ICO has analysed more than 15,000 Freedom of Information Act requests made in 2022 and has identified five common themes among the most frequently requested types of information. The ICO has published a blog which breaks this down across five sectors (Health, Local Government, Education, Central Government and Emergency Services), with the aim of encouraging organisations to engage in proactive disclosure by publishing more information falling within these categories in order to reduce the request caseload.

UK: ICO statement on its public sector approach trial

On 26 June 2024, the ICO announced that it is reviewing its public sector approach following the expiry of the 2-year trial period, which commenced in June 2022. The ICO expects to make a decision later this year but has stated that in the meantime its approach will remain the same.

If you have any questions relating to this article, please reach out to our authors below. 
