2024-W38: New SCCs Will Address Missing Rules, Swedish Bank Penalized for Transferring Customer Data to Meta, €2.4 Fine Against Google and more
Eli Atanasov, CIPP/E, PhD
I help businesses and their DPOs put privacy compliance on autopilot, saving them time and money in the process.
Hi privacy navigators,
Here is the latest from the Privacy Navigator, your one-stop destination for everything privacy. Another week full of news and resources passed by.
In today’s edition:
- 2025 Update: New SCCs Will Address Missing Rules for Cross-Border Data Transfers
- Swedish Bank Penalized €1.3 million for Transferring Customer Data to Meta
- EU Court Upholds €2.4 Billion Fine Against Google for Abusing Market Power
- Belgian DPA Enforces GDPR Compliance on Cookie Banners After noyb Complaints
2025 Update: New SCCs Will Address Missing Rules for Cross-Border Data Transfers
What happened
The European Commission has announced plans to introduce new Standard Contractual Clauses (SCCs) by the second quarter of 2025 to address gaps in the current data transfer regulations under the GDPR.
These new clauses will apply to cases where both the data exporter and the data importer are subject to the GDPR, a scenario not fully covered by the existing SCCs.
Currently, the existing SCCs focus on transferring data from an EU-based entity to a non-EU entity not subject to the GDPR, leaving organizations in a legal gray area when both parties are GDPR-compliant.
This new initiative by the Commission aims to close this gap and provide clearer rules for international data transfers.
Why it matters
The new SCCs will close the existing regulatory gap, ensuring that organizations handling GDPR-regulated data outside the EEA can legally transfer personal data, providing clear compliance guidance and legal certainty for businesses.
Read more here.
PRO TIP OF THE WEEK
Did you know that Privacy Navigator gives you much more than news in your inbox?
Research any topic using the Privacy Navigator in three easy steps:
1. Start an advanced search
Click the advanced search button below the search bar. If you want to make your search quicker you can start typing directly in the search bar.
2. Narrow down your search
For this example, let’s research data protection impact assessments [1]. After briefly browsing the resources, you can narrow them down by keyword [2], or resource type [3]. You can always reset the filters [4].
In this case, let’s show only guidelines.
3. Check the latest DPA decisions
To complete your research, you can find DPA decisions across the EU and the UK by using our Fine Tracker. Simply select the country [1], sector [2], or the type of violation [3]. If you want a broader search, you can skip some of the filters.
The last step is to open the file by clicking “see more” [4].
All the above research tools are completely free. No subscription, no registration.
Swedish Bank Penalized €1.3 million for Transferring Customer Data to Meta
What happened
A Swedish bank has been fined €1.3 million by the Swedish Supervisory Authority (SA) for transferring customer data to Meta (formerly Facebook) due to an error with the Meta Pixel. The pixel was installed on the bank’s website and app to improve marketing efforts.
However, incorrect settings caused a data breach, leading to the unintended transfer of personal information to Meta between November 15, 2019, and June 2, 2021. The transferred data included sensitive information like securities holdings, loan amounts, account numbers, and social security numbers of up to one million customers.
Once the issue was discovered, the bank disabled the Meta Pixel, and Meta confirmed that it deleted the improperly collected data.
Why it matters
This breach underscores the critical need for businesses to ensure proper data security measures, as even small misconfigurations can lead to significant GDPR violations and financial penalties.
Read more here.
EU Court Upholds €2.4 Billion Fine Against Google for Abusing Market Power
What happened
The Court of Justice of the EU has upheld a €2.4 billion fine imposed on Google for abusing its dominant position in the online comparison shopping market.
The European Commission found that Google gave preferential treatment to its own comparison shopping service by prominently displaying its results with images and text, while competing services were shown as simple blue links.
This conduct occurred in 13 EEA countries, where Google’s algorithms demoted the results of rival comparison shopping services, making it harder for them to compete.
Google and its parent company, Alphabet, challenged the decision, but the Court of Justice dismissed their appeal, confirming the fine.
Why it matters
By abusing its dominant position in search results, Google restricted competition, which can harm consumers by limiting their choices and innovation in the market. The ruling reinforces the importance of fair competition in the EU's digital marketplace.
Read more here.
Belgian DPA Enforces GDPR Compliance on Cookie Banners After noyb Complaints
What happened
In a win for noyb, the Belgian Data Protection Authority (DPA) has turned a previous “settlement” into proper legal orders against four major Belgian news websites requiring them to bring their cookie banners into GDPR compliance.
The sites, operated by Mediahuis, must now add a “reject” button to the first layer of their cookie banners and remove misleading color schemes that pushed users to accept cookies. If Mediahuis does not comply within 45 days, it faces a daily fine of €50,000 per site, potentially adding up to €10 million.
This action follows noyb's 2023 complaints, which challenged deceptive cookie banners on 15 Belgian news sites. Initially, the DPA closed the case with a €10,000 settlement, without requiring any changes to the unlawful banners.
However, the DPA has now reversed course and issued enforceable legal orders.
Why it matters
This case marks a victory for GDPR enforcement and warns that deceptive cookie practices will no longer be tolerated. Businesses across the EU must ensure their cookie consent mechanisms are fully transparent and compliant, or risk hefty fines and regulatory action.
Read more here.
That's all for now, see you next week!
Eli
email: eli@conformally.com