LEGAL BRIEFING: DATA, PRIVACY & CYBERSECURITY - MARCH, APRIL & MAY HIGHLIGHTS

Here are the highlights that you may have missed in March, April and May.

It's been a bit busy at work, so I was unable to post in March and April. I have posted the key highlights from those months.

On...

04 March

The Supreme Court of Spain published a decision in Case STS 1401/2024 regarding the right to request the erasure of partially inaccurate data of a deceased person. The Supreme Court held that certain data subject rights can be claimed by the relatives and heirs of the deceased data subject. However, the general rules regarding the right to be forgotten, as prescribed under Article 17 GDPR, continue to apply, meaning the right is not absolute and must be balanced against other fundamental rights, such as freedom of expression and information, and freedom of scientific and technical creation and production.

26 March

The German Health Data Use Act is in effect. This Act is intended to make health data accessible for research and set up a decentralized health data infrastructure with a central data access and coordination point for the use of health data.

28 March

Singapore’s PDPC published Advisory Guidelines on Children's Personal Data.

04 April

  • The ICO signed a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement to cooperate in cross-border data protection and privacy enforcement. The Agreement supplements the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules, which facilitate cooperation and assistance in privacy and data security investigations among APEC's Asia-Pacific countries. Canada (9 April), the Dubai International Financial Centre (18 April) and Taiwan (9 May) also joined.
  • South Korea’s Personal Information Protection Commission published guidelines for overseas businesses on the application standards and requirements for compliance with the Personal Information Protection Act, focusing on matters that overseas businesses must adhere to for the protection of the personal information of South Korean citizens.

10 April

The European Parliament announced that it adopted its negotiating position on the additional procedural rules relating to the enforcement of the GDPR.

11 April

  • The CJEU published its decision in Case C-741/21, clarifying the right to compensation for non-material damage. In particular, Article 82(1) GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute 'non-material damage' within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person. The CJEU confirmed that three cumulative conditions must be met:

1. the existence of 'damage' which has been 'suffered';

2. the existence of an infringement of the GDPR; and

3. a causal link between that damage and that infringement.

  • The CJEU published the Advocate General's Opinion in Case C-768/21 on the obligation of supervisory authorities to act on the discovery of a data breach. The AG noted that a DPA must act when it discovers a personal data breach in the course of investigating a complaint, but its actions must be appropriate, necessary, and proportionate to the situation, and DPAs may waive measures where justified by the specific circumstances of the case (e.g. where the data controller has already taken certain measures).

17 April

  • Latvia’s Data State Inspectorate published a guide for employers on personal data processing considerations during the recruitment stage.
  • The EDPB published its opinion on 'consent or pay' models, in response to the Norwegian, Dutch, and Hamburg data protection authorities' request for an opinion. In the opinion, the EDPB states that it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users with a binary choice between consenting to the processing of personal data for behavioral advertising purposes and paying a fee. Alternatively, large online platforms should consider providing individuals with an 'equivalent alternative' that does not entail the payment of a fee, advocating for a free alternative without behavioral advertising (e.g., with a form of advertising involving the processing of less or no personal data).

18 April

  • The National Cyber Security Centre published the latest version of its Cyber Assessment Framework, which provides a systematic approach to assessing the extent to which cyber risks to essential functions are being managed by an organization.
  • South Korea’s Personal Information Protection Commission published a guide for Personal Information Impact Assessments. The guide contains details regarding evaluation items, including how the evaluation system has changed and standards for measuring personal information safety.

22 April

  • The EDPB published a reply to the ICO’s letter on sharing information on the passage of the Data Protection and Digital Information Bill as it enters the latter stages of consideration by the UK Parliament.
  • The Digital Regulation Cooperation Forum launched the AI and Digital Hub pilot. The Hub aims to support innovators working on AI or digital products by providing informal advice on complex regulatory questions.
  • The Bermuda Office of the Privacy Commissioner published a blog outlining the conditions under which organisations may use personal information according to the Personal Information Protection Act 2016. These are (1) consent; (2) a reasonable person would not expect that an individual would object, and there is no prejudice to the individual's rights; (3) needs information to fulfil a contract; (4) a legal requirement to collect and/or use the information; (5) the information is publicly available and will be used for the same purpose that it was made public; (6) the use of the personal information is necessary to respond to an emergency; and (7) the use of the personal information is necessary for the context of employment.

24 April

  • The European Data Protection Board published Rules of Procedure for the 'Informal Panel of EU DPAs' under the EU-US Data Privacy Framework. In particular, the EDPB highlighted that the panel provides binding advice to US organizations following unresolved Framework complaints from individuals about the handling of personal information that has been transferred from the EU. The panel will provide advice within 60 days of receiving an unresolved complaint from an individual or a referral from the organization concerned. In cases of non-compliance with the panel's advice, the panel will refer such cases to the U.S. Department of Commerce, which may remove organizations from the DPF list, or for possible enforcement by the FTC or U.S. Department of Trade.

25 April

  • The Court of Justice of the European Union published the Advocate General's Opinion in Case C-21/23 on the interpretation of provisions of the GDPR regarding remedies and 'data concerning health.' The AG concluded that the data of the customers of a pharmacist, which are transmitted when an order is placed on an online sales platform for pharmacy-only but non-prescription medicines, do not constitute 'data concerning health' within the meaning of Article 4(15) and Article 9 of the GDPR.
  • The Court of Justice of the European Union published the Advocate General's Opinion in Case C-446/21 regarding the use of public statements for personalized marketing purposes. The Advocate General proposed that the CJEU rule that the GDPR precludes the processing of personal data for the purposes of targeted advertising without restriction as to time. In this regard, national courts must assess, based on the principle of proportionality, the extent to which the data retention period and the amount of data processed are justified having regard to the legitimate aim of processing for the purposes of personalized advertising. Moreover, the Advocate General noted that the fact that Schrems made a statement concerning his sexual orientation during a public panel discussion may constitute making that data manifestly public but this does not permit the processing of such data for the purposes of personalized advertising.

26 April

The Brazilian data protection authority published Resolution CD/ANPD No. 15 of April 24, 2024, which approved the Data Breach Notification Regulation. The Regulation further provides that a data breach may represent a significant risk or damage to individuals when it (a) significantly affects the interests and fundamental rights of data subjects and (b) includes the processing of (i) sensitive data; (ii) minors' or elderly persons' personal data; (iii) financial data; (iv) authentication data; (v) data protected by legal, judicial, or professional secrecy; or (vi) large-scale data. The Regulation also notes that controllers are obligated to notify the ANPD of data breaches that may lead to significant risk or damage to data subjects. The ANPD must be notified of data breaches within three working days from the moment the data controller becomes aware of the data breach, except as otherwise provided by law. The deadline is doubled for small processing agents.

29 April

  • South Korea’s PIPC published a manual on personal information leaks.
  • The National Cyber Security Centre published a blog on the Product Security and Telecommunications Infrastructure Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. The Act requires manufacturers to ensure that all smart devices meet basic cybersecurity requirements, including (1) not supplying devices that use default passwords, which can be easily discovered online and shared; (2) providing a point of contact for the reporting of security issues which, if ignored, could make devices exploitable by cybercriminals; and (3) stating the minimum length of time for which the device will receive important security updates.

30 April

  • The European Commission announced that it launched two whistleblower tools for the Digital Services Act and the Digital Markets Act. The tools allow individuals to provide, without fear of reprisals, information to identify and uncover harmful practices of online platforms.
  • South Korea’s PIPC published guidelines for writing personal information processing policies. The PIPC states that overseas businesses subject to PIPA must establish and disclose a personal information processing policy and refer to these guidelines.
  • The ICO published its strategic approach to AI regulation. The ICO explained that its approach sets out how it will implement the principles set out in the Government's AI Regulation White Paper, which emphasizes a risk-based approach to the use of AI.

02 May

The House of Lords' Communications and Digital Committee published the Government's response to the Committee's report on large language models and generative AI. The response largely agrees with the report's recommendations for balancing the opportunities and risks of AI.

04 May

The ICO launched a privacy notice tool to help sole traders, start-ups, charities, and small-medium enterprises create privacy notices, replacing its privacy notice template.

07 May

  • The AEPD published a Guidance on processing incorporating WiFi tracking technology. The guidelines analyze both technically and legally the implications of the use of WiFi tracking, identify the main associated risks, and offer specific recommendations for responsible use, compatible with data protection regulations.
  • Latvia’s Data State Inspectorate published a guide on processing personal data to assess creditworthiness and discussed the associated data subject rights.

09 May

  • Taiwan’s National Communication Commission announced that it joined the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE).
  • The UK National Cyber Security Centre published a blog post on ransomware attacks, detailing the tactics used by cybercriminals as well as the emerging trend of data theft and extortion.
  • The Ukraine Parliamentary Commissioner for Human Rights published clarifications for data controllers on their obligations.

10 May

The ICO published its 'Learning from the mistakes of others' report which analyses the data breach reports the ICO has received and provides advice on how organizations can manage common cybersecurity failures.

13 May

The ICO launched the fourth chapter of its consultation series on generative AI. The fourth chapter focuses on data subject rights, particularly in relation to the training and fine-tuning of generative AI.

14 May

  • The AEPD published an updated guide on the use of cookies to align it with Opinion 08/2024 on valid consent in the context of consent or pay models implemented by large online platforms issued by the EDPB in April 2024.
  • The CNIL published guidance on the provision of public internet access. CNIL stated that organizations providing public internet access are subject to legal obligations regarding the retention of traffic data.
  • The CNIL published guidance regarding the collection of paralympic athletes' sensitive data. The CNIL highlighted that the collection of health data, including any information on disability, is considered sensitive data under Article 9(1) GDPR.

15 May

The Department for Science, Innovation and Technology launched a public consultation on two voluntary codes of practice, one on AI cybersecurity and another on software cybersecurity.

16 May

  • The Office of the Privacy Commissioner of New Zealand published guidance on the 72-hour timeframe within which companies are to report a serious privacy breach once they become aware of it.
  • The CNIL published a questionnaire as part of its public consultation on the development of new standards for the processing of health data.

17 May

The EDPB published its Data Protection Guide for small businesses in French and German.

20 May

The UK National Cyber Security Centre announced that it had published guidance on business email compromise attacks. The guidance provides actions that organizations can take to reduce the likelihood of being affected by BEC, and details steps an organization can take if it thinks it has already been compromised, including (1) reducing the digital footprint of senior staff and executives; (2) helping staff and users to identify and detect phishing emails; (3) implementing two-step verification for accounts; and (4) applying the principle of least privilege.

23 May

The AEPD launched a new version of its Manage GDPR tool, which helps to manage the records of personal data processing activities, evaluate and manage risks through a catalog of privacy measures, and, if necessary, assist in carrying out DPIAs.

24 May

The European Data Protection Board announced that it adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports, following a request from the French data protection authority.

27 May

  • The Danish data protection authority published guidance on the requirements for notification to data subjects following a data breach.
  • The EDPB published Statement 2/2024 on the financial data access and payments package, as adopted on May 23, 2024.
  • Latvia’s Data State Inspectorate published a guide to remind organizations of the necessary actions to be taken after a DPO has been appointed as the point of contact between the organization, the DVI, and data subjects.

30 May

The CJEU published the Advocate General's opinion in Case C-200/23 regarding the right to the erasure of personal data. The AG outlined that Articles 17 and 23(1) of the GDPR must be interpreted as precluding national legislation or a national practice that makes the right of a natural person to obtain, from the authority responsible for keeping the commercial register of a Member State, the erasure of the personal data concerning them in acts made available to the public in such register.

I hope you found this useful. Catch you soon with more legal updates.

More articles by Salvatore A. Anania