EU/UK Privacy & Cybersecurity News Roundup – Week Of September 18, 2023 – Data Protection

Data privacy case law and legislation is constantly updated in
the United Kingdom and European Union to address key issues. In
order to track the latest developments, we have set out a brief
overview of case law updates, legislation, guidance and news.

Case Law Updates and Fines

• On June 22, 2023, the Hungarian National Authority for Data
  Protection and Freedom of Information (NAIH) issued its decision in
  Case No. NAIH-6427-1/2023, in which it fined Digi
  Telecommunications and Services Ltd HUF 80 million (approx.
  $223,104), for violations of the General Data Protection Regulation
  (GDPR), following an audit in connection with a reported data
  breach. You can download the decision, only available in
  Hungarian, here.

• On June 23, 2023 the Hungarian National Authority for Data
  Protection and Freedom of Information (NAIH) issued its decision in
  Case No. NAIH-6364-1/2023, in which it fined Budapest Public
  Utilities Ltd HUF 16 million (approx. $44,630), for violations of
  the General Data Protection Regulation (GDPR), following a public
  interest notification. You can download the decision, only
  available in Hungarian, here.

• On September 7, 2023, the Court of Justice of the European
  Union (CJEU) issued a press release on its judgment in
  Case C-162/22 A.G. v Lietuvos Respublikos
  generalinė prokuratūra, further to a reference for a
  preliminary ruling from the Supreme Administrative Court of
  Lithuania. You can read the press release here and the ruling here.

• On September 7, 2023, Interactive Advertising Bureau (IAB)
  Europe announced that the Belgian Market Court had rendered an
  interim ruling and suspended its assessment of the Belgian Data
  Protection Authority’s (Belgian DPA) validation decision in
  relation to the Transparency & Consent Framework (TCF), pending
  the Court of Justice of the European Union’s (CJEU) preliminary
  ruling. You can read the press release here.

• On September 11, 2023, the Italian data protection authority
  (Garante) announced, in its newsletter, its decision No. 322, as
  issued on July 18, 2023, in which it imposed a fine of €40,000
  on Compara Facile S.r.l., for violations of the General Data
  Protection Regulation (GDPR) and the Personal Data Protection Code,
  Containing Provisions to Adapt the National Legislation to the GDPR
  (the Code), following a complaint by an individual. You can read
  the decision here and the newsletter 
  here, both only available in Italian.

• On September 11, 2023, the Finnish Office of the Data
  Protection Ombudsman (the Ombudsman) published its Decision in Case
  No. 8422/161/2021, as issued on July 6, 2023, in which its
  Sanctions Board imposed a fine of €23,000 on Suomen
  Yritysrekisteri Oy for violations of the General Data Protection
  Regulation (GDPR), following several complaints. You can read the
  press release here and the decision here, both only available in Finnish.

• On September 12, 2023, the Spanish data protection authority
  (AEPD) published its decision in Proceeding No. PS-00456-2023, in
  which it imposed fines for a total of €70,000 on Banco Bilbao
  Vizcaya Argentaria, S.A. (BBVA) for violations of the General Data
  Protection Regulation (GDPR), following a complaint submitted by an
  individual. You can read the decision, only available in
  Spanish, here.

• On September 13, 2023 the Croatian Personal Data Protection
  Agency (AZOP) announced that it had imposed an administrative fine
  of €25,000 on Zagrebački holding d.o.o., for violations
  of the General Data Protection Regulation (GDPR), following a
  complaint from an individual. You can read the decision, only
  available in Croatian, here.

Legislation

• On September 11, 2023, the UKs Department for Science,
  Innovation, and Technology (DSIT) published draft amendments (the
  Amendments) to the UK General Data Protection Regulation (UK GDPR)
  and Data Protection Act 2018 (DPA 2018), as well as an Explanatory
  memorandum on the Amendments. You can read the announcement here, the Amendments here, the Explanatory memorandum here, and track the Amendments’
  progress here.

Guidance & Draft Guidance

• On September 6, 2023, the German Data Protection Conference
  (DSK) published its opinion on the draft law amending the Federal
  Data Protection Act, published on August 29, 2023, by the German
  Federal Ministry of Interior, Building, and Community (BMI). You
  can read the opinion here and the draft law here, both only available in German.

• On September 7, 2023, the United Nations Education, Scientific
  and Cultural Organization (UNESCO) published Guidance for
  generative AI in education and research. You can read the press
  release here and download the Guidance here.

• On September 7, 2023, Czechia’s National Office for Cyber
  and Information Security (NÚKIB) published a guide for
  supplier management in relation to cybersecurity risk assessment.
  You can read the press release here and the guide 
  here, both only available in Czech.

• On September 7, 2023, Israel’s Privacy Protection Authority
  (PPA) announced that it is seeking public comments on the draft
  guideline on the role of the board of directors in fulfilling the
  company’s obligations under the Protection of Privacy
  Regulations (Data Security) (the Regulations). You can read the
  press release here and the draft guidelines here, both only available in Hebrew.

• On September 13, 2023, the UK’s Information
  Commissioner’s Office (ICO) announced via LinkedIn that it has
  published its Smart Data Foundry Regulatory Sandbox Final Report.
  You can read the LinkedIn post here and the report here.

Data Protection Authority Updates and Privacy News

• On September 4, 2023, Germany’s Thuringian data protection
  authority (TLfDI) published its opinion on the German Data
  Protection Conference’s (DSK) application instructions on the
  European Commission’s adequacy decision for the EU-US Data
  Privacy Framework (DPF). You can read the press release, only
  available in German, here.

• On September 6, 2023, the European Data Protection Supervisor
  (EDPS) issued its opinion on the European Commission’s Proposal
  for a Regulation on European Statistics, which aims at making the
  legal framework governing European statistics fit for the future
  and improving the responsiveness of the European Statistical System
  to data needs. You can read the opinion here.

• On September 7, 2023, the Swedish data protection authority
  (IMY) published its Decision No. IMY-2022-6945, as issued on the
  same date, in which it determined the requirements that bodies
  tasked with monitoring compliance with codes of conduct must meet
  in order to be accredited under Article 41(2) of the General Data
  Protection Regulation (GDPR). You can read the press
  release here and the decision here, both only available in Swedish.

• On September 7, 2023, the Council of Europe (CoE) announced
  that the President of the Swiss Confederation had transmitted the
  instrument of ratification of the Protocol of Amendment to the
  Convention for the Protection of Individuals with regard to
  Automatic Processing of Personal Data ( Convention 108+). You can
  read the press release here and access Convention 108+ here.

• On September 7, 2023, Israel’s Privacy Protection Authority
  (PPA) announced that it is seeking public comments on the draft
  guideline on the role of the board of directors in fulfilling the
  company’s obligations under the Protection of Privacy
  Regulations (Data Security) (the Regulations). You can read the
  press release here and the draft guidelines here, both only available in Hebrew.

• On September 7, 2023, Türkiye’s Personal Data
  Protection Authority (KVKK) announced a data breach that occurred
  within Hotiç Ayakkabı San. ve Tic. A.Ş.. You can
  read the press release, only available in Turkish, here.

• On September 7, 2023, the UK’s Information
  Commissioner’s Office (ICO) issued a statement in response to a
  report by Which? alleging that smart devices were harvesting
  consumers’ personal data. You can read the statement here.

• On September 8, 2023, the UK’s Information
  Commissioner’s Office (ICO) announced on LinkedIn that it had
  published a summary of its data protection audit report of the
  Police Service of Northern Ireland (PSNI), which the ICO conducted
  in May 2023. You can read the statement here and the audit summary here.

• On September 11, 2023, the Spanish data protection authority
  (AEPD) released a blog post providing insights into the realm of
  digital currencies, focusing on cryptocurrencies and Central Bank
  Digital Currencies (CBDCs). You can read the blog post, only
  available in Spanish, here.

• On September 11, 2023, the Irish Data Protection Commission
  (DPC) announced the outcome of the prosecution proceedings against
  Chill Insurance Limited, Hidden Hearing Limited, the Multiple
  Sclerosis Society of Ireland, and Vodafone Ireland Limited. You can
  read the press release here.

• On September 11, 2023, the Danish data protection authority
  (Datatilsynet) published, its decision in Case No. 2021-31-5667, as
  issued on March 27, 2023, in which it expressed criticism against
  OrderYOYO A/S, for violations of the General Data Protection
  Regulation (GDPR), following a complaint made to the Datatilsynet.
  You can read the press release here and the decision here, both only available in Danish.

• On September 12, 2023, the UK’s Information
  Commissioner’s Office (ICO) announced that it had signed a
  Memorandum of Understanding (MoU) with the National Cyber Security
  Centre (NCSC) on the development of cybersecurity standards and
  guidance to improve the cybersecurity of organizations. You can
  read the press release here.

• On September 12, 2023, the Dutch Consumers Association (the
  Consumentenbond) and the Data Privacy Foundation (the Data Privacy
  Stichting) announced that they had filed a court case against
  Google LLC., for violation of user privacy rights. You can read the
  press release here and the mass claim here, both only available in Dutch.

• On September 12, 2023, the Danish data protection authority
  (Datatilsynet) published, its decision in Case No. 2022-31-6316, as
  issued on the same date, in which it expressed criticism against a
  housing association, for violations of the General Data Protection
  Regulation (GDPR), following a complaint made to the Datatilsynet.
  You can read the press release here and the decision here, both only available in Danish.

• On September 13, 2023, the UK’s Information
  Commissioner’s Office (ICO) made an announcement regarding the
  sentencing of Rachel Anderton, a former family intervention officer
  at St Helens Borough Council for unlawfully accessing social
  services records. You can read the press releases here and here.

Other Privacy News

• On September 11, 2023, the UK’s National Cyber Security
  Centre (NCSC) announced that it had published a white paper on
  ransomware, extortion, and the cybercrime ecosystem, in partnership
  with the National Crime Agency (NCA). You can read the press
  release here and the report here.

• On September 11, 2023, Germany’s Federal Office for
  Information Security (BSI) published a draft update to the
  Technical Guideline (TG) TR -03170 on secure digital transmission
  of biometric photographs from service providers to passport, ID
  card, and immigration authorities, requesting comments on the same.
  You can read the announcement here and the draft update here, both only available in German.

• On September 13, 2023, the European Commission published
  President Ursula von der Leyen’s 2023 State of the Union
  address, which discussed, among other things, the challenges and
  opportunities of artificial intelligence (AI). You can read the
  address here.