The Spanish Data Protection Authority (AEPD) has issued an updated version of its guide on the use of cookies to reflect the Guidelines on deceptive design patterns issued by the EDPB in February 2023. Read here → (in Spanish)
The EPDB held their 82nd EDPB meeting, wherein the focus of the EDPB Members was on the EU-U.S. Data Privacy Framework (DPF). An update on the adequate level of protection of personal data under the EU-U.S. DPF was made, together with an information note on data transfers under the GDPR to the United States after the adoption of the Adequacy Decision. Access here →
With the aim of offering alternatives to third-party cookie use, Google’s “Privacy Sandbox” has now come under the review of the French data protection authority, CNIL, which has published some recommendations and considerations in particular to publishers. CNIL noted that the basic purpose and use cases for the sandbox will be available to all parties in the third quarter of 2023 once third-party cookies are deprecated. Read here → (in French)
The Italian Garante has published its 2022 activity report, which indicates that there has been an increase in the number of inspections, totaling to 140 inspections and tripling the 2021 figures. The report noted that 442 collective measures had been adopted and 9,218 complaints had been responded to. 81 opinions on regulatory and administrative acts had been issued, together with 317 corrective actions in terms of article 58(2) of the GDPR. The total amount of collected penalties amounted to approximately €9.5 million. Press release here → (in Italian)
The Danish data protection authority (Datatilsynet) has expanded its guidance on the right to erasure in terms of Article 17(1) of the GDPR in relation to search engines. The Datatilsynet receives several inquiries on this matter from citizens who are unsure whether they have the right to request the deletion of their information from search engines, and more importantly how such right can be exercised. Press release here → (in Danish)
2) Notable Case Law
The Norwegian Data Protection Authority, Datatilsynet, has invoked the urgent procedure mechanism and issued a temporary ban effective from August 4, 2023 until October 2023 prohibiting “Meta from adapting advertising based on monitoring and profiling of users in Norway,” unless Norwegian users have validly consented to behavior-based advertising on Facebook and Instagram services. Failure to comply with the ban may subject Meta to a compulsory fine of up to NOK one million per day. Press release here → (in Norwegian)
The cookie paywall model, which is commonly adopted by news sites, was once again declared unlawful, this time by the Data Protection Authority of Lower Saxony (LfD), unless the consent banner properly informed users prior to granting their consent and also gave easily accessible options to revoke consent. Read about the decision here → (in German)
Further to a user’s complaint, the Italian data protection authority, Garante, has given the company MG Freesites Ltd. twenty days within which to clarify its tracking systems as well as user profiling. The Authority’s summary can be found here → (in Italian)
3) New and Upcoming Legislation
US law updates:
Colorado: The Colorado Attorney general has launched the enforcement of the Colorado Privacy Act by notifying businesses that the Colorado Department of Law will begin enforcing the Act, which went into effect on 1 July. The Attorney General directed businesses to educational resources to assist with compliance. Full story here →
Rhode Island: Senate Bill 5684 which amends the Criminal Offenses – Identity Theft Protection Act of 2015 has entered into effect.
4) Strong Impact Tech
Further to delay over GDPR compliance issues, Google’s Bard has launched within the EU. The generative artificial intelligence platform will require Google to submit a report to the Irish Data Protection Commission within 3 months from its launch. Google’s Product Director said that “discussions with data protection authorities resulted in a focus on transparency around data use and giving users a choice over Google’s use of their information.” Reported here →
Pursuant to a Microsoft Outlook flaw, 26 countries have allegedly been hit by the Chinese hacking group Storm-0558. GovInfoSecurity has reported that the Chinese hackers have reportedly accessed and stolen emails from both U.S. government agencies and around 25 European Governments. Read here →
Other key information from the past weeks
The European Commission adopted its adequacy decision on the EU-US Data Privacy Framework (DPF) on July 10, 2023.
The European Commission has proposed the introduction of the GDPR Procedural Regulation, which, if adopted, will support the enforcement of the GDPR in cross-border cases.
Further to release in the US, UK and several other countries, Meta has delayed the release of Threads within the European Union (EU) further to uncertainty over personal data use.
