The Datatilsynet, Denmark’s data protection authority, has issued a guide on managing access rights. This guide specifically covers the topic of rights management, a concept that involves controlling access to an organization’s IT systems and physical locations, as well as determining the specific information that individual users are allowed to access. Read the press release here → (in Danish)
The Dutch data protection authority, Autoriteit Persoonsgegevens, has released a Privacy guide advising companies on privacy policies and emphasizing transparency in data protection. The guide stresses the importance of demonstrating GDPR compliance and robust data management for building trust in online businesses. Access here → (in Dutch)
2) Notable Case Law
The EU Court of Justice (CJEU) ruled in terms of Article 22 of the General Data Protection Regulation (GDPR) against automated decision-making systems like Germany’s SCHUFA, which uses personal data for scoring creditworthiness. The Court declared such practices illegal if they significantly impact individuals’ lives, especially when these scores play a ‘decisive’ role in decisions by entities like banks. Read about the decision here →
The CJEU determined that administrative fines under the GDPR can only be imposed for wrongful infringements, either intentional or negligent. This ruling, responding to inquiries from Lithuanian and German courts, clarifies that data controllers are may also be liable for fines resultant of their processors’ actions. The press release can be found here →
The Belgian Data Protection Authority settled with four media websites, L’Avenir, RTBF, Mediafin, and IPM regarding their cookie usage, following noyb’s complaints. While fines were not imposed, the companies must modify their cookie banners to include a ‘refuse all’ button, avoid emphasizing the ‘accept all’ option, and simplify the consent revocation process. Except for Mediafin, all must also clarify the use of essential cookies and the effect of withdrawing consent, within one month to implement these changes. Read more here on our blog →
The EDPB published its urgent binding decision against Meta for GDPR violations in behavioral advertising. The EDPB identified ongoing breaches in Meta Ireland’s use of contract and legitimate interest for data processing and non-compliance with DPAs’ decisions. Consequently, the EDPB instructed the Irish DPA to enforce a ban on Meta Ireland’s data processing for behavioral advertising based on these legal grounds. Press release here →
3) New and Upcoming Legislation
The California Privacy Protection Agency has released proposed amendments to the current California Consumer Privacy Act. These updates aim to expand the scope and penalties of the act, and include modifications regarding dark patterns and responsibilities pertaining to the rights of data subjects. Access here →
4) Strong Impact Tech
Meta, Facebook’s parent company, is facing a €550 million lawsuit from AMI, an association representing 83 Spanish media outlets. The lawsuit accuses Meta of unfairly dominating the advertising market through the extensive and systematic exploitation of user data from Facebook, Instagram, and WhatsApp. They allege it is often collected without explicit consent, violating data protection laws and constituting unfair competition. Reported here →
The U.S. Federal Trade Commission has urged a federal appellate court to deny Meta’s plea for a temporary suspension of their legal dispute concerning user data monetization. The FTC argues that Meta’s request is an attempt to evade a potential FTC directive that might bar the company from monetizing the data of minors. Read more here →
Other key information from the past weeks
Italy’s data protection authority, Garante, is conducting an investigation into the data collection methods used for training algorithms. This investigation targets both public and private organizations, aiming to ensure they implement adequate security measures to protect against the webscraping of personal data. There is a 60-day public consultation underway to discuss potential security strategies to prevent data scraping. Read here → (in Italian)
The UK Information Commissioner’s Office has sent warning letters to the country’s top websites, urging them to enhance their third-party cookie practices within 30 days or face enforcement actions. “Companies must make changes now or face consequences,” stated ICO Executive Director of Regulatory Risk. More here →
