Guidelines for calculating administrative fines under the GDPR were released by the European Data Protection Board. The updated guidelines are accessible for public consultation until June 27, 2022. The following five steps make up the calculation system:
Identification of processing operations and assessment of the application of Article 83(3) of the GDPR
Identifying the basis for calculating the sanction based on the violation, its magnitude, and the company’s turnover
Evaluation of aggravating and mitigating circumstances relating to the company’s previous or current behavior
Identifying the applicable legal ceilings for various processing procedures
Analyze if the estimated sanction’s final amount meets the effectiveness, dissuasiveness, and proportionality standards.
The EDPS issued two Opinions, one on the Proposal for a Regulation setting forth measures for a high common level of cybersecurity in EU Institutions, bodies, offices, and agencies (‘Cybersecurity Proposal’) and the other on information security in EUIs (‘Information Security Proposal’). Access the guidelines here →
2) Notable Case Law
Google sued in the High Court for exploiting 1.6 million Britons’ NHS data ‘without their knowledge or consent.’ The data was obtained in 2015 from the Royal Free NHS Trust in London with the aim of testing a smartphone app called Streams by the company’s artificial intelligence branch, DeepMind. Reported here →
Google LLC has been fined ten million euros by the Spanish Data Protection Authority (AEPD) for transmitting personal data to third parties without a legal basis and obstructing the exercise of the right to erasure, in violation of Articles 6 and 17 of the GDPR. Google LLC sent information about user requests to the Lumen Project group without a solid legal basis, including the citizen’s identity, email, the reasons cited, and the claimed URL. Read more →
The Italian Data Protection Authority (Garante) fined Uber B.V. (NL) and its parent firm Uber Technologies Inc . (USA) EUR 2.120.000 each. The DPA discovered that the information supplied to data subjects in the privacy notice was insufficient and incorrect following an inquiry launched after the firm experienced a data breach in 2016. The authority’s decision can be found here → (in Italian)
Clearview AI Inc was fined £7,552,800 by the Information Commissioner’s Office (ICO) for collecting photographs of individuals from the web and social media to construct a worldwide online database that could be used for face recognition. Access the decision here →
3) New and Upcoming Legislation
Following the European Parliament, the Council approved a new law today to encourage data availability and create a trustworthy environment for their use in research and the development of creative new services and products. The Data Governance Act (DGA) would provide rigorous procedures to allow for the reuse of certain types of protected public-sector data, strengthen confidence in data intermediation services, and promote data altruism across the EU. Read the press release here →
4) Strong Impact Tech
In an attempt to get a share of the $18 billion (£14.4 billion) biometrics industry, Mastercard is launching a controversial initiative that will allow consumers to pay at the register with only a smile or a wave of the hand. While face recognition technology has long been a source of concern for civil rights advocates, the payments giant announced that it was moving forward with a biometric checkout program that it claimed would speed up payments, reduce queues, and provide greater security than a standard credit or debit card. Read more here →
Seven Italian websites, both institutional and commercial enterprises, were knocked offline on the 11th of May by a hacking attack claimed on Telegram by a pro-Russian IT organization called “Killnet,” including the Senate, the Higher Institute of Health, and the Italian Automobile Club. Find out more on this topic here →
Other key information from the past weeks
The US State and Local Government Cybersecurity Act, which passed the Senate in January, was passed by the House on Tuesday and now awaits President Joe Biden’s signature
