The European Commission has published its Work Program 2023, which sets out its agenda for the targeted actions to complete the objectives of the mandate in terms of political strategy and key legislative proposals, among others. Read here →
The European Data Protection Board (EDPB) released its revised Guidelines 9/2022 on notifying the public of a personal data breach under the General Data Protection Regulation and is now looking for feedback from the general public. Access here →
2) Notable Case Law
The Court of Justice of the European Union (CJEU) issued its judgment in Case C-77/21 Digi Távközlési és Szolgáltató Kft. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, concerning the request for a preliminary ruling submitted by the Court of Budapest-Capital. Read about the decision here →
The Italian data protection authority (Garante Privacy) found that a U.S. company unlawfully disclosed email accounts and health data relating to about 2,000 Italian diabetic patients and committed additional infringements of data protection laws. In particular, after downloading the app, users were expected to accept, by a single click, the terms of use of the service jointly with the contents of the privacy policy. The Authority’s summary can be found here → (in Italian)
Following complaints from NGOs, the French data protection authority (CNIL) fined Clearview AI €20 million in accordance with EU privacy rules and directed it to stop collecting data in France and destroy any data that had already been obtained. Read more on our blog →
The Danish data protection authority (Datatilsynet) published a decision expressing criticism against SmartResponse A/S for violations of Articles 5(1)(e), 6, 12(1), 13 of the General Data Protection Regulation following an investigation of the SmartResponse’s data processing practices. Access here → (In Danish)
3) New and Upcoming Legislation
The Czech Presidency of the Council of the European Union has prepared its latest compromise text for the proposed Artificial Intelligence Act, Euractiv reports. The text, now in its fourth drafting, features, among other things, updates on requirements for the use of AI by law enforcement, additional transparency requirements, and different factors for calculating penalties. The text will be discussed by the Council Working Group on Telecommunications and the Information Society on October 25 and, if no issues are raised, could be approved by mid-November. Reported here →
4) Strong Impact Tech
According to a Forbes article, ByteDance’s Internal Audit and Risk Control department, which looks into allegations of employee misconduct, intended to “collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company” in at least two instances. Access the article here →
Meta has made public an internal security report that has found apps designed to steal Facebook login information are rampant on both of the big two app stores. The company says that it has found over 400 malicious apps of this nature between Android and iOS, which manage to stay afloat with a combination of professional artists and fake positive reviews to lend them an appearance of legitimacy. Read more here →
According to Government Security reports, U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly called on organizations to push their users to adopt multi-factor authentication (MFA). Easterly called MFA “the seatbelt of the information highway” and suggested that companies should “forcefully push” users toward it. See here →
Twitter has asked a U.S. District Court judge in the Northern District of California to dismiss a class action complaint that the company collected users’ contact data and used it for advertising targeting, according to MediaPost reports. The company said its use of the data was consistent with its privacy policy and that it “did not sell or even disclose” information. The complaint follows the U.S. Federal Trade Commission’s $150 million fine against Twitter. Reported here →
Other key information from the past weeks
In response to a complaint made, the Italian DPA (Garante Privacy) fined Intesa Sanpaolo Vita S.p.A. €20,000 for violating Articles 5(1)(a) and 5(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
The EU lawmaker leading on the cloud-related provisions of the Data Act wants to remove the obligation that cloud providers must ensure an equivalent level of service when a client changes provider.
The fashion e-commerce platform Shein has been fined $1.9 million by the attorney general of the state of New York for a data breach, according to a notice from the state’s Attorney General office.
