The European Data Protection Board (EDPB) adopted an opinion regarding ‘consent or pay‘ models associated with behavioral advertising typically used by major online platforms. This opinion addresses whether such models genuinely offer users a free choice as mandated by GDPR standards further to a request from the Dutch, Norwegian & Hamburg Data Protection Authorities.
Spain’s Agencia Española de ProtecciĂłn de Datos (AEPD) has released its annual reports, revealing a significant surge in data protection complaints in 2023. According to the Action Report, the AEPD received a total of 21,590 complaints, marking a 43% increase from 2022 and a 55% increase from 2021. The most frequent complaints involved issues with unwanted advertising, internet services, video surveillance, and the sectors of commerce, transport, hospitality, and financial institutions.Read here → (In Spanish)
The Danish data protection authority, Datatilsynet, released its 2023 annual report, which underscores a year of heightened activity, complex cases, and extensive international engagements. The report notes the publication of 22 national guidelines and web pages, focusing on areas such as direct marketing and television surveillance, providing targeted guidance to private companies, public authorities, and housing associations.Access the press release here → (In Danish)
France’s data protection authority, CNIL, has released its first guidelines on using artificial intelligence (AI) while ensuring personal data protection. These guidelines cover legal and technical requirements for AI under the GDPR, including the necessity for a legal basis to process data and conducting tests on reused data, helping organizations comply with data protection standards. Read here →(In French)
2) Notable Case Law
In a nonbinding opinion, Advocate General Priit Pikamäe of the Court of Justice of the European Union has highlighted a lapse by the Hessian Data Protection and Freedom of Information Commissioner. The criticism came after the Commissioner failed to take corrective action when a local savings bank employee accessed a citizen’s personal data without consent. Advocate General Pikamäe stated that upon notification of such data mishandling, the regulator is obliged to identify and implement appropriate corrective measures to address the infringement.Read the press release here →
France’s data protection authority, CNIL, has imposed a fine of €525,000 on the technology retail chain Hubside.Store for its unauthorized use of phone calls and text messages for promotions. The company was found to have acquired personal data from data brokers and websites without obtaining proper consent from individuals, in violation of GDPR’s requirements. Specifically, Hubside.Store breached Article 6, lacking a legal basis for commercial prospecting, and Article 14, failing to properly inform individuals about the use of their data.The Authority’s decision can be found here →(in French)
3) New and Upcoming Legislation
The European Parliament has endorsed new procedural rules to enhance the enforcement of the General Data Protection Regulation (GDPR). Concerned with the inconsistent enforcement across member states, Parliament aims to restore public trust by reducing lengthy legal processes. The proposed adjustments focus on improving cooperation among national data protection authorities, refining dispute resolution mechanisms, and standardizing procedural rules across the EU. Access here →
Nebraska (US): The omnibus bill (Legislative Bill 1074) passed its final reading on April 11, and includes a proposed comprehensive privacy statute which mirrors Texas’ comprehensive law, including dedicated language for universal opt-out mechanisms and dark patterns, a 30-day cure period as well as particular coverage thresholds. If enacted, the privacy bill would take effect on January 1, 2025.
4) Strong Impact Tech
DuckDuckGo is set to introduce a new privacy tool that enables consumers to request the deletion of their personal data from people-search websites, according to Wired. Reported here →
Hackers have found a way to access online accounts without passwords by exploiting stolen third-party cookies. Adrianus Warmenhoven, a member of NordVPN’s Security Advisory Board, warns that if an attacker acquires an active cookie, they can log into accounts bypassing both passwords and multifactor authentication. This vulnerability underscores the need for enhanced security measures concerning cookie management and digital privacy. Read the full story here →
Other key information from the past weeks
The Information Commissioner’s Office (ICO) is stepping up its efforts to safeguard the online privacy of children. Read here →
ICO Expands Global Reach in Data Protection with Global CAPE Membership The Information Commissioner’s Office (ICO), the UK’s guardian of data privacy, has taken a significant step in international collaboration by joining the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE). Continue reading →
