News

English Summary }}}} A court awarded €3,000 to a data subject after finding a news portal violated her privacy under [[Article 5 GDPR]] by publishing her personal data unnecessarily and disproportionately, despite claims of public interest.A court awarded €3,000 in damages to a data subject after finding that a news portal violated her right to privacy by publishing her personal data unnecessarily and disproportionately in two articles, despite the controller’s claims of public interest. == Engl

Report from EFF, Center for Just Journalism, and IPVM Helps Cut Through Sales HypeSAN FRANCISCO — A new report released today offers journalists tips on cutting through the sales hype about police surveillance technology and report accurately on costs, benefits, privacy, and accountability as these invasive and often ineffective tools come to communities across the nation. The “Selling Safety” report is a joint project of the Electronic Frontier Foundation (EFF), the Center for Just Journalism (

Surveillance technology vendors, federal agencies, and wealthy private donors have long helped provide local law enforcement “free” access to surveillance equipment that bypasses local oversight. The result is predictable: serious accountability gaps and data pipelines to other entities, including Immigration and Customs Enforcement (ICE), that expose millions of people to harm. The cost of “free” surveillance tools — like automated license plate readers (ALPRs), networked cameras, face recognit

Federal agencies like Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) have descended into utter lawlessness, most recently in Minnesota. The violence is shocking. So are the intrusions on digital rights. For example, we have a First Amendment right to record on-duty police, including ICE and CBP, but federal agents are violating this right. Indeed, Alex Pretti was exercising this right shortly before federal agents shot and killed him. So were the many people wh

Dangerously unchecked surveillance and rights violations have been a throughline of the Department of Homeland Security since the agency’s creation in the wake of the September 11th attacks. In particular, Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) have been responsible for countless civil liberties and digital rights violations since that time. In the past year, however, ICE and CBP have descended into utter lawlessness, repeatedly refusing to exercise or

Spyware continues to spread across Europe despite years of scandals and undisputable evidence of fundamental rights violations. As the European Commission remains inactive, civil society, journalists and some lawmakers at the European Parliament are stepping up pressure for accountability. In this context, EDRi is launching a document pool to centralise resources that tracks abuse and support the growing push for a full EU-wide ban of spyware. The post EDRi launches new resource to document abus

Brussels, 21 January - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission’s Proposal for the ‘Digital Omnibus on AI’. The Proposal seeks to simplify the implementation of certain harmonised rules under the AI Act to ensure their effective application.The EDPB and the EDPS support the objective of addressing practical challenges relating to the implementation of the AI Act. Administrative simplificat

Permanent link: The responsible party did not respond adequately and provided unclear information or referred the individual to third parties. As a result, the individual filed a complaint with the Data Protection Authority. The responsible party did not respond adequately and provided unclear information or referred the individual to third parties. As a result, the individual filed a complaint with the Data Protection Authority. The Data Protection Authority has issued a final decision in which the responsible party is warned for violating Article 6(1) of the GDPR and Article 5(1).

Vaste link: De verantwoordelijke partij reageerde niet adequaat en verstrekte onduidelijke informatie of verwees de betrokkene naar derden. Hierdoor heeft de betrokkene een klacht ingediend bij de Autoriteit Persoonsgegevens. De verantwoordelijke partij reageerde niet adequaat en verstrekte onduidelijke informatie of verwees de betrokkene naar derden. Hierdoor heeft de betrokkene een klacht ingediend bij de Autoriteit Persoonsgegevens. De Autoriteit Persoonsgegevens heeft een definitief besluit uitgevaardigd waarin de verantwoordelijke partij wordt gewaarschuwd voor het overtreden van artikel 6(1) van de AVG en artikel 5(1).

Fixed Link The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA.The controller did not respond adequately, providing unclear information or referring the data subject to third parties. As a result, the data subject lodged a complaint with the DPA. The DPA issued a final decision warning the controller for violating [[Article 6(1) GDPR|Article 6(1)]] and [[Article 5(1)

join the international community, including the UN’s Independent International Fact-Finding Mission, in calling on Iran to immediately restore internet and mobile communications and in demanding accountability and transparency for the grave human rights violations documented in the country The post #KeepItOn: Iran plunged into digital darkness, concealing human rights abuses appeared first on Access Now.

}}}} An Austrian media company was fined €6,820 by the Data Protection Authority for negligently failing to implement a binding order to modify its website’s cookie banner, delaying user consent options despite all appeals being rejected.The DPA fined a media company €6,820 for failing to bring its cookie banner into compliance by implementing a visually equivalent option to reject cookies. The DPA previously ordered the controller to do so in accordance with Article 58(2)(d) GDPR. == English Su

Ruling === Ruling ====== Ruling === The Data Protection Authority (AP) has ruled that the responsible party violated Article 58(2)(d) of the GDPR. This article grants supervisory authorities the power to issue binding instructions to controllers to ensure compliance with the GDPR. The violation occurred because the responsible party failed to implement a binding instruction, namely to modify the cookie banner on the website so that users can easily reject cookies as well as accept them. The AP has ruled that the responsible party violated Article [[A...

}}}} Een Oostenrijks mediabedrijf is door de Autoriteit voor Gegevensbescherming een boete van 6.820 euro opgelegd, omdat het nalatig was bij het implementeren van een bindende aanwijzing om het cookiebanner op zijn website te wijzigen. Hierdoor werden de opties voor toestemming van gebruikers vertraagd, ondanks dat alle bezwaren werden afgewezen. De Autoriteit voor Gegevensbescherming heeft een mediabedrijf een boete van 6.820 euro opgelegd omdat het cookiebanner niet was aangepast om te voldoen aan de wetgeving, en er geen visueel gelijkwaardige optie was om cookies te weigeren. De Autoriteit had eerder aan het bedrijf opgedragen dit te doen, in overeenstemming met artikel 58(2)(d) van de AVG.

Holding === Holding ====== Holding === The DSB held that the controller violated [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], which grants supervisory authorities the power to issue binding instructions to data controllers to ensure compliance with the GDPR. The violation arose from the controller’s failure to implement the binding instruction requiring modification of the website cookie banner to allow users to refuse consent as easily as giving it.The DSB held that the controller violated [[A

Uitspraak === Uitspraak ====== Uitspraak === De Autoriteit Persoonsgegevens (AP) heeft geoordeeld dat de verantwoordelijke partij artikel 58(2)(d) van de AVG heeft overtreden. Dit artikel geeft toezichthoudende autoriteiten de bevoegdheid om bindende instructies te geven aan verantwoordelijken om ervoor te zorgen dat de AVG wordt nageleefd. De overtreding ontstond doordat de verantwoordelijke partij er niet voor zorgde dat de bindende instructie werd uitgevoerd, namelijk het aanpassen van de cookiebanner op de website, zodat gebruikers toestemming net zo gemakkelijk kunnen weigeren als geven. De AP heeft geoordeeld dat de verantwoordelijke partij artikel [[A...

An Austrian media company has been fined €6,820 by the Data Protection Authority because it failed to implement a binding instruction to modify the cookie banner on its website. This resulted in delays in providing users with consent options, despite all objections being rejected. The Data Protection Authority imposed a fine of €6,820 on the media company because the cookie banner had not been adjusted to comply with the law, and there was no visually equivalent option for users to reject cookies. The Authority had previously instructed the company to do so, in accordance with Article 58(2)(d) of the GDPR.

Commentary CoC are a voluntary accountability tool providing for specific data protection rules for categories of controllers and processors. In other words, CoC can provide a rule book for a group of controllers and processors describing how a GDPR compliant processing operation looks like in the specific processing situation.<ref>EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version 2.0), margin number 7 (available [https://ww

(3) Processors and controllers that do not fall under the territorial scope of the GDPR. The focus on a specific sector is intended to provide a cost-effective way to comply with privacy legislation, taking into account all the specific characteristics of data processing that occurs within that sector, with particular attention to the needs of micro, small, and medium-sized enterprises. <ref>EDPB, 'Guidelines 1/2019 on Codes of Conduct and Supervisory Authorities under Regulation 2016/679', June 4, 2019 (version).</ref>

(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR The focus on a particular sector is supposed to allow for a cost effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector - with particular emphasis on the needs of micro, small and medium enterprises.&lt;ref&gt;EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version

Access Now,together with several human rights organizations, are calling on MTN Group to protect mobile service subscribers and ensure transparency and accountability for data breaches perpetuated by their subsidiaries in the Republic of Congo. The post MTN Group must answer for dangerous bounty SMS campaign in the Republic of Congo appeared first on Access Now.

The European Parliament has approved the EU-Singapore digital trade agreement and rejected a motion to request an opinion from the Court of Justice of the European Union regarding its legality. This decision weakens the Union's ability to guarantee privacy, data protection, and accountability with regard to software systems, at a time when the pressure to ease regulations is increasing across Europe. The article "The EU concludes a digital trade agreement with Singapore, despite warnings: a setback for digital rights and democratic control" originally appeared on European D.

The European Parliament has approved the EU–Singapore Digital Trade Agreement, rejecting a motion to seek a Court of Justice opinion on its legality. This decision weakens the Union’s capacity to safeguard privacy, data protection, and accountability over software systems, at a time when deregulation pressures are increasing across Europe. The post EU adopts Digital Trade Agreement with Singapore despite warnings: a setback for digital rights and democratic oversight appeared first on European D

Brussels, October 20th - During its latest plenary meeting, the EDPB (European Data Protection Board) adopted two opinions on the draft decisions of the European Commission regarding the extension of the validity of the decisions on the adequacy of the United Kingdom, as stipulated in the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), until December 2031. The EDPB opinions, requested by the Commission under Article 70(1)(s) of the GDPR and Article 51(1)(g) of the LED, address the proposed six-year extension of the two decisions on the adequacy of the United Kingdom, which are currently due to expire.

Brussel, 20 oktober - Tijdens de laatste plenaire vergadering heeft het EDPB (Europees Comité voor de bescherming van de persoonlijke levenssfeer) twee adviezen aangenomen over de conceptbesluiten van de Europese Commissie met betrekking tot de verlenging van de geldigheid van de besluiten over de adequaatheid van het Verenigd Koninkrijk, zoals vastgelegd in de Algemene Verordening Gegevensbescherming (AVG) en de Richtlijn Handhaving en Gerechtelijke Samenwerking (LED), tot december 2031. De adviezen van het EDPB, op verzoek van de Commissie op grond van artikel 70(1) onder (s) van de AVG en artikel 51(1) onder (g) van de LED, behandelen de voorgestelde verlenging van zes jaar van de twee besluiten over de adequaatheid van het Verenigd Koninkrijk, die op dit moment aflopen.

Background information Following a complaint by the PRIVACY INTERNATIONAL association, the CNIL carried out four investigations into DOCTISSIMO. The doctissimo.fr website mainly offers articles, tests, quizzes and discussion forums related to health and well-being for the general public. During its investigations, the CNIL noted several infringements, in particular concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the wayco

> The harms from so-called AI are real and present and follow from the acts of people and corporations deploying automated systems. Regulatory efforts should focus on transparency, accountability and preventing exploitative labor practices. By Angelina McMillan-Major, Emily M. Bender, Margaret Mitchell and Timnit Gebru for DAIR on March 31, 2023

> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.

> Spain’s data protection authority, the Agencia Española de Protección de Datos, published guidance for anonymizing data. The guidance called for a trained professional to handle the anonymization of a personal data set who also has experience in reidentification attacks. Even though “residual probability” of reidentification will always exist, a data controller must apply accountability to the anonymization process “with appropriate measures to ensure compliance taking i

Since May 2018, the GDPR has been directly applicable in the European Economic Area, including the member states of the European Union, Liechtenstein, Norway, and Iceland. Four years later, awarding damages for GDPR violations is still not a common practice in the Netherlands, despite the fact that news reports regularly mention data breaches and other GDPR violations. This article analyzes Dutch case law over the past four years to see what factors may influence the awarding of damages under th

The purpose limitation principle does not preclude a controller from capturing and storing in a test database established for testing and error correction purposes personal data previously collected and stored in another database. However, such "further processing" of personal data must be compatible with the specific purposes for which the personal data were originally collected. The principle of storage limitation precludes the retention of personal data in that test database for longer than n

> On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advanced Notice of Proposed Rulemaking on commercial surveillance and lax data security practices.

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

De AVG (Algemene Verordening Gegevensbescherming) omvat de verantwoordingsplicht (RBA) voor alle verplichtingen van de verantwoordelijke partij zoals die in de AVG zijn vastgelegd. Waar de overdrachtsregels worden beschreven als verplichtingen van de verantwoordelijke partij (in plaats van als absolute principes), is de verantwoordingsplicht van artikel 24 dus van toepassing. Volgens Lokke Moerel, professor in het internationaal ICT-recht aan de Universiteit van Tilburg en expert op het gebied van cyberbeveiliging, wordt dit niet tegengesproken door het vonnis van het Europees Hof van Justitie in de zaak Schrems II, noch door de aanbevelingen van het EDPB (European Data Protection Board) over aanvullende maatregelen na het vonnis Schrems II.

The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

The European Data Protection Supervisor ordered Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation into Europol's possession and storage of van der Linde's personal data.

> The fine is the result of an investigation that began in 2020 and focused on the company’s processing of children’s personal data. Based on press reports, the investigation focused on children between the ages of 13 and 17 who were allowed to operate business or creator Instagram accounts. As a result, children’s phone numbers and email addresses were publicly accessible.

> The current version of the Bill seeks to maintain the majority of key principles that underpin the UK data protection law framework, while at the same time modifying certain key provisions in relation to accountability, lawful grounds for processing, data subject access requests and cookies, amongst others. A [consolidated redline version of the UK GDPR by Hogan Lovells](https://www.engage.hoganlovells.com/knowledgeservices/attachment_dw.action?attkey=FRbANEucS95NMLRN47z%2BeeOgEFCt8EGQJsWJiCH

> The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. […] Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction.

> Het onderzoek laat zien dat de duidelijkheid en toegankelijkheid van de UAVG kritisch wordt beoordeeld. Mede de ‘beleidsneutrale’ invulling van de wet en de korte tijd waarin deze tot stand moest komen hebben daartoe geleid. Wanneer wordt bezien hoe AP en de jurisprudentie nader invulling hebben gegeven aan de normen in de wet is de conclusie dat dit deels is gebeurd, maar voor een ander deel ook nog verder dient te worden uitgewerkt. In het onderzoeksrapport worden daarvan op verschillende pl

> European supervisory authorities’ varying practices of calculating GDPR administrative fines can be viewed, on the one hand, as inconsistent and in conflict with the principle of uniform interpretation and application of the GDPR in general and uniform sanction for GDPR infringements in particular, as enshrined in GDPR recital 10, 11 and 13.

Lawfully collected and stored personal data may be retained in an additional internal database, to the extent that it pursues the same data processing purposes as the original data collection. That is the opinion of Advocate General Pikamäe to the EU Court in response to questions from a Hungarian judge.

It is part of the exercise of judicial functions by a court within the meaning of the AVG to make documents originating from a judicial proceeding -in which personal data are included- temporarily available to journalists in order to enable them to better report on the course of that proceeding. This is the EU Court's answer to preliminary questions from the Dutch court.

The collection by the tax authority of a Member State of personal data concerning the advertisements for the sale of vehicles placed on the website of an economic operator falls within the material scope of the General Data Protection Regulation (AVG). Thus, that authority will also have to comply with the principles on the processing of personal data laid down in the AVG. However, a tax authority can derogate from the AVG in certain cases, even if the right to derogate is not granted by nationa