Our top five European data protection developments from June are:
- Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. Businesses may wish to review their policies and procedures for responding to compensation requests for non-material damage to ensure that they reflect the latest understanding of the scope of that right in light of this caselaw.
- Enforcement for data erasure request failings: Data controllers must provide sufficient support and resources to their Data Protection Officers (“DPOs”), as highlighted by recent enforcement action in Belgium.
- Swedish DPA fines bank for unlawful transfer of personal data to Meta: The Swedish DPA fined Avanza Bank AB for failing to secure the integrity, confidentiality and security of personal data when it inadvertently allowed the transfer of personal data, including personal IDs and financial information, to Meta.
- BaFin publishes guide on incident reporting under DORA: BaFin has published guidance on incident reporting under DORA, calling on businesses in the financial services sector in Germany to adapt their existing reporting mechanisms to comply with additional requirements under the new cyber resilience regime ahead of the 16 January 2025 deadline.
- French guidance on development of AI systems: The French CNIL published new “how-to” sheets and a survey on the development of AI systems. While public consultation is still ongoing, the CNIL’s guides helpfully consolidate the authority’s approach to data protection issues raised by AI systems.
These developments, and more, are covered below.
CJEU clarifies the right to compensation
What happened: The CJEU clarified the scope of non-material damage that may lead to compensation in the context of “identity theft” and fear of data exposure (see our December 2023 and January 2024 roundups for previous developments).
The CJEU held that theft of personal data, without actual misuse of such data by a third party, does not give rise to compensable “identity theft” within the meaning of the GDPR. Two data subjects brought compensation claims for non-material damage caused by the theft of their personal data from a trading platform, including their: (i) names; (ii) dates of birth; (iii) addresses; (iv) email addresses; and (v) digital copies of their identity cards. Although the threat actors had seized the personal data, there was no evidence that such data had been misused. The applicants could thus not claim compensation for non-material damage on this basis. The CJEU pointed out that compensation for non-material damage caused by theft of personal data was not confined to instances of “identity theft”.
In a separate case, the CJEU held that a data subject’s fear that their personal data had been unlawfully disclosed to a third party could warrant compensation. The claim involved a tax consultancy sending a letter with the claimant’s tax returns to the wrong address. It was not possible to establish whether the letter was read. The claimants sought compensation for the distress caused by this unauthorised disclosure. The CJEU reiterated that the mere infringement of the GDPR does not, in itself, entitle affected individuals to compensation, as previously discussed here. The court concluded that a data subject’s fear that their personal data has been exposed to third parties could warrant compensation if that fear, with its negative consequences, is proven. It was not necessary to establish that the unlawful disclosure did in fact occur, but the affected individuals had to demonstrate actual non-material damage.
What to do: Businesses may wish to review their policies and procedures for responding to compensation requests for non-material damage to ensure that they reflect the latest understanding of the scope of that right.
Belgian DPA fines data controller for inadequate response to data erasure request
What happened: The Belgian DPA fined an unnamed company €172,431 for, among other things, failing to comply with a data erasure request in the context of direct marketing and failing to provide adequate resources to its DPO.
After receiving an unexpected charge on a bill from the data controller, a data subject objected to direct marketing and made an erasure request. The controller agreed to the erasure but failed to action the objection to direct marketing, and the data subject continued to receive marketing materials.
The Belgian DPA identified various failings by the data controller’s DPO in relation to the erasure request, including: (i) giving incorrect instructions to the data processor (leading to the relevant data being restricted rather than deleted); (ii) failing to respond to the DPA during mediation; and (iii) failing adequately to process and internally disseminate correspondence from the DPA and data subject. The DPA noted that the DPO was employed on a part-time basis and was significantly overburdened. In finding a breach of GDPR Arts. 5(2) and 24 by the data controller, the DPA highlighted GDPR Art. 38(2), which states that data controllers shall provide the necessary resources and allocate adequate time for the DPO to carry out its duties.
What to do: Businesses may wish to review their processes for responding to direct marketing-related and erasure requests to ensure that they are communicated promptly and accurately internally. In particular, data controllers may wish to review whether their DPOs have sufficient support, training and resources to meet the requirements of their role.
Swedish DPA fines bank for unlawful transfer of personal data
What happened: The Swedish DPA fined Avanza Bank AB SEK 15 million (approximately USD 1.4 million) for transferring data to Meta in a way that did not ensure appropriate integrity, confidentiality and security. The DPA found that, between 15 November 2019 and 2 June 2021, Avanza had inadvertently activated a Meta Pixel analytics function to track the effectiveness of Facebook ads and user activity, which led to the unauthorised transfer of personal data to Meta. Though Avanza had activated the tool by mistake, the Swedish DPA found that Avanza failed to follow its procedures and to detect these unauthorised data transfers promptly. The DPA also noted that the data transfer included sensitive information concerning a very large number of people and that most of the data was transferred in plain text, which posed a high risk to data subjects. Avanza only became aware of the data transfer to Meta when notified by a third party.
What to do: Businesses should ensure that they carefully assess and monitor changes to software with access to personal data. This includes being vigilant about data transfer permissions in contracts with third-party vendors. The fine also serves as a reminder that having policies and procedures around the transfer of personal data is only useful in so far as transfers are actually detected. Ultimately, Avanza’s failure to detect and prevent the data transfer indicated insufficient security measures.
BaFin publishes guide on incident reporting under DORA
What happened: The German Federal Financial Supervisory Authority (“BaFin”) published guidance for German financial services entities on reporting major incidents related to information and communication technology and serious cyber threats under the EU’s Digital Operational Resilience Act (“DORA”). The guidance builds on the regulatory and implementing technical standards (the “Technical Standards”), which were previously discussed here.
BaFin will become the relevant competent authority in Germany for DORA-regulated firms. It expands on the incident-reporting framework by specifying the information which the initial notification must contain, including: (i) a description of the incident; (ii) a list of affected services; (iii) how long the incident is likely to last; and (iv) how serious the incident is, based on the firm’s assessment at the time of making the initial notification. The guidance provides helpful examples of what BaFin would consider a serious incident, such as a long-term disruption to stock exchange trading or payment systems. The guidance also clarifies the information that should be included in the intermediate notification, which must be made within 72 hours of classifying the incident as major, focusing on incident recovery and business continuity.
What to do: DORA-covered entities in Germany may wish to consider adapting their existing incident response and reporting mechanisms to comply with additional requirements under DORA and the Technical Standards in light of BaFin’s guidance.
CNIL publishes new practical guides on the development of AI systems
What happened: The French CNIL published a second set of AI-related “how-to” sheets, open for public consultation until 1 September 2024. As previously reported, the CNIL had already recommended seven steps to AI system providers dealing with personal data. The new “how-to” sheets cover: (i) relying on the legitimate interests lawful basis to develop AI systems; (ii) considering the impact of open-source models when relying on legitimate interests; (iii) considering the impact of web scraping when relying on legitimate interests; (iv) informing data subjects about the use of their personal data to train AI models; (v) facilitating the exercise of data subjects’ rights; (vi) the impact on personal data rights of data annotation (i.e., labelling or tagging data to provide context and meaning for training an AI model); and (vii) data security when developing an AI system. The CNIL also published a survey regarding the conditions under which AI models could be considered anonymous or should be regulated by the GDPR.
What to do: AI is a focus area for the CNIL: in May 2023, it had published its AI action plan, and it has since been polishing its recommendations in consultation with AI actors. The intersection between AI and data protection – especially under the GDPR – can be challenging to navigate, and these recommendations are meant to help professionals reconcile innovation and individuals’ rights. Businesses that are developing AI systems in France may wish to review the CNIL’s recommendations to help ensure they meet local regulatory expectations and comply with applicable data protection laws. In particular, businesses should be aware of the French DPA’s focus on the impact of personal data rights at every stage of AI development.
The cover art used in this blog post was generated by DALL-E.