Relevant privacy headlines

Privacy Newsletter

Please find a compilation of the latest relevant privacy headlines below.

If you want to subscribe to our monthly newsletter covering the latest privacy headlines, click here.

Deloitte publishes article on implementation requirements of AI Act

As we count down the days until the AI Act is published in the EU Official Journal and officially enters into force, Deloitte has summarized and explained the implications of and requirements for implementing the AI Act. If your organization is considering implementing an AI system, or if you are just curious, the full article is available here. If you want to discuss the implications for your organization, don’t hesitate to reach out! We are currently assisting our clients with frameworks for using and developing AI as well as with risk classification of AI systems and are happy to get in touch.

Finnish online retailer imposed administrative fine of EUR 856 000 

On March 6, 2024, the Finnish supervisory authority (“The Data Protection Ombudsman”) imposed an administrative penalty of EUR 856 000 against a retail company after the company was found to have inadequately set retention periods for its customers’ personal data. In addition, the company’s requirement for customers to create an account to shop through the company's web store was deemed to be a violation of GDPR. The investigation commenced following formal complaints from a customer of the company. The company asserted that each customer could easily close their account and thereby delete all customer data. However, the Data Protection Ombudsman contended that customer data could have been stored for an extended period without being automatically deleted by the company. 

In its decision, the Data Protection Ombudsman considered that the company had left it to the customers to determine the duration for which their data should be stored, requiring them to take active steps to have the data removed. 

Note: The decision is not yet final, and the company has announced that it will appeal the decision in the Finnish administrative courts. For further information, see the press release from the Data Protection Ombudsman here.

EDPB outlines priorities for 2024-2027 

On April 18, 2024, the European Data Protection Board (EDPB) adopted its general strategy for 2024 to 2027. A common theme found throughout the strategy is the EDPB’s commitment to further harmonize procedural rules relating to the enforcement of the GDPR. This commitment builds on the EDPB’s “wish list” to the EU Commission which, among other aspects, called for clearer procedural deadlines for supervisory authorities in handling cases.

EDPB’s press release can be read here.  

Czech cybersecurity company imposed a fine of approximately EUR 14 million

On April 10, 2024, the Czech supervisory authority (“UOOU”) imposed an administrative fine of CZK 351 000 000 (approximately EUR 14 000 000) against a major multinational cybersecurity company. In 2019, the company transferred personal data of around 100 million users to its sister company. Although the company claimed that the transferred personal data was anonymous, it was discovered that this was not the case, as the data could potentially be used to identify the individuals concerned. 

In its decision, UOOU highlighted the fact that the company is an expert in cybersecurity, and that its customers could not have anticipated that the company would transfer their personal data. Furthermore, UOOU concluded that the reason for the personal data transfer was not solely for statistical purposes, as the company had argued. As a result, UOOU concluded that the customers had been misled regarding the purpose of the data transfer. UOOU’s press release can be read here.

Council of the EU agrees position on rules regarding harmonized GDPR enforcement

On June 13, 2024, the Council reached an agreement on its position on a new law to further harmonize and promote effective enforcement of the GDPR. In general terms, the new law will promote clearer timelines for supervisory authorities in cross-border cases, aim to reduce the administrative burden for more straightforward cases and introduce an “early resolution mechanism”. As for the next steps, the Council will start negotiations with the EU Parliament to agree on a final text for the new law.

EDPB publishes its opinion on Meta’s “Pay or Okay”-model 

In a recent opinion from the EDPB, the board made public its view on the so-called “Pay or Okay”- or “Consent or Pay”-model. The model, implemented by Meta (among others), entails a situation where the data subject must either consent to the processing of their personal data for a certain purpose (such as for behavioral advertising) or pay a fee to not have their personal data processed.

In the board’s view, in cases where “Pay or Okay”-models are utilized by large online platforms, the consent given cannot, in most cases, be considered freely given as required under Articles 4.11 and 7 of the GDPR.

Questions?

The Deloitte Privacy Team has extensive experience in the privacy field and regularly advises on data protection and information security matters. You are very welcome to contact us if you need our help or if you have any questions.

Contact us

Lisa Bastholm
Senior Manager | Deloitte Legal
lbastholm@deloitte.se
+46 70 080 20 66

Michelle Smed
Consultant | Deloitte Legal
msmed@deloitte.se
+46 70 080 29 64

Jacob Ossmark
Associate | Deloitte Legal
Jossmark@deloitte.se
+46 70 080 33 96
