

Relevant privacy headlines

Privacy Newsletter

Please find a compilation of the latest relevant privacy headlines below.

If you want to subscribe to our monthly newsletter covering the latest privacy headlines, click here.

Italian supervisory authority notifies OpenAI of breaching data protection law 

On January 29th, the Italian supervisory authority Garante notified OpenAI, the company behind ChatGPT, of breaches of the GDPR. OpenAI must now submit its counterclaims to Garante regarding the alleged breaches within 30 days. In its public statement, Garante said that it will consider the work of the EDPB task force for OpenAI when determining the case. The task force is an initiative launched by the EDPB with the aim of fostering cooperation and exchanging information on enforcement actions on ChatGPT by EU member states' data protection authorities. For further information, see the press release from Garante here.

EDPB issues report on designation and position of Data Protection Officers 

During the previous year, the European Data Protection Board (“EDPB”) administered a Coordinated Enforcement Framework (“CEF”), aiming to streamline enforcement and cooperation in the member states' supervisory authorities' work regarding Data Protection Officers (“DPOs”). The EDPB has now published its report on the effort. Twenty-five of the EEA member states' supervisory authorities investigated the DPO’s role in a national context. The EDPB report includes a list of recommendations based on the observations. For example, one common observation was that the DPO was often missing even if mandatory. Further, the DPOs frequently had insufficient resources and lacked expert knowledge. Other observations were that DPOs are not being fully entrusted with the tasks required under the GDPR, and the CEF result showed risks of possible conflicts of interest. A repeated recommendation by the EDPB is for the supervisory authorities to be more active, e.g., through initiatives and actions, further guidance, and training sessions for the DPO. For more information, the EDPB report can be found here.

French supervisory authority (CNIL) issues administrative fine against major online retailer 

On December 27, 2023, the French supervisory authority CNIL issued an administrative fine of EUR 32 million against an international online retail company for, among other infringements, non-compliance with GDPR’s data minimization principle. In its investigation, CNIL found that the company’s system for monitoring employee productivity was collecting excessive amounts of personal data in relation to its purpose. In addition, CNIL noted that temporary workers were not sufficiently informed, in accordance with articles 12 and 13 GDPR, of the collection of personal data taking place in the context of measuring their performance. Further, it was found that employees and visitors of the company were not sufficiently informed of the video surveillance systems in place, as a privacy notice was not provided on notice boards or in other documents. The decision from CNIL can be found here (in French).        

EDPB issues statements on the success and challenges of GDPR 

On December 15th, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. In the contribution, the EDPB remarks that since its adoption, “the application of the GDPR in the first 5 and a half years has been successful.” Further, the EDPB notes that while the GDPR has strengthened and harmonized data protection principles and rights across the EU, its application has considerable challenges ahead. As the technological landscape continues to evolve, the EDPB notes that it is important that national supervisory authorities as well as the EDPB are given sufficient resources to carry out their tasks. In its conclusion, the EDPB considers that there is currently no need to revise the legislative text of the GDPR. The EDPB’s contribution to the European Commission’s report on the application of the GDPR can be read here.

The DSA enters into full force on February 17, 2024

The EU Digital Services Act (DSA), which aims to create a safer digital space and a level playing field to promote innovation, growth and competitiveness in the European single market, will enter into force for all affected operators (e.g. marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms) on February 17, 2024. The DSA aims to protect consumers from (among other things) dangerous goods or illegal content, impose restrictions on personalized advertising and simplify online terms of use. The rules of the DSA have already started to apply to some major operators (major online platforms and search engine providers). The DSA contains further obligations for providers of intermediary services. These include, for example, acting against illegal content upon receipt of an order from a designated regulator. Providers also need to include detailed information in their general terms and conditions about the restrictions applied to the use of services, including details of any policies, procedures, measures, and tools used for content moderation. For more information regarding the DSA, see the EU Commission page here. We have also published an article on the topic.


The Deloitte Privacy Team has extensive experience in the privacy field and regularly advises on data protection and information security matters. You are very welcome to contact us if you need our help or if you have any questions.

Contact us

Lisa Bastholm
Senior Manager | Deloitte Legal
+46 70 080 20 66

Michelle Smed
Consultant | Deloitte Legal
+46 70 080 29 64

Jacob Ossmark
Associate | Deloitte Legal
+46 70 080 33 96
