The AI & Privacy Explorer #36 (1-8 September)

Welcome to the AI, digital and privacy news recap for week 36 of 2024 (1-8 September)!

🚖 Dutch DPA Fines Uber €290 Million Over Data Transfers

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) fined Uber €290 million for violating the GDPR. The investigation found that between August 2021 and November 2023 Uber had transferred EU drivers’ personal data to the United States without adequate safeguards, breaching Chapter V of the GDPR, particularly Article 44. Uber had removed the Standard Contractual Clauses (SCCs) from its agreements in 2021, relying on the EU Commission’s statement that the SCCs cannot be used when the importer is directly subject to the GDPR, and instead relied on the Article 49 GDPR derogations. The AP deemed this insufficient.

Read more here.

⚖️ Swedish DPA Fines Apoteket and Apohem for Meta Pixel Misuse

On 29 August 2024, the Swedish Privacy Protection Authority (IMY) imposed fines on Apoteket AB (SEK 37 million) and Apohem AB (SEK 8 million) for GDPR violations. Both pharmacies were penalized for transferring sensitive customer data to Meta using Meta Pixel, an analytics tool on their websites. The data included purchases of non-prescription products, such as treatments for sexual health issues and self-tests. The breaches occurred due to improper activation of Meta Pixel’s “Advanced Matching” function, exposing customers’ sensitive information. The companies have since improved their privacy protocols.

Read more here.

📑 ECtHR Finds Privacy Violation in Monitoring of Legal Documents Exchanged between Prisoners and Lawyers

On 3 September 2024, the European Court of Human Rights (ECtHR) ruled in Hallaçoğlu v. Türkiye that the monitoring of documents exchanged between a prisoner and their lawyer by Turkish prison authorities violated Article 8 of the European Convention on Human Rights. Ruhi Hallaçoğlu challenged the legality of this surveillance, which was based on emergency laws following the 2016 coup attempt. The Court found the Turkish legislation vague and insufficiently foreseeable, violating the Convention’s requirement for lawfulness.

Read more here.

🛑 Dutch DPA Fines Clearview AI for Illegal Facial Recognition

The Dutch Data Protection Authority (DPA) has fined Clearview AI €30.5 million for building a facial recognition database with billions of photos, including images of Dutch citizens, without proper consent. Clearview, a U.S.-based company, scrapes public photos from the internet and converts them into biometric data. The Dutch DPA condemned the company for violating GDPR and also warned against using its services. Non-compliance could result in an additional penalty of €5.1 million.

Read more here.

🛡️ Norwegian University Fined for Weak Access Controls in Microsoft Teams

The Norwegian Data Protection Authority (DPA) has imposed a NOK 150,000 fine on the University of Agder (UiA) for violating GDPR rules regarding access controls and internal data security. From 2018 to 2024, sensitive personal information, including data on 16,000 employees and students, was improperly stored in open Microsoft Teams folders, accessible to unauthorized staff. The DPA found that UiA lacked sufficient access controls, logging, and staff training for using Teams. UiA has since taken corrective actions and notified affected individuals.

Read more here.

🏢 IAPP Organizational Digital Governance Report 2024

IAPP’s Organizational Digital Governance Report dives into the complexities of organizational digital governance as digital technologies evolve. As regulation grows across sectors like privacy, AI, and cybersecurity, organizations face challenges in creating coherent governance structures. The report emphasizes the importance of coordinated approaches, highlighting interviews with over 20 senior leaders across major tech-driven organizations. Leaders are focusing on managing risks, aligning internal processes, and responding to the pressures of increasing regulatory demands. Digital governance is rising as a key strategic priority in today’s tech landscape.

Read more here.

⚖️ AG de la Tour’s Opinion on ‘Excessive’ GDPR Complaints

On 5 September 2024, Advocate General Richard de la Tour issued an opinion in Österreichische Datenschutzbehörde (C-416/23), advising the Court of Justice that a high volume of complaints does not automatically make them “excessive” under GDPR. The case involved an individual who submitted 77 complaints within 20 months, which the Austrian Data Protection Authority refused to handle, citing administrative burden. De la Tour argued that supervisory authorities must prove abusive intent before dismissing complaints and should consider charging a fee rather than refusing to act outright.

Read more here.

📱 ECtHR Rules Search of Mobile Phone Violated Article 8 Rights

On 5 September 2024, the European Court of Human Rights (ECtHR) ruled in Mukhtarli v. Azerbaijan and Georgia. The case focused on the search of journalist Afgan Mukhtarli’s mobile phone during his detention in Azerbaijan, conducted without judicial authorization. The Court found this search violated Mukhtarli’s rights under Article 8 of the European Convention on Human Rights, which protects private life and correspondence. The ECtHR emphasized that such a search requires judicial oversight, as investigators cannot act with unfettered discretion.

Read more here.

🤖 CoE’s Framework Convention on Artificial Intelligence and Human Rights, Democracy and The Rule of Law has been opened for signature

On 5 September 2024, the Council of Europe opened for signature the landmark Framework Convention on Artificial Intelligence and Human Rights, Democracy and The Rule of Law. It has already been signed by Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, the United States of America and the European Union.

Read more here.

🇪🇺 European Commission Issues FAQs on the Data Act

On 6 September 2024, the European Commission published a set of FAQs about the Data Act, which will come into effect on 12 September 2025. The FAQs clarify that, in cases where the General Data Protection Regulation (GDPR) and the Data Act conflict, GDPR will take precedence. They also detail how the Data Act governs access and use of data, with specific rules for the Internet of Things (IoT), noting that certain data types, such as highly enriched data or data covered by intellectual property rights, fall outside the Act’s scope. The FAQs also outline the obligations of data holders and address the protection of trade secrets.

Read more here.

👇 That’s it for this edition. Thanks for reading, and subscribe to get the full text in a single email in your inbox! 👇

♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.