Enforcement

The Court of Justice of the European Union ruled in merged cases C-182/22 and C-189/22 Scalable Capital, addressing compensation for non-material damage under GDPR Article 82(1) due to theft of personal data. The court clarified that compensation to individuals is purely compensatory, not punitive, and the severity of GDPR infringements by controllers is irrelevant for compensation purposes. The court emphasized that data breaches causing non-material damage are significant and may warrant minimal compensation even if not serious, provided they fully address the harm suffered.

CJEU Ruling on Compensation for Data Breach [C-182/22 and C-189/22 Scalable Capital]

CJEU, Enforcement, EU law, GDPR |

The Court of Justice of the European Union ruled in merged cases C-182/22 and C-189/22 Scalable Capital, addressing compensation for non-material damage under GDPR Article 82(1) due to theft of personal data. The court clarified that compensation to individuals is purely compensatory, not punitive, and the severity of GDPR infringements by controllers is irrelevant for compensation purposes. The court emphasized that data breaches causing non-material damage are significant and may warrant minimal compensation even if not serious, provided they fully address the harm suffered.

CJEU Ruling on Compensation for Data Breach [C-182/22 and C-189/22 Scalable Capital] Read More »

On 18 June 2024, the Norwegian Data Protection Board ruled that the Norwegian Data Protection Authority (DPA) cannot impose daily fines on Meta for not complying with a ban on behavioral marketing on Facebook and Instagram. This decision challenges the DPA's authority under Norwegian law, which allows daily fines. The Board determined that such fines could only apply to Norwegian companies, not international ones. The ban on behavioral advertising remains, but the ruling raises concerns about enforcement disparities between domestic and international businesses.

The Norwegian Data Protection Authority cannot impose daily fines in cross-border cases

Enforcement, EU law, Facebook, GDPR, Meta, Norway |

The European Data Protection Board published its final Guidelines on Article 37 of the Law Enforcement Directive (LED). These guidelines establish standards for appropriate safeguards in data transfers by competent authorities, focusing on legally binding instruments with third countries. Key points include selecting transfer mechanisms, evaluating transfer risks to data subjects, and maintaining enhanced accountability. The guidelines emphasize legal certainty and the necessity of ensuring equivalent data protection levels when personal data is transferred outside the EU.

The Norwegian Data Protection Authority cannot impose daily fines in cross-border cases Read More »

Avanza Bank fined 1.34M EUR in Sweden for misconfiguration of Meta pixel

Enforcement, EU law, GDPR, IMY, Meta, Sweden |

Meta has paused the launch of its AI tools in Europe after a request from Ireland’s Data Protection Commission (DPC). This decision comes after the digital rights group Noyb filed complaints in 11 European countries, criticizing Meta’s vague AI plans and the opt-out requirement for users. Meta planned to use public posts from Facebook and Instagram to train AI models. The DPC’s decision, welcomed by other European authorities, followed intensive discussions with Meta. Meta expressed disappointment, noting it had incorporated regulatory feedback since March.

Avanza Bank fined 1.34M EUR in Sweden for misconfiguration of Meta pixel Read More »

noyb Files Complaint Against Google’s Privacy Sandbox

noyb Files Complaint Against Google’s Privacy Sandbox

Enforcement, EU law, GDPR, Google, noyb |

noyb has filed a complaint with the Austrian data protection authority against Google. The complaint argues that Google misled users into enabling an “ad privacy feature” through deceptive pop-ups, which actually track users via the new Privacy Sandbox API. The API replaces third-party cookies with first-party tracking within the Chrome browser. Google used manipulative design techniques, known as dark patterns, to secure user consent, violating GDPR requirements for informed and transparent consent. The complaint demands Google’s compliance with GDPR and suggests imposing a significant fine.

noyb Files Complaint Against Google’s Privacy Sandbox Read More »

noyb Files Complaint Against Microsoft for Violating Children's Privacy

noyb Files Complaint Against Microsoft for Violating Children’s Privacy

Enforcement, EU law, GDPR, Microsoft, noyb |

noyb filed a complaint with the Austrian Data Protection Authority against Microsoft on 4 June 2024, alleging that Microsoft’s 365 Education services violate children’s privacy rights. The complaint claims that Microsoft shifts GDPR responsibilities to schools, which lack control over data processing. Microsoft’s use of tracking cookies without proper consent from minors or their guardians breaches GDPR. noyb calls for an investigation and penalties, arguing that Microsoft’s practices harm children’s data protection rights.

noyb Files Complaint Against Microsoft for Violating Children’s Privacy Read More »

Scroll to Top