The Top 5 Privacy Updates for Q2, 2024
Stay informed about data privacy. Explore the top 5 privacy updates from Q2 2024, including regulatory framework adjustments and significant judicial rulings that impact data protection.
IMY supervisory decisions from 2023
During Q2 2024 IMY has published several decisions from 2023. Where infringements have been found, these have been deemed to be of a less serious nature and hence resulted in reprimands and not administrative fines. However, there are some interesting conclusions to note from the published decisions:
– The supervisory audit of Nordea Bank Abp, filial i Sverige, concerned the right of access and in particular phone recordings. IMY concluded that the voice of the data subject constitutes personal data, but as the voice of the employee does not constitute personal data of the data subject, that part of the recording does not have to be provided to the data subject. Since Nordea offered the phone recording consisting of the complainants’ voice and a transcription of the call, IMY made the assessment that the right of access had been met. IMY’s decision is in line with a ruling by the Svea Court of Appeal on the same topic.
– The decisions related to Lensway Group AB, CDON AB and MAG Interactive AB are similar and concerned the modalities available for exercising data subject rights under the GDPR. All companies asked their customers for additional information as part of their process to confirm their identity before answering the complainant’s request. IMY assessed that the additional information was unnecessary and too cumbersome to facilitate the rights of the data subject and thus in violation of the GDPR.
– Expressen Lifestyle AB received a reprimand for having collected the data subject’s consent even though the company mainly relied on contract or legitimate interest as legal basis for the processing activity.
– In the decision regarding SJ AB, relating to the right of access, IMY concluded that:
- the time period of one month should count from the first receipt of a request, even though the required authentication of the data subject is performed at a later stage;
- the data controller is required to search on all reasonable identifiers and not only the registered e-mail address and phone number of the data subject, to locate personal data that is processed, and
- the response to an access request can be provided in layers, but only if initial information is provided regarding the layered approach and how the data subject easily can obtain the different parts of the information.
See the full updates here.
IMY’s position on their supervisory authority for search engines with a publishing license
Following recent rulings by the European Court of Justice and Swedish courts, a significant shift is currently occurring in the regulatory framework for search engines with publishing licenses. Historically, these services have been protected by the Swedish constitutional law – the Fundamental Law on Freedom of Expression – and have not been subject to GDPR oversight. In combination with the Swedish principle of public access to information, this means that personal data such as name, home address, phone number, age, income and even criminal records have been made available to the public via these search engines. However, recent court decisions have challenged this exemption and clarified that a balance-of-interest assessment must be made in each case, weighing the interest of data protection against the freedom of expression and information. In addition, IMY’s obligation to investigate and act on complaints, as well as the position for complainants, have been strengthened.
Based on the recent developments, IMY has clarified in a legal position (Rättsligt ställningstagande IMYRS 2024:1) that IMY is authorised to initiate a supervisory activity based on complaints related to search engines with a publishing license. Whether or not further actions can be taken by IMY remains to be seen and will be further assessed by IMY in the upcoming investigations. In parallel, the Swedish government has initiated a public committee to recommend exemptions from the constitutional right to expression for certain forms of publication of privacy sensitive data. Hence, the conditions for offering these kinds of services are challenged from several sides and expected to change going forward.
See the full update here.
EDPB opinion on “consent or pay” models
The European Data Protection Board (EDPB) recently issued an opinion stating that large online platforms employing pay-or-consent models will, “in most cases”, not meet the GDPR requirements for valid consent. This opinion, although nonbinding, suggests that these models do not allow users to make fully informed and free choices regarding their personal data. The EDPB emphasizes that real choice must be provided to users, criticizing the current models for essentially forcing users to either surrender all their data or pay for privacy. If the choice is to be truly free – which is a prerequisite for a valid consent under the GDPR – online platforms should consider offering yet another alternative, free of monetary charge and without behavioral advertising.
See the full update here.
AI Act adopted
The Artificial Intelligence (AI) Act has now also been adopted by the EU Council and will enter into force 20 days after its publication in the Official Journal. The AI Act, a landmark law that introduces several important provisions related to AI, will be fully applicable 2 years later, with some exceptions (6-36 months).
See the full update here.
Guidance from Danish DPA
The Danish Data Protection Authority has provided useful guidance on:
– Templates for data protection impact assessments
– Data breach communication to data subjects