The Top 5 Privacy Updates Q1 2024

The Top 5 Privacy Updates Q1 2024

Stay informed about data privacy. Explore the top 5 privacy updates from Q1 2024, including regulatory framework adjustments and significant judicial rulings that impact data protection.

IMY 2024 supervisory framework

The 2024 supervisory framework for Integritetsskyddsmyndigheten (IMY) was published during March and encompasses five key areas for the planned supervision, two of which are more focused on the public sector:
processing of personal data in municipalities and in the Visa/Schengen Information Systems (VIS/SIS). The
remaining three areas are more relevant to the private sector, including the processing of personal data in the
context of working life (HR related processing), the use of biometric data, and the review of new technical
solutions within camera surveillance.

In addition to the planned supervision, IMY will focus on supervision based on specific complaints and also
based on risks identified via e.g. an incident report or media attention. As basis for the risk-based
supervision, IMY will consider specific risk criteria, such as the risk for serious privacy intrusion, if many
individuals are affected or if there is a significant need for guidance. See the full update here.

KR – Klarna case

On 11th March, the Administrative Court of Appeal (KR) ruled in the Klarna case. Two years ago, IMY fined
Klarna SEK 7.5M for an insufficient privacy notice. In April 2023, the Administrative Court largely agreed with
IMY’s decision but reduced the fine to SEK 6M. KR has now reinstated the original fine of SEK 7.5M but at
the same time clarified several points in favour of Klarna:

– Categories of recipients do not need to be specified into local/foreign
– Third countries do not need to be specified
– Data subjects’ rights do not need to be explained, only that they exist
– Factors leading to predetermined outcomes, such as automated credit rejections, do not need to be specified
– The identified deficiencies do not constitute a breach against art 5.1.a (principle of transparency)

In summary, the infringements by Klarna are confirmed by KR to be the following:

– Lack of information about legal basis for all purposes of processing
– Lack of information about how to obtain information regarding the security measures applied for third country transfers
– Incomplete information on how personal data will be stored
– Missing information about the use of a scoring model and what data it processes
– Unclear or not easily accessible information by providing information in different parts of the notice and in different documents, and by bundling information on certain data subject rights

The infringements are deemed by KR to be serious, and to ensure an efficient, proportionate and deterrent
sanction, the maximum fine (as requested by IMY) of SEK 7.5M was deemed justified. See the reference to
the court case here.

EDPB coordinated enforcement actions

In January, The European Data Protection Board (EDPB) published its report on the findings of the coordinated enforcement action regarding the designation and position of Data Protection Officers (DPOs). This follows investigations by several national data protection authorities (DPAs), including IMY, where questionnaires were sent out to selected data controllers. The EDPB identified several issues, such as insufficient resources allocated to the DPO, insufficient expert knowledge, lack of independence of the DPO and lack of reporting by the DPO to the highest management level.

The report provides a list of recommendations that organisations, DPOs and/or DPAs can consider in order to
address the identified challenges. See the full report here.

The EDPB has also launched the next coordinated enforcement action, this time on the right of access. This enforcement action will investigate how well organisations comply with the GDPR requirements and EDPB guidelines related to the right of access in practice. The investigations, which will be performed by national DPAs, may involve both questionnaires and formal investigations.

The coordinated enforcement actions are initiatives under the Coordinated Enforcement Framework (CEF), which aims to streamline enforcement and cooperation among DPAs. See the full update here.

EU Commission’s use of M365

The European Data Protection Supervisor (EDPS) has found that the European Commission’s processing of data in Microsoft 365 is non-compliant with the data protection rules in the regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies. The main issues were related to purpose limitation, transfers outside the EU/EEA, and unauthorized disclosures, and the regulation contains similar provisions to those in the GDPR. The focus was primarily on the Commission’s actions (or lack of actions), not on Microsoft or its M365 services.

These findings underscore the need for thorough mapping and risk assessments. See the full update here.

AI Act approved by EU Parliament

The Members of the European Parliament recently adopted the Artificial Intelligence (AI) Act, which is a landmark law that introduces several important provisions related to AI.The regulation is currently undergoing a final lawyer-linguist check and is expected to be officially adopted before the summer. The law will come into effect 20 days after its publication in the official Journal and will be fully applicable 2 years later, with some exceptions (6-36 months). See the full update here.

Cecilia Frank

Director, Data Privacy

Ashton Papaioannou

Senior Associate