EU GDPR News Update: Three Legal Cases and AI Guidance

In this blog, we look at some of the latest GDPR (General Data Protection Regulation) stories that have made the headlines recently.

Address trader sues data protection authority

The German address trader Acxiom has requested an interim injunction against the data protection authority for the German state of Hesse – the HBDI – to prevent the privacy rights group noyb (none of your business) from accessing files relating to a complaint noyb filed against Acxiom and the credit reference agency CRIF Bürgel.

According to noyb, Acxiom sells personal data originally collected for marketing purposes to CRIF Bürgel, which CRIF Bürgel uses to calculate people’s credit scores.

This, noyb says, “is usually done without ever informing people and without their consent” – in violation of the GDPR’s purpose limitation and lawfulness of processing principles, as confirmed by guidance issued by the German Data Protection Conference.

In a blog published in 2021, when it made its complaint, noyb observed that 62 million private individuals in Germany – “almost everyone in the country” – were potentially affected. Despite the scale of the issue, however, the case is still pending with the data protection authorities two years later.

Wishing “to get an idea of the current state of those cases, noyb requested access to the case files from the Hessian authority”. However, before the HBDI could comply, it was sued by Acxiom – action that noyb calls a “procedural sideshow”, designed to “delay a decision by the Hessian data protection authority”.

noyb says it “will not back down and is ready to file further complaints” against organisations like Acxiom that “believe that the legal system can be absued [sic] to maintain unlawful business models”.

TikTok granted permission to challenge €345 million DPC fine

Ireland’s High Court has granted TikTok permission to challenge a €345 million fine issued by the Irish DPC (Data Protection Commission).

The DPC announced its intention to fine TikTok on 15 September, following an inquiry into the organisation’s failure to comply with the GDPR when processing children’s personal data, which found the following:

  • Child user accounts’ profile settings were set to ‘public’ by default, so anyone could view content posted by the child user.
  • The ‘Family Pairing’ setting allowed non-child users to pair their account with a child user’s account, even if they were not a parent or guardian. This enabled adults to send direct messages to child users.
  • Child users’ profiles being set to ‘public’ by default also posed several possible risks to children under the age of 13 who accessed the platform.
  • TikTok did not provide sufficiently transparent information to child users.
  • TikTok nudged users towards choosing more privacy-intrusive options when registering accounts and posting videos.

TikTok said it would appeal the fine, arguing that it had already introduced measures to remediate these issues before the DPC investigation.

Now, Ms Justice Niamh Hyland has granted TikTok leave to bring an action against the DPC.

According to the Irish Times, “TikTok claims the DPC’s decisions and findings should be set aside as they are flawed, unconstitutional and in breach of its rights, including its right to a fair hearing.”

TikTok also wants the court to declare that sections of the 2018 Data Protection Act, which enacts the EU GDPR in Ireland, are “incompatible with the Constitution and the Charter of Fundamental Rights of the European Union”, and that sections of the GDPR itself are “incompatible with the Charter and European Convention on Human Rights”.

The matter was adjourned until December.

Clearview AI avoids UK GDPR fine

An appeals court has found that the UK’s ICO (Information Commissioner’s Office) was outside its jurisdiction when it fined Clearview AI £7.5 million (about €8.6 million) in May 2022 for “using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition”.

As a result of a 2020 settlement, Clearview AI’s only clients are law enforcement and national security agencies.

The court therefore found that, although the ICO does have the power to take action against non-UK data controllers and processors that process UK residents’ personal data, Clearview AI’s activities are not within the GDPR’s scope “because the activities of foreign governments fall outside the scope of Union law” and it “is not for one government to seek to bind or control the activities of another sovereign state”.

An ICO spokesperson, quoted by TechCrunch, said:

“The ICO will take stock of today’s judgment and carefully consider next steps. It is important to note that this judgment does not remove the ICO’s ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement.”

CNIL publishes guidelines on AI and data protection

Finally, the French data protection authority, the CNIL, has issued a set of seven “AI how-to sheets”, setting out recommendations for developing AI systems and using datasets containing personal data to train them.

According to the CNIL, AI research and development is compatible with the GDPR “provided that it does not cross certain red lines and respects certain conditions”.

The sheets cover the following:

  • Determining the legal regime applicable to processing personal data in the development phase.
  • Defining a specified, explicit and legitimate purpose for processing personal data.
  • Determining the legal qualification of AI system providers.
  • Ensuring the lawfulness of the data processing.
  • Carrying out a data protection impact assessment when necessary.
  • Taking data protection into account in the system design choices.
  • Taking data protection into account when collecting and managing learning data.

The easy route to GDPR compliance

Europrivacy™/® is the first GDPR certification mechanism recognised by the EDPB (European Data Protection Board) as the European Data Protection Seal, as defined by Article 42 of the Regulation, in all EU member states.

IT Governance Europe’s parent company, GRC International Group, is an official partner of the ECCP (European Centre for Certification and Privacy) to support the implementation of Europrivacy data-protection-related services.

Alongside our sister companies IT Governance UK and GRCI Law Limited, we offer a comprehensive range of services to organisations that wish to certify that their data protection practices comply with the EU GDPR and relevant national data protection laws.

IT Governance Europe is at the forefront of helping organisations implement GDPR-compliant processes and achieve certification to standards and frameworks such as ISO 27001, ISO 27701, Cyber Essentials, the PCI DSS (Payment Card Industry Data Security Standard), and others.

Our highly experienced consultants, supported by GDPR-specific tools and processes, can work with clients all over the world to ensure their data processing practices meet the Europrivacy standard and are fit for certification.

Contact us today to learn how we can help with your GDPR compliance project.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.