Huge Fine from Finnish Authority
The Finnish Data Protection Authority investigated an online retail company following a complaint by a customer and subsequently imposed an administrative fine of EUR 856,000. It found that the company, as data controller, required users to register as customers before making purchases and did not allow purchases through its website without the creation of a customer account. The Authority also observed that data relating to customer accounts were stored indefinitely.
Spain’s DPA imposes multiple fines
The Spanish Data Protection Authority fined a telecom company EUR 56,000 for sharing another customer’s personal data when responding to a customer’s right of access request. The data subject requested a copy of their commercial telephone contract from the company in 2021, claiming that the company had not applied the tariff in the contract. The company, however, sent the applicant an email containing the contract and audio recordings of another customer.
In another decision, the Authority fined a bank EUR 600,000 for inadequate security measures, including lack of two-factor authentication when approving loans.
Finally, the Authority fined a football club EUR 200,000 for processing fingerprint data on the grounds that it lacked legal basis and breached the requirements of necessity and proportionality.
Greek voter data leaked
In May 2024, the Greek Data Protection Authority fined the country’s Interior Ministry EUR 400,000 for a data breach involving thousands of voters’ email addresses in June 2023.
Very busy month for the EDPB
The European Data Protection Board (“EDPB”) issued a statement on the European Commission’s (“EC”) legal regulation on access to financial data and payments. According to the EDPB, there should be more clarity regarding recording and sharing of personal data, obligations of account and payment initiation service providers, and the definition of sensitive payment data.
The EDPB also published its preliminary investigative report into ChatGPT. It argues that the scraping of publicly available personal data may rely on legitimate interest as its legal basis under General Data Protection Regulation (“GDPR”) rules.
Most recently, it issued an opinion on the use of facial recognition technology to facilitate passenger processing at airports in which it discussed four scenarios where the technology could be used and their respective legality under the GDPR.
Italian data scraping guidelines published
The Italian Data Protection Authority published guidelines for the protection of personal data available online from data scraping. They include instructions regarding the indiscriminate collection of data on the internet by third parties for the training of generative artificial intelligence models.
EC’s DSA and DGA work continues
The EC requested information on Microsoft Bing’s generative artificial intelligence features under the European Union’s Digital Services Act (“DSA”). The EC underlined that it “suspects that Bing may have infringed the DSA due to risks linked to generative artificial intelligence, such as so-called ‘hallucinations’, viral spread of deepfakes and automated manipulation”.
The EC also sent a formal warning to 18 member states, including Germany, France and Italy, for not implementing necessary measures to comply with the Data Governance Act (“DGA”). The countries have two months to implement the necessary measures and transparency requirements to ensure compliance.
Telecoms companies face penalties
The US Federal Communications Commission fined various telecom operators a total of USD 200 million for sharing geolocation data without users’ consent.