{"id":9231,"date":"2024-10-02T11:58:10","date_gmt":"2024-10-02T09:58:10","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=9231"},"modified":"2024-10-02T15:25:05","modified_gmt":"2024-10-02T13:25:05","slug":"data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle\/","title":{"rendered":"Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR \u2018prevail\u2019 principle"},"content":{"rendered":"\n

How does the EU Data Act interact with the GDPR? <\/strong><\/h4>\n\n\n\n

The Data Act will become applicable in the EU starting on 12 September 2025. In the runup, the European Commission has published an FAQ<\/a> on the new legislation. Together with the Data Governance Act, it enables a fair distribution of value by establishing clear rules related to the access and use of data within the EU\u2019s data economy. While the Data Act does not regulate the protection of personal data, the GDPR remains fully applicable to all personal data processing activities under the Act.\u00a0<\/p>\n\n\n\n

This includes the powers and competences of supervisory authorities and the rights of data subjects. Sometimes, it complements the GDPR<\/a>, (eg, real-time portability of data from Internet-of-Things objects). In other cases, it restricts the re-use of data<\/a> by third parties, such as for profiling purposes, (unless it is necessary to provide the service to the user). In the event of a conflict between the GDPR and the Data Act, the GDPR rules shall prevail<\/a>, (see Art. 1(5)<\/a> of the Data Act).\u00a0\u00a0<\/p>\n\n\n\n

Stay up to date! Sign on to receive our fortnightly digest via email<\/a><\/em>.<\/p>\n\n\n\n

Corrective powers under the GDPR<\/strong><\/h4>\n\n\n\n

The CJEU has ruled that a supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on their initiative<\/a>. The case relates to a savings bank in Germany where one of its employees had consulted a customer’s data on several occasions without being authorised to do so. The employee had confirmed in writing that she had neither copied nor retained or shared the data, and the bank had taken disciplinary measures. The data controller nevertheless notified the data protection authority of this breach.<\/p>\n\n\n\n

More legal updates<\/h4>\n\n\n\n
\"Data<\/figure>
\n

<\/p>\n\n\n\n

California tech updates:<\/strong> Among over a dozen new bills<\/a> covering personal data and generative AI, Governor Gavin Newsom signed a bill on training data sources<\/a> into law. It includes reporting provisions for developers on sources or owners of datasets, a description of data points in them, whether the datasets contain personal information, how the datasets further the intended purpose of the AI system or service, whether the datasets include any data protected by copyright, trademark, or patent and more. Changes will be due on 1 January 2026. <\/p>\n<\/div><\/div>\n\n\n\n

California has also expanded the definition of personal data to more abstract digital formats<\/a>, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information. At the same time, a landmark artificial intelligence safety bill was blocked by the governor after strong opposition from major technology companies. The draft bill required the most powerful AI models to undergo safety testing<\/a> and other oversight obligations.<\/p>\n\n\n\n

Lax social media privacy controls: <\/strong>The Federal Trade Commission has examined the data practices of major social media and video streaming services, revealing they engaged in vast surveillance of consumers to monetize their personal information while failing to adequately protect users online, especially minors. Among other things, companies feed users\u2019 and non-users personal information into their automated systems, including for use by their algorithms, data analytics, and AI, without proper testing and oversight<\/a>. Meanwhile, data subjects had little or no way to opt out of how their data was used by these automated systems.<\/p>\n\n\n\n

Who determines how to secure data? <\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

The Polish Supreme Administrative Court has made a final decision on whether a data controller can use an employee to determine how to secure data. In a related case, the probation officer of a district court lost an unencrypted pendrive with the personal data of 400 people. The analysis of the case showed that the controller had not fulfilled security obligations correctly. <\/p>\n<\/div><\/div>\n\n\n\n

Before the incident, the controller issued the device and instructed the probation officer to implement security measures on their own. The obligation to register and encrypt the medium was introduced only after the officer lost<\/a> it. Additionally, employees were only given basic training in data protection, which did not give them enough knowledge on securing digital mediums or calculating the risks of data loss. As a result, the employee decided to protect the data by carrying their drive in a locked bag<\/a>.<\/p>\n\n\n\n

More from supervisory authorities<\/h4>\n\n\n\n

Data accountability from A to Z: <\/strong>The Luxembourg data protection and cybersecurity authorities have recently developed DAAZ, a GDPR compliance tool<\/a> that addresses the challenges faced by start-ups and small and medium-sized enterprises, (available in English). The tool comes in response to the personal data protection challenges faced by SMEs in particular, which are often at a disadvantage compared with large organisations in terms of resources and expertise.<\/p>\n\n\n\n

Mobile applications: <\/strong>The French CNIL has published the final version of its recommendations to help professionals design privacy-friendly mobile applications. From 2025, these will be the subject of a specific control campaign. According to the latest data, a typical French consumer downloads 30 apps and uses their mobile phone for an average of 3 hours and 30 minutes per day. Among other things, the recommendations include best practices for stakeholders to ensure that users understand whether the requested permissions are really necessary for the application to function<\/a>.<\/p>\n\n\n\n

AI Act and GDPR: <\/strong>Finally, the Belgian regulator published its information guide<\/a>, (available in English), on the EU AI Act from a GDPR perspective. It includes sections on AI system definition, and data protection principles such as purpose limitation, data minimisation and data subject rights in an AI context<\/a>. It also emphasizes accountability, security measures and human oversight<\/a> in AI development. <\/p>\n\n\n\n

Termination of employment<\/strong><\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

Although former employees have the right to request the deletion of their data, it should be understood that this right is not absolute<\/a>, according to the Latvian regulator. In one example, the former employer has the right to temporarily retain an e-mail box for a certain period to ensure continuous communication with the company’s customers, (eg, by forwarding e-mails), and access information that is essential to the operation of the company. However, the employer must clearly define for how long this e-mail address will be stored and communicate it to employees. <\/p>\n<\/div><\/div>\n\n\n\n

<\/strong>This does not mean that the employer can use the information found in the e-mail for other purposes. The principle of purpose limitation should be taken into account here. If an employer recovers, for example, a computer or smartphone used by an employee after the end of the employment relationship, they may discover that private e-mails or other communication channels were accessed on it. If the employee is not logged out of these accounts, the employer has no right of access, despite owning the device<\/a>.<\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n