24.06.19 / News
News from Privacy & Data Protection
NEWSLETTER JUNE 2024

Welcome to our latest newsletter on privacy and data protection! At a time when digitalisation is constantly increasing and the amount of personal data being processed is growing rapidly, it is more important than ever to keep up to date with data protection news.
Our goal is to guide you and provide you with the knowledge you need to navigate this complex and fast-moving data protection world. Whether you are a Data Protection Officer, a legal advisor, an IT specialist or simply someone who wants to understand more about what is happening in the field of data protection, we hope you will find valuable information in our newsletter.
Thank you for reading, and don't hesitate to contact us if you have any questions or need further information!
Summer greetings from
/Anna Eidvall and Karin Schurmann and the entire Privacy and Data Protection team at MAQS

Supervision from IMY
Search services with voluntary publication certificates can be audited
Voluntary publication certificates (Sw. “frivilligt utgivningsbevis”) have been a controversial issue for a long time - not least in Sweden. By holding a voluntary publication certificate, commercial actors have been able to avoid the requirements of the GDPR. Recent case law from both Sweden and the EU emphasises the importance of balancing freedom of information with data protection, and the Court of Justice of the European Union (CJEU) underlines that restrictions on the protection of personal data must be strictly necessary and proportionate. As a result of these developments, the Swedish Authority for Privacy Protection (IMY) announced earlier this spring that it has changed its view on IMY's ability to supervise actors with voluntary publication certificates and now considers itself to have such authority.
IMY's position comes as it has reported an increase in complaints against actors providing search services on the basis of voluntary publication certificates – which often include sensitive information such as names, addresses, vehicle ownership and criminal convictions – raising significant privacy and security concerns. However, it remains unclear whether IMY can take action if it finds that such a service is breaking the law. The authority plans to return to the issue in future investigations.
For companies providing such search services, or relying on services with such elements, IMY's position is an important signal - a voluntary publication certificate no longer guarantees exemption from the GDPR. Since IMY's position, we have noticed an increased demand for help in applying for an exemption from IMY for the processing of data relating to criminal offences. If you would like to know more about how we can help, please get in touch!
IMY to invest even more in complaint handling and enforcement
In our last newsletter, we reported that the Supreme Administrative Court (HFD) decided that a supervisory case that is closed without action may be appealed by the person who submitted the complaint to IMY. Against this background, IMY has announced that it will focus even more on complaint handling and supervision in the future, and statistics also show an increase in activity at IMY in this area in 2023. In 2023, more than 200 supervision cases were opened at the IMY, which is a significant increase compared to the 121 cases opened in the previous year. In addition, IMY imposed fines totalling over SEK 120 million, compared to only SEK 10 million in 2022, demonstrating the increased commitment to ensuring compliance with the GDPR and acting against infringements that may jeopardise the privacy of individuals.
However, IMY's supervision is not only complaint-driven, but also planned. In 2024, IMY plans to supervise, for example, municipalities' compliance with the GDPR, the processing of personal data in the labour market, the processing of biometric data and the review of new technical solutions in the field of camera surveillance. Several of these planned areas of supervision have been recurring for several years - which we see as further evidence that complaint-based supervision consumes much of IMY's resources. Therefore, complaints against an organisation continue to pose a significantly increased enforcement risk.
IMY may be given overall responsibility for enforcement of the AI Regulation
An important piece of news this spring is that the AI Regulation has been adopted and will come into force shortly. It is not yet clear which authority will have overall responsibility for the AI Regulation in Sweden, but IMY has emphasised its extensive experience in providing guidance on legal and technical issues. IMY has also announced that it will be assigned several new tasks in connection with the new regulation. These include oversight responsibilities for AI systems used in law enforcement and managing the regulatory sandbox for AI.
Although specific AI legislation has been delayed, it is important to remember that the GDPR always applies to the development and use of AI involving the processing of personal data. In connection with the annual Nordic data protection meeting, the Nordic data protection authorities also emphasised that both the AI Regulation and the GDPR will affect the future use of AI. We will therefore not be surprised if IMY is appointed as the authority with overall supervisory responsibility and look forward to the announcement of a new AI authority.
Breaches of the GDPR cannot be excused by failings in internal systems
At the beginning of the year, IMY conducted an enforcement action against Klarna after the company failed to correct an email address on a Klarna card following a request for correction from a data subject. Klarna informed the data subject that it was not technically possible to correct the email address and that they needed to order a new Klarna card, which could affect the data subject's creditworthiness.
As it was the data subject who needed to take action to have their personal data rectified, IMY considered that Klarna had failed in its obligation to ensure that data subjects can adequately exercise their rights. However, as the supervision only concerned one data subject's data, and Klarna had provided feedback to the complainant explaining why rectification was not possible and offering an alternative, IMY considered the infringement to be minor and issued only a reprimand.
Although the supervision resulted in a mild sanction, the message is clear: a controller cannot blame shortcomings in internal systems for non-compliance with the GDPR. On the contrary, a controller must ensure that its internal systems and procedures facilitate the exercise of data subjects' rights.
Administrative Court of Appeal rejects Spotify's appeal
In 2021, IMY opened an enforcement action against Spotify following a complaint. The complainant had requested to change his address on his Spotify account, which was not possible without cancelling the account and creating a new one. In addition, the complainant had requested access to his personal data. IMY considered that Spotify had failed to fulfil the complainant's request for rectification or extraction of personal data and issued a reprimand.
Spotify appealed IMY's decision to the Administrative Court. Spotify argued, among other things, that it answers as many as 16,000 customer requests per day and that the failure to honour the complainant's right of access was a single human error in breach of an established procedure. However, the Administrative Court agreed with IMY's assessment and rejected the appeal, which led Spotify to appeal the Administrative Court's decision to the Administrative Court of Appeal. The Administrative Court of Appeal also agreed with IMY's decision. The Court emphasised that there is no formal requirement for how a request for access should be made. Furthermore, the Court stated that the scope for a controller not to fulfil a request for rectification without undue delay is very limited and is mainly justified if the request is very extensive or complex.

EDPB publishes opinion on facial recognition at airports
In May, the European Data Protection Board (EDPB) published an opinion on the use of facial recognition at airports. The opinion is based on complaints from EU Travel Tech in France and Belgium against Ryanair's use of biometric data.
The EDPB notes that there is no uniform legal requirement in the EU for airport operators and airlines to verify that the passenger's name on the boarding pass matches the name on their identity document. If such verification is not required, biometric data should not be used for this purpose, as it would involve unnecessary processing of data.
The EDPB also considers four different types of storage solutions for the management of biometric data - from those that keep the biometric data solely in the hands of the individual to those based on a centralised storage architecture with different modalities. In all cases, the EDPB emphasises that only biometric data of passengers who actively enrol and consent to the processing may be processed. Furthermore, the EDPB finds that the only storage solutions compatible with the GDPR are those where the biometric data are held by the individual or stored in a centralised database where the encryption key is accessible only to the individual. According to the EDPB, these solutions, if implemented, give individuals the best control over their data. As regards the principle of storage limitation, data controllers must ensure that they can justify the envisaged storage period and limit it to what is strictly necessary for the proposed purpose.
Although the EDPB's opinion is limited to the use of facial recognition at airports, we believe that the analysis and the proposed measures are wise to consider also in other uses of biometric data.
The cookie saga continues
The auctioning of advertising space, known as Real Time Bidding (RTB), is an important source of revenue for companies in the advertising and marketing sector. As a starting point, when using RTB, the user's consent is required for targeted adverts to be shown to the user.
IAB Europe is a European-level organisation in the field of digital marketing and advertising that has, among other things, developed the Transparency and Consent Framework (TCF), which enables RTB. As part of the TCF, IAB Europe has created a standardisation of how user choices (consent, refusal, etc.) are encoded to facilitate and enable RTB and data sharing between the parties involved. The user's choice is encoded into a so-called TC string that is shared with different parties subject to TCF to ensure that the user's preferences are respected at all stages. The recipient of the TC string decodes it to understand and follow the user's data protection choices.
In the past, parties using the TCF have felt assured that they comply with the requirements of the GDPR. However, in an enforcement case before the Belgian data protection authority, the supervisory authority found that the TC string does indeed contain personal data and that IAB Europe, in designing the TCF, acted as a data controller without fully complying with the requirements of the GDPR. The authority issued a series of corrective measures and an administrative fine against IAB Europe. IAB Europe challenged the decision and the matter has recently been addressed by the CJEU, which confirmed that the TC string contains personal data within the meaning of the GDPR. In addition, the CJEU ruled that IAB Europe is joint controller together with the other parties, as it partly determines the means and purposes of the TC string. What is still unclear and pending before the Belgian court is whether IAB Europe is also joint controller for the further processing of personal data in the RTB process.
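To make concrete what a TC string actually carries, and why a decoded copy describes a specific user's choices rather than anonymous settings, here is an added example (not code from IAB Europe, from the TCF project or from MAQS) that encodes and decodes the core segment of a TCF v2 TC string. The field widths follow the published TCF v2 core-segment layout as I understand it; vendor sections use the simple bit-field encoding only and publisher restrictions are assumed absent, so this is a teaching parser, not a full implementation. All sample values are constructed. Decoding shows, in the clear, creation and update timestamps, the CMP identifier, the consent language, the publisher country code and the per-purpose and per-vendor choices of one person.

```python
"""Encode/decode the core segment of a TCF v2 TC string (illustrative example).

Not IAB Europe's reference code. Field widths follow the TCF v2 core-segment
layout as understood by the author of this example; vendor sections are
written with the bit-field encoding only and NumPubRestrictions is assumed 0.
"""
import base64
from datetime import datetime, timezone

# (name, width in bits), in stream order, for the fixed part of the core segment.
FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
LETTER_FIELDS = {"consent_language", "publisher_cc"}
ID_LIST_FIELDS = {"special_feature_opt_ins", "purposes_consent", "purposes_li_transparency"}


def _letters_to_int(two_letters: str) -> int:
    # Each letter is a 6-bit value with A = 0, so "SV" is two 6-bit numbers.
    a, b = (ord(c.upper()) - ord("A") for c in two_letters)
    return (a << 6) | b


def _int_to_letters(value: int) -> str:
    return chr((value >> 6) + ord("A")) + chr((value & 0x3F) + ord("A"))


def _ids_to_bitfield(ids, max_id: int) -> int:
    # Bit for id i (1-based) sits at position max_id - i, MSB first.
    return sum(1 << (max_id - i) for i in ids)


def _bitfield_to_ids(bits: int, max_id: int) -> list:
    return [i for i in range(1, max_id + 1) if (bits >> (max_id - i)) & 1]


def encode_core(tc: dict) -> str:
    """Serialise a dict of core-segment fields to a base64url TC string."""
    bits = ""
    for name, width in FIELDS:
        value = tc[name]
        if name in LETTER_FIELDS:
            value = _letters_to_int(value)
        elif name in ID_LIST_FIELDS:
            value = _ids_to_bitfield(value, width)
        bits += format(value, f"0{width}b")
    for section in ("vendor_consent", "vendor_li"):
        ids = tc[section]
        max_id = max(ids) if ids else 0
        bits += format(max_id, "016b") + "0"  # MaxVendorId, IsRangeEncoding = 0
        if max_id:
            bits += format(_ids_to_bitfield(ids, max_id), f"0{max_id}b")
    bits += format(0, "012b")  # NumPubRestrictions = 0 (assumed absent here)
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_core(tc_string: str) -> dict:
    """Parse the core segment of a TC string back into its fields."""
    padded = tc_string + "=" * (-len(tc_string) % 4)
    bits = "".join(format(b, "08b") for b in base64.urlsafe_b64decode(padded))
    pos = 0

    def take(width: int) -> int:
        nonlocal pos
        chunk, pos = bits[pos:pos + width], pos + width
        return int(chunk, 2) if width else 0

    out = {}
    for name, width in FIELDS:
        value = take(width)
        if name in LETTER_FIELDS:
            value = _int_to_letters(value)
        elif name in ID_LIST_FIELDS:
            value = _bitfield_to_ids(value, width)
        out[name] = value
    for section in ("vendor_consent", "vendor_li"):
        max_id = take(16)
        if take(1):
            raise ValueError("range encoding is not handled by this example")
        out[section] = _bitfield_to_ids(take(max_id), max_id)
    out["num_pub_restrictions"] = take(12)
    return out


def created_at(decoded: dict) -> datetime:
    """Created/LastUpdated are stored in deciseconds since the Unix epoch."""
    return datetime.fromtimestamp(decoded["created"] / 10, tz=timezone.utc)


# Constructed sample values; they do not come from any real CMP or site.
SAMPLE = {
    "version": 2, "created": 17000000000, "last_updated": 17000000000,
    "cmp_id": 10, "cmp_version": 1, "consent_screen": 1,
    "consent_language": "SV", "vendor_list_version": 200, "tcf_policy_version": 4,
    "is_service_specific": 1, "use_non_standard_stacks": 0,
    "special_feature_opt_ins": [1], "purposes_consent": [1, 2, 3],
    "purposes_li_transparency": [7], "purpose_one_treatment": 0,
    "publisher_cc": "SE", "vendor_consent": [1, 3], "vendor_li": [],
}

if __name__ == "__main__":
    tc_string = encode_core(SAMPLE)
    print(tc_string)
    for k, v in decode_core(tc_string).items():
        print(f"{k:26} {v}")
```

Run stand-alone, the script prints the constructed TC string and then each decoded field. The point for a compliance review is visible in that second listing: everything the string contains is readable by any recipient without a key, and the timestamps, CMP id, language and country describe one person's interaction with one consent dialogue, which is why the string has to be treated as personal data in the processing records and in supplier contracts.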
Is your company affiliated with the TCF, or do you use suppliers who are? If so, it is important to monitor future developments. We are currently helping a number of clients to monitor developments, assess the implications and develop a long-term and sustainable digital tracking strategy.
EDPB summary on security measures
At the beginning of the year, the EDPB published a case summary on data security and notified personal data breaches under the One-Stop-Shop mechanism. The summary clarifies how the EDPB has interpreted and applied different scenarios that may arise in the context of security breaches. It is useful for both controllers and processors in assessing whether security measures are appropriate - both before and after a potential external breach. Furthermore, it provides a better understanding of the requirements and expectations placed on organisations in terms of security under the GDPR, as well as enabling the identification of any gaps in current security measures and the taking of appropriate measures to improve the protection of personal data.
The compilation provides a valuable source of guidance at a time of heightened risk and threat of security incidents. You can find it, together with the previous compilation on the right to object and the right to be forgotten, here.

Guidance documents
Since ChatGPT's wider introduction on the market, several EU data protection authorities have initiated supervision of OpenAI, the organisation behind ChatGPT. As OpenAI did not previously have a main establishment in the EU (it now has one in Ireland), the EDPB established a taskforce in spring 2023 to strengthen cooperation and contribute to a consistent interpretation between data protection authorities in their work on auditing ChatGPT.
The taskforce has now issued a first report which examines several important aspects of the applicability of the GDPR, including an analysis of the lawfulness of the use of training data and the processing of personal data for input, output and training. The report emphasises that the responsibility for complying with the GDPR lies with OpenAI in this case, even when individuals input personal data themselves. It is therefore important that OpenAI provides accurate information, such as clearly indicating in the ChatGPT results that the generated text may be biased or fictitious.
ChatGPT itself summarises the report as follows:
"In conclusion, the EDPB's report offers valuable insights and guidelines to ensure that AI applications such as ChatGPT are used in a way that is compliant with the GDPR and respects users' rights and privacy. However, it is important to recognise the practical challenges in implementing these guidelines and the need for a balance between regulation and innovation."
In addition, several national data protection authorities have issued guidance on the use of AI from a data protection perspective. IMY has published guidance on its website (which it says will be extensively updated throughout the year), which can be found here. In addition, the Italian data protection authority (Garante) has recently published guidance on web scraping and AI (available here - only in Italian as yet) and the Danish data protection authority has published an impact assessment template specifically for AI (in Danish), available here. We appreciate the proactivity of data protection authorities in this area, which will hopefully help companies and other organisations to improve compliance both in the development and use of AI.
Time for another round between Schrems and Meta
In early June, NOYB (None of Your Business) filed complaints with data protection authorities in 11 European countries (Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland and Spain). NOYB accused Meta of using Meta users' personal data to train its AI models in violation of the GDPR.
NOYB argued that the planned use of personal data would be based on Meta's legitimate interest. According to NOYB, this would mean that Meta ignores users' fundamental right to data protection and privacy. NOYB pointed out that the CJEU has previously clarified that Meta does not have a legitimate interest that can override users' rights when it comes to behavioural advertising, and that the same reasoning should apply to AI training.
Max Schrems, founder of NOYB, emphasised that Meta should not be allowed to use personal data for AI training without the valid consent of users. NOYB requested that the data protection authorities initiate an urgent procedure under Article 66 of the GDPR to stop Meta's plans before 26 June 2024 (when the amendment would enter into force).
It seems that NOYB's actions have paid off. The data protection authorities were quick to act and Meta has now chosen to pause the roll-out of this new processing.
The complaints raise important issues about how companies handle users' personal data for AI purposes and the necessary balancing act that needs to take place between technological innovation and data protection. The handling also shows that coordinated efforts can bear fruit.

The EDPB has published its strategy and direction, as well as priorities for 2024-2027. These are summarised in four pillars:
Improving harmonisation and promoting compliance
This will be done, inter alia, by the EDPB continuing to provide guidance on key issues, such as the application of the GDPR in relation to particularly vulnerable persons, such as children, and the application of legitimate interest as a legal basis.
Strengthening a common enforcement culture and cooperation
This is done, inter alia, by the EDPB reiterating its commitment to the One-Stop-Shop mechanism and other provisions on co-operation under the GDPR. As part of this, the EDPB will continue to ensure that all requests for opinions or binding decisions under the GDPR are effectively fulfilled by providing clear and robust responses.
Ensuring data protection in the digital and cross-border regulatory landscape
This will be done through guidance on the interaction between the application of the GDPR and other EU legal instruments, in particular the AI Regulation and other regulatory frameworks that form part of the EU's Digital Decade strategy. The aim will be to promote the right to data protection in the overall regulatory architecture and contribute to the consistent application of different regulatory frameworks. In addition, it will ensure good cooperation with other supervisory authorities on issues affecting data protection, in particular with consumer protection authorities, competition authorities, and authorities competent under other legal acts, including the AI Regulation and other Digital Decade frameworks.
Contributing to the global dialogue on data protection
The EDPB will further facilitate and strengthen cooperation between its members and data protection authorities outside the EU. It will step up its contribution to international cooperation, support enforcement and further develop its current approach.
The common theme of the strategy is cooperation: an actor standing alone is not strong. This is something we all need to keep in mind when working on the complex issues of data protection and digitalisation in general.
_________
We take this opportunity to wish you a very Happy Summer!
Please contact us if you want to know more about MAQS and how we work. For example, we offer regular ongoing support where we ensure that you as a client have access to the necessary expertise for a certain number of hours per day, week or month depending on the arrangement. The assignments contribute to a good partnership with you as a client where we jointly ensure that you can achieve your goals with the help of the law.