Berry Picks in IT Law #38

Forget oil, data is the new glitter. Just when you think you’ve cleaned off the last of the Christmas glitter, you find some more behind the couch just in time for Easter. Yep, it’s a week of data protection updates. Enjoy!

🔐 Cybersecurity

The US Cybersecurity and Infrastructure Security Agency (“CISA”) released an Emergency Directive after the Russian state-sponsored cyber actor Midnight Blizzard allegedly infiltrated Microsoft’s corporate email systems, leading to the exfiltration of email correspondence between Microsoft and various Federal Civilian Executive Branch (“FCEB”) agencies. The Emergency Directive requires affected agencies to secure compromised credentials, conduct a cybersecurity impact analysis, and reset affected systems by April 30, 2024. Microsoft has pledged to assist by providing metadata for the exfiltrated emails, and CISA will support agencies in analyzing and securing their systems until all necessary actions are completed or the directive is officially terminated. This initiative is critical for mitigating the risks posed by the intrusion and securing federal information systems against further attacks. The Directive, which includes a comprehensive framework for remedial action and ongoing reporting, will remain in force until all specified measures are completed or it is explicitly terminated.

🔏 Data Protection & Privacy

In a recent decision, the CJEU clarified several key aspects of GDPR in relation to non-material damage and controller liability. The dispute arose from the misuse of an individual’s personal data for marketing purposes, despite their objections. The CJEU ruled that an infringement of GDPR alone does not constitute non-material damage unless actual damage is demonstrated, irrespective of its severity. Additionally, the court determined that a controller cannot escape liability merely by blaming an employee’s failure to follow instructions; instead, the controller must prove that the damage was not due to their negligence or failure to comply with GDPR standards. On the matter of compensation, the court stated that the criteria for administrative fines under GDPR do not apply to compensation for damages, which should reflect the actual damage suffered and is intended to be compensatory rather than punitive. The ruling emphasizes the critical importance of GDPR compliance, signaling that companies cannot deflect responsibility for data breaches onto individual employee misconduct and must enforce stringent data protection measures, ensure all employees understand their roles, and handle objections to direct marketing as mandatory, not optional, practices.

The Belgian Data Protection Authority suggested in a prima facie decision that accidentally sending an email to the wrong person may violate Articles 5 and 6 of the GDPR, which set out the principles of data processing and its lawfulness. The case arose when a notary public mistakenly sent an email intended for heirs regarding a property sale to an unrelated third party, who subsequently notified the sender of the error. The DPA noted that this error went beyond the original purpose of the data processing, which could be seen as unlawful under the GDPR. The decision emphasizes that even unintentional errors may still require a legal basis under the GDPR, raising concerns about the implications for data controllers and the stringent standards they must meet in handling personal data. This ruling underscores the potential legal risks associated with even minor mistakes in data handling and highlights the importance of meticulous attention to the lawful processing of personal data. The outcome of this case could influence stricter interpretations of data protection practices under the GDPR. Data really is the new glitter, guys.

Schleswig-Holstein, Germany’s northernmost state, announced its plan to transition from Microsoft Office to LibreOffice and from Windows to Linux across 30,000 government PCs, aiming for complete digital sovereignty. The announcement cited independence as a primary motivation for this switch to open source software, highlighting data security and the avoidance of dependencies on foreign software as key factors. The transition includes six project pillars such as the adoption of open-source collaboration tools and developing a new open-source telephony solution, aiming to enhance IT security, cost-effectiveness, and data protection while ensuring seamless interoperability across various systems. This decision reflects a significant shift towards prioritizing data protection, privacy, and security, marking a distinct approach from previous German transitions to Linux, which primarily aimed at cost savings.

The Spanish Data Protection Agency (AEPD) initiated a sanctioning procedure following a complaint by an individual alleging discrimination and violation of privacy rights due to a health clinic’s practice of taking temperatures using a publicly visible wall-mounted laser thermometer. The AEPD’s investigation confirmed that while the clinic did not store or record personal data, the public display of temperature readings could expose individuals’ health data to unauthorized persons, thus breaching the GDPR’s confidentiality requirement under Article 5.1.f. Consequently, the clinic was fined €20,000 for this infringement and an additional €10,000 for failing to implement the technical and organizational measures required by Article 32 of the GDPR, which governs the security of processing. This case highlights that how personal data, especially sensitive health information, is displayed matters as much as how it is stored, emphasizing the need for strict compliance with data protection law in settings where data breaches may occur inadvertently.

📄 Recommended Readings

Here are a few recent publications, in no particular order, that piqued my interest this week. Remember to grab a cuppa and settle in for some riveting reading.

Generative AI and deepfakes: a human rights approach to tackling harmful content by Felipe Romero Moreno

A Sky Full of Stars, Constellations, Satellites and More! Legal Issues for a ‘Dark’ Sky by Steven Freeland & Anne-Sophie Martin

The End of Average: Deploying Agent-Based Modeling to Antitrust by Thibault Schrepel & John Schuler

Disclaimer: I am in no way affiliated with the authors or publishers in sharing these, and do not necessarily agree with the views contained within. I try to include mostly open access publications due to, well you know, accessibility of knowledge and science.

So there you have it, folks – another week in the fascinating realm of IT Law. Remember to pop back next week for your latest dose of legal updates, served with a twist. Cheerio!

If you have any thoughts or suggestions on how to make this digest more enjoyable, feel free to drop a line. Your feedback is always welcome!

Featured image generated using DALL·E 3.

Sena Kontoğlu Taştan

IT law enthusiast and researcher.
