DP News - Week 12. IAB Europe sent a letter to the EDPB on the 'Consent or Pay' Model, Norway’s supervisory authority fined Norwegian Labor and Welfare Agency 20M NOK, France’s supervisory authority (CNIL) has published guidance on how to prevent common types of data breaches, the UK’s Data Protection and Digital Information (DPDI) Bill has advanced to the House of Lords committee stage.

According to the IAB Europe’s official press release, it sent “a joint letter to the European Data Protection Board (EDPB) to highlight important considerations in the context of the EDPB’s upcoming Opinion and subsequent Guidelines on the “Consent or Pay” model, and to request a public consultation on the latter”.

In particular, “the letter recommends ensuring that the EDPB’s position further builds upon existing case law and guidelines across the European Union and European Economic Area, and that there is proper cooperation with competition and consumer protection authorities when considering the notion of “reasonable” or “appropriate” pricing”.

Click here for more details.

***

Norway’s supervisory authority (Datatilsynet) has conducted an inspection of the data processing activities performed by the Norwegian Labor and Welfare Agency (NAV), which resulted in a 20M NOK fine being imposed.

According to the official press release, “the main conclusions are that NAV’s management system is not satisfactory for ensuring compliance with the privacy regulations, and that the safeguarding of confidentiality through access management and log control is also not satisfactory in practice. In assessing the size of the infringement fee, the Norwegian Data Protection Authority has emphasized that NAV has made available special categories of personal data for a long time and about a large number of people, without the necessary security mechanisms being established”.

Click here for more details.

***

CNIL has published guidance on how to prevent some common types of data breaches and how to react in cases they occurred. The chosen scenarios cover fraud related data breaches, and the objective of the guidance is to enable professionals to understand and prevent the risks of access to data by third parties.

Click here for more details.

***

According to the UK’s Parliament official statement, “Members of the Lords begin their detailed check of the Data Protection and Digital Information Bill in committee stage on Wednesday 20 March”.

Three days of committee stage have been scheduled so far: Wednesday 20 March, Monday 25 March, Wednesday 27 March.

Members speaking on day one of committee stage have put forward amendments to the bill to be discussed. These amendments cover a range of subjects, including ensuring children’s data is included in the definition of sensitive personal data, assigning data rights to a third party, and the use of personal data for direct marketing.

Click here for more details.

Related blog posts

DP News – Week 17. EDPB released the 2023 annual report, outlined its 2024-2027 strategy and issued an information note on the EU-US Data Privacy Framework redress mechanism, Finnish DPA has decided on retention periods in the recruitment process.

DP News – Week 15. Norwegian DPA imposed a 20 million NOK fine, Denmark’s DPA updated data transfer guidance for third countries, France’s DPA fined retail chain for unsolicited marketing.