ECOVIS ProventusLaw invites you to its newest all-in-one essential compliance newsletter, January 2025 edition, on personal data protection and ICT regulation.
Preparing for DORA Compliance
The Digital Operational Resilience Act (DORA), a comprehensive EU regulation for ICT risk management in the financial sector, requires compliance from January 17, 2025.
DORA covers five critical areas:
- ICT Risk Management: Establishing governance and control frameworks.
- ICT Incident Reporting: Detecting, classifying, and reporting incidents promptly.
- Digital Operational Resilience Testing: Ongoing evaluation of system robustness, including threat-led penetration testing (TLPT) for the financial entities DORA designates for it.
- Third-Party Risk Management: Assessing and overseeing ICT service providers, including a register of information covering every ICT third-party contractual arrangement.
- Information and Intelligence Sharing: Voluntary arrangements for exchanging cyber threat information among financial entities.
Your Next Steps
If your organisation falls under DORA, you must assess your readiness now; the regulation already applies.
Key Steps to Ensure Compliance:
- Involve the Management Board: Ensure executive leadership actively oversees ICT risk management.
- Strengthen ICT Risk Frameworks: Implement policies and controls aligned with DORA requirements.
- Incident Reporting Processes: Develop standardised protocols for detecting and reporting ICT incidents.
- Policy and Procedure Updates: Align response plans and testing protocols with DORA’s legal framework.
- Review Third-Party Contracts: Ensure vendor contracts contain the provisions DORA requires (service levels, audit and access rights, exit strategies) and keep the register of information on ICT third-party arrangements up to date, as supervisors can request it.
Now is the time to conduct a DORA Gap Analysis and take steps to protect your business operations.
Please feel free to contact us for guidance on achieving full compliance. More about DORA is here.
EU Artificial Intelligence Act: Key Provisions Enforced Starting February 2025
On February 2, 2025, the EU Artificial Intelligence Act (AI Act) reaches an important milestone, with the enforcement of Chapters I (General Provisions) and II (Prohibited AI Practices). These provisions outline the scope, classifications, and prohibited practices related to AI technologies, marking a critical step in regulating AI within the EU.
1. Chapter I – General Provisions:
- Defines the scope of the AI Act and identifies the AI systems and entities under its jurisdiction.
- Sets out the definitions on which the Act’s risk-based approach rests; the Act as a whole distinguishes prohibited, high-risk, limited-risk (transparency-obligation) and minimal-risk AI systems. Chapter I also contains the AI literacy obligation for providers and deployers, which applies from the same date.
2. Chapter II – Prohibited AI Practices:
- Bans specific AI systems that threaten fundamental rights and public safety.
- Prohibited practices include manipulative or deceptive AI that distorts behaviour, exploitation of vulnerabilities (age, disability, social or economic situation), social scoring, biometric categorisation used to infer sensitive attributes such as race, political opinions or sexual orientation, and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, which is allowed only under narrow exceptions.
Artificial Intelligence Act: Why It Matters, and How to Prepare?
VDAI and ŽEIT Begin Publicly Publishing Decisions on Data Protection and Ethics Violations
The State Data Protection Inspectorate (VDAI) and the Office of the Inspector of Journalist Ethics (ŽEIT) in Lithuania have begun publishing their decisions on violations in personal data processing and journalistic ethics. This enhances transparency and offers insight into how the authorities apply data protection law in practice.
- VDAI decisions can be accessed here: VDAI Decisions
- ŽEIT decisions are available here: ŽEIT Decisions
This step provides both professionals and the public with an opportunity to better understand data protection and journalistic ethics practices, fostering an environment of improved compliance, responsible data management, and stronger public trust. Companies should monitor these decisions to stay informed on legal interpretations and enhance their internal practices.
EDPB Publishes Guidelines on Pseudonymization for Public Consultation
The European Data Protection Board (EDPB) has released Guidelines 01/2025 on pseudonymization for public consultation. The guidelines aim to clarify the concept of pseudonymization, its benefits, and its role in data protection under the GDPR.
Key clarifications in the guidelines include:
- Pseudonymised data remains personal data as long as it can be attributed to an individual with the help of additional information; under GDPR Art. 4(5) that additional information (the key or lookup table) must be kept separately and protected by technical and organisational measures.
- Pseudonymisation reduces risk and can support legitimate interests as a legal basis for processing, provided the other GDPR conditions are met; it does not, by itself, take the data outside the GDPR.
The guidelines also address how pseudonymisation helps fulfil obligations related to the data protection principles, security, and data protection by design and by default. They discuss technical safeguards to preserve confidentiality and prevent unlawful identification, including keyed (secret-based) transformations rather than plain hashing of identifiers, and the concept of a pseudonymisation domain, i.e. the environment in which re-identification must be prevented.
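The difference between a plain hash and a keyed pseudonym is the practical core of these guidelines, so here is an added illustration (not code from the EDPB or this newsletter). It assumes phone numbers from a small, guessable range as identifiers (a constructed sample), HMAC-SHA256 as the pseudonymisation function, and a per-recipient "domain" string so that two data recipients get unlinkable pseudonyms for the same person under one master key. The key and the lookup table are the "additional information" that must be stored separately.

```python
"""Keyed pseudonymisation versus plain hashing of a low-entropy identifier.

Added example; not part of the EDPB guidelines or the newsletter.
Assumptions: identifiers are phone numbers (constructed sample), HMAC-SHA256
is the pseudonymisation function, the key and lookup table are kept separately.
"""
import hashlib
import hmac
import secrets

# Constructed sample records. Not real data. Records 0 and 2 are the same person.
RECORDS = [
    {"phone": "+370 6000 0001", "diagnosis": "J06.9"},
    {"phone": "+370 6000 0002", "diagnosis": "E11.9"},
    {"phone": "+370 6000 0001", "diagnosis": "J06.9"},
]


def normalise(identifier: str) -> str:
    """Canonical form, so spacing differences do not yield different pseudonyms."""
    return "".join(ch for ch in identifier if ch.isdigit() or ch == "+")


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Anyone can recompute it, so it only hides the value from
    someone who cannot enumerate the identifier space."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, domain: str = "default") -> str:
    """HMAC-SHA256 under a secret key. A per-domain subkey gives each data
    recipient (domain) pseudonyms that cannot be linked across recipients."""
    domain_key = hmac.new(key, domain.encode(), hashlib.sha256).digest()
    return hmac.new(domain_key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records, key: bytes, domain: str = "default"):
    """Return (dataset to share, re-identification table to keep separately)."""
    shared, table = [], {}
    for r in records:
        p = keyed_pseudonym(r["phone"], key, domain)
        table[p] = normalise(r["phone"])
        shared.append({"subject": p, "diagnosis": r["diagnosis"]})
    return shared, table


def candidate_phones(prefix: str = "+3706000", width: int = 4):
    """The identifier space an attacker enumerates: 10**width guesses."""
    for n in range(10 ** width):
        yield f"{prefix}{n:0{width}d}"


def reidentify_by_enumeration(digest: str, hash_fn, candidates=None):
    """Dictionary attack: recompute hash_fn over every candidate and compare."""
    for cand in candidates if candidates is not None else candidate_phones():
        if hmac.compare_digest(hash_fn(cand), digest):
            return normalise(cand)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # stored apart from the shared dataset
    # 1. A plain hash of a guessable identifier falls to 10,000 guesses.
    print(reidentify_by_enumeration(plain_hash("+370 6000 0002"), plain_hash))
    # 2. Without the key the attacker cannot recompute the pseudonym.
    print(reidentify_by_enumeration(keyed_pseudonym("+370 6000 0002", key), plain_hash))
    # 3. The key holder still links records, so the data is still personal data.
    shared, table = pseudonymise_dataset(RECORDS, key)
    print(shared[0]["subject"] == shared[2]["subject"], table[shared[1]["subject"]])
```

Two points the run makes concrete: a hash of a phone number, national ID or e-mail is not pseudonymisation in any meaningful sense because the input space is enumerable, and a keyed pseudonym is still reversible by whoever holds the key and table, which is exactly why the guidelines treat the result as personal data.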
Italy Fines OpenAI 15 Million EUR for GDPR Violations: Key Lessons for Businesses
At the end of 2024, Italy’s data protection authority, Garante, imposed a 15 million EUR fine on OpenAI, the company behind ChatGPT, for significant violations of the General Data Protection Regulation (GDPR).
Key violations:
- Lack of transparency: Users were not provided with clear information on how their personal data was collected and processed.
- Inadequate legal basis: personal data was used to train ChatGPT without OpenAI first identifying a valid legal basis, such as consent or legitimate interest.
The issues first emerged in March 2023, when Garante temporarily blocked ChatGPT in Italy over the following concerns:
- Insufficient user notification: Users were not adequately informed about the conditions under which their data was processed.
- Child protection: No age verification system was in place, so children under 13 could use the service and be exposed to content unsuitable for their age.
- Data accuracy: ChatGPT occasionally provided false or fabricated information about individuals (this problem persists, so users should remain cautious).
What makes this case stand out is that Garante did not only impose a fine but also ordered a corrective measure: OpenAI must run a six-month public information campaign on radio, television, in newspapers and online to explain how ChatGPT works and how it processes personal data, including how individuals can exercise their rights.
EU Court Orders €400 Compensation for Data Protection Breach by European Commission
The EU General Court ruled on January 8, 2025 (Case T-354/22, Bindl v Commission) that the European Commission breached the data protection rules applicable to EU institutions (Regulation (EU) 2018/1725) when it transferred a German citizen’s personal data to Meta Platforms in the US without the safeguards required for a transfer to a third country; at the time no adequacy decision covered the US. The citizen had used the “Sign in with Facebook” option to register for the Conference on the Future of Europe website in 2022 and argued that his IP address, browser details and device information were sent outside the EU.
The court found that the transfer caused non-material damage, since the citizen was left uncertain about how his data was handled, and awarded €400. It dismissed the remaining claims, including the one concerning the Commission’s late response to his information request.
The ruling highlights the importance of ensuring data transfers outside the EU comply with appropriate safeguards and the necessity of clear communication with users about how their data is processed and transferred. Organizations must continuously update their data protection practices to align with EU regulations, especially when it comes to cross-border data flows.
Lithuanian Employment Service Fined €9,000 for Personal Data Security Breach
The State Data Protection Inspectorate (VDAI) has imposed a €9,000 fine on the Employment Service under Lithuania’s Ministry of Social Security and Labour for violating personal data security requirements. The fine followed an investigation into a breach in which personal data of 29,636 individuals was disclosed through an employee’s mistake: an Excel file containing sensitive client data was inadvertently attached to an e-mail sent to 292 clients.
The SDPI found that the Employment Service had failed to implement sufficient technical and organizational data protection measures. The organization had not conducted an adequate risk assessment for handling sensitive data, did not test data loss prevention measures, and did not ensure that employees were properly trained in data security protocols.
The breach, which exposed sensitive personal and health data, violated multiple provisions of the GDPR, including requirements for confidentiality, risk assessment, and data protection measures.
Key Lessons:
- Conduct thorough risk assessments before sending sensitive personal data.
- Provide ongoing training for employees handling sensitive data to minimize human errors.
- Regularly test and update data security systems and processes.
- Implement strong technical and organizational measures to prevent unauthorized data disclosures.
- Have clear procedures for handling data breaches and responding promptly.
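The VDAI finding that data loss prevention measures were never tested is the one most organisations can act on directly. Below is an added example of an outbound-mail check of the kind such a control would implement; it is not the Employment Service’s or VDAI’s code. It assumes the mail gateway hands the policy the recipient list and the attachment as CSV text, that the organisation’s own domain is example.lt, and that Lithuanian personal codes (asmens kodas, 11 digits with a mod-11 checksum) identify data subjects; the CSV samples are constructed.

```python
"""Outbound-mail DLP check for bulk personal-data attachments.

Added example, not code from the Employment Service, VDAI or the newsletter.
Assumptions: the gateway supplies recipients and the attachment as CSV text;
the organisation's own domain is example.lt; Lithuanian personal codes mark
data subjects. All sample data below is constructed.
"""
import csv
import io
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.lt"  # assumed organisation mail domain
SPECIAL_CATEGORY_HEADERS = {"diagnosis", "disability", "health_status", "icd_code"}

# Lithuanian personal code: G YY MM DD NNN C, where G (1-6) encodes century and sex.
PERSONAL_CODE_RE = re.compile(
    r"[1-6]\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{4}")


def personal_code_valid(code: str) -> bool:
    """Format check plus the mod-11 checksum (weights 1..9,1; fallback 3..9,1,2,3)."""
    if not PERSONAL_CODE_RE.fullmatch(code):
        return False
    digits = [int(c) for c in code]
    s = sum(d * w for d, w in zip(digits, [1, 2, 3, 4, 5, 6, 7, 8, 9, 1])) % 11
    if s == 10:
        s = sum(d * w for d, w in zip(digits, [3, 4, 5, 6, 7, 8, 9, 1, 2, 3])) % 11
        if s == 10:
            s = 0
    return digits[10] == s


@dataclass
class Finding:
    subjects: set = field(default_factory=set)         # distinct valid personal codes
    special_columns: set = field(default_factory=set)  # health-type column headers


@dataclass
class Decision:
    action: str  # "allow", "quarantine" (human release) or "block"
    reason: str


def scan_attachment(csv_text: str) -> Finding:
    """Count data subjects and flag special-category columns in a CSV attachment."""
    finding = Finding()
    reader = csv.DictReader(io.StringIO(csv_text))
    for header in reader.fieldnames or []:
        if header.strip().lower() in SPECIAL_CATEGORY_HEADERS:
            finding.special_columns.add(header)
    for row in reader:
        for value in row.values():
            if not isinstance(value, str):
                continue
            for token in PERSONAL_CODE_RE.findall(value):
                if personal_code_valid(token):
                    finding.subjects.add(token)
    return finding


def external_recipients(recipients):
    return [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def decide(recipients, csv_text: str) -> Decision:
    """Policy: one person's data may go to one external recipient; special-category
    data is held for release approval; anything bulk to the outside is blocked."""
    finding = scan_attachment(csv_text)
    external = external_recipients(recipients)
    if not external:
        return Decision("allow", "internal recipients only")
    n = len(finding.subjects)
    if n == 0 and not finding.special_columns:
        return Decision("allow", "no personal data detected")
    if n > 1:
        return Decision("block", f"{n} data subjects would be disclosed to {len(external)} external recipient(s)")
    if len(external) > 1:
        return Decision("block", f"personal data addressed to {len(external)} external recipients")
    if finding.special_columns:
        return Decision("quarantine", f"special-category column(s) {sorted(finding.special_columns)} need release approval")
    return Decision("allow", "one data subject, one external recipient")


# Constructed sample attachments (fictitious people, valid-format codes).
BULK_EXPORT = """client_id,personal_code,name,diagnosis
1001,39001010011,Jonas P.,J06.9
1002,48506151233,Ona K.,E11.9
1003,50203150045,Petras V.,
"""
SINGLE_HEALTH = """client_id,personal_code,name,diagnosis
1001,39001010011,Jonas P.,J06.9
"""
SINGLE_PLAIN = """client_id,personal_code,name
1001,39001010011,Jonas P.
"""

if __name__ == "__main__":
    # The incident pattern from the case: a bulk export mailed to a client list.
    print(decide(["jonas@mail.example", "ona@mail.example"], BULK_EXPORT))
    print(decide(["analyst@example.lt"], BULK_EXPORT))
    print(decide(["jonas@mail.example"], SINGLE_HEALTH))
    print(decide(["jonas@mail.example"], SINGLE_PLAIN))
```

The rule is deliberately simple: it does not try to match each recipient to "their" row, because a mailing that carries more than one person's record to any outside address is the failure mode from this case and should never pass unreviewed. A real deployment would scan the spreadsheet formats actually in use (the case involved Excel, not CSV) and log every block and quarantine so the control can be tested, which is the gap VDAI identified.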
Netflix Fined €4.75 Million for GDPR Violations Over Inadequate Data Processing Transparency
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Netflix €4.75 million after an investigation into the 2018-2020 period found that the company had not properly informed customers about how their personal data was processed, in breach of several GDPR requirements.
Key Violations:
- Lack of Transparency: Netflix did not clearly explain how personal data was used for various purposes such as recommendations, audience analysis, or fraud prevention.
- Inadequate Data Information: The company did not specify which data was used for particular purposes or disclose data from third-party sources.
- Failure to Comply with GDPR Articles 13-15: This resulted in customers being unable to understand the processing of their personal data.
- Additional Violations:
– Failure to disclose data recipients.
– Lack of retention period information.
– Unclear international data transfers.
EU Action Plan to Strengthen Healthcare Cybersecurity Amid Growing Threats
The European Commission has launched an action plan to improve cybersecurity across hospitals and healthcare providers, aiming to safeguard this critical sector from increasing cyber threats. This initiative addresses the rising vulnerability of healthcare organizations, which are increasingly dependent on digital technologies.
Key Points of the Action Plan:
- Dedicated Support Center: The EU Agency for Cybersecurity (ENISA) will establish a European cybersecurity support center for healthcare, offering tailored guidelines, tools, and training.
- Focus on Preparedness: The plan enhances the ability of hospitals to detect, prepare for, and respond to cyber threats, protecting both patients and healthcare professionals.
- Broader Cybersecurity Framework: This is the first sector-specific initiative within the EU’s overall strategy to strengthen cybersecurity for critical infrastructure.